From 386895f4b38e6b92fa6bf3fb0f99ccabbcec1179 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Tue, 26 Nov 2024 16:46:48 +0300 Subject: [PATCH] import java-21-openjdk-21.0.4.0.7-1.el10 --- .gitignore | 2 + .java-21-openjdk.metadata | 2 + SOURCES/CheckVendor.java | 65 + SOURCES/NEWS | 1778 +++++++++ SOURCES/README.md | 39 + SOURCES/TestCryptoLevel.java | 72 + SOURCES/TestECDSA.java | 49 + SOURCES/TestSecurityProperties.java | 84 + SOURCES/TestTranslations.java | 160 + SOURCES/alt-java.c | 100 + SOURCES/fips-21u-0a42e29b391.patch | 4234 +++++++++++++++++++++ SOURCES/java-21-openjdk-portable.specfile | 2509 ++++++++++++ SOURCES/jconsole.desktop.in | 10 + SOURCES/remove-intree-libraries.sh | 164 + SPECS/java-21-openjdk.spec | 2781 ++++++++++++++ 15 files changed, 12049 insertions(+) create mode 100644 .gitignore create mode 100644 .java-21-openjdk.metadata create mode 100644 SOURCES/CheckVendor.java create mode 100644 SOURCES/NEWS create mode 100644 SOURCES/README.md create mode 100644 SOURCES/TestCryptoLevel.java create mode 100644 SOURCES/TestECDSA.java create mode 100644 SOURCES/TestSecurityProperties.java create mode 100644 SOURCES/TestTranslations.java create mode 100644 SOURCES/alt-java.c create mode 100644 SOURCES/fips-21u-0a42e29b391.patch create mode 100644 SOURCES/java-21-openjdk-portable.specfile create mode 100644 SOURCES/jconsole.desktop.in create mode 100644 SOURCES/remove-intree-libraries.sh create mode 100644 SPECS/java-21-openjdk.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dcbf759 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/openjdk-21.0.4+7.tar.xz +SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-21-openjdk.metadata b/.java-21-openjdk.metadata new file mode 100644 index 0000000..f90f8bc --- /dev/null +++ b/.java-21-openjdk.metadata @@ -0,0 +1,2 @@ +83148f1aa3a0f2fe1d4d5d98ee49c4849a2c8b7c SOURCES/openjdk-21.0.4+7.tar.xz +c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/SOURCES/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/SOURCES/NEWS b/SOURCES/NEWS new file mode 100644 index 0000000..ef34982 --- /dev/null +++ b/SOURCES/NEWS @@ -0,0 +1,1778 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 21.0.4 (2024-07-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2104 + +* CVEs + - CVE-2024-21131 + - CVE-2024-21138 + - CVE-2024-21140 + - CVE-2024-21145 + - CVE-2024-21147 +* Security fixes + - JDK-8314794: Improve UTF8 String supports + - JDK-8319859: Better symbol storage + - JDK-8320097: Improve Image transformations + - JDK-8320548: Improved loop handling + - JDK-8323231: Improve array management + - JDK-8323390: Enhance mask blit functionality + - JDK-8324559: Improve 2D image handling + - JDK-8325600: Better symbol storage + - JDK-8327413: Enhance compilation efficiency +* Other changes + - JDK-7001133: OutOfMemoryError by CustomMediaSizeName implementation + - JDK-8159927: Add a test to verify JMOD files created in the images do not have debug symbols + - JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM, 0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at line 185 + - JDK-8187759: Background not refreshed when painting over a transparent JFrame + - JDK-8223696: java/net/httpclient/MaxStreams.java failed with didn't finish within the time-out + - JDK-8259866: two java.util tests failed with "IOException: There is not enough space on the disk" + - JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java failing on macOS 11 ARM + - JDK-8278527: java/util/concurrent/tck/JSR166TestCase.java fails nanoTime test + - JDK-8280056: gtest/LargePageGtests.java#use-large-pages failed "os.release_one_mapping_multi_commits_vm" + - JDK-8281658: Add a security category to the java -XshowSettings option + - JDK-8288936: Wrong lock ordering writing G1HeapRegionTypeChange JFR event + - JDK-8288989: Make tests not depend on the source code + - JDK-8293069: Make -XX:+Verbose less verbose + - JDK-8293850: need a largest_committed metric for each category of NMT's output + - JDK-8294699: Launcher causes lingering busy cursor + - JDK-8294985: SSLEngine throws IAE during parsing of X500Principal + - JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries + - JDK-8299023: TestPLABResize.java and TestPLABPromotion.java are failing intermittently + - JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java failing with ZipException:R0 on OL9 + - JDK-8303525: Refactor/cleanup open/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java + - JDK-8303773: Replace "main.wrapper" with "test.thread.factory" property in test code + - JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file + - JDK-8303959: tools/jpackage/share/RuntimePackageTest.java fails with java.lang.AssertionError missing files + - JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/TestLocOffsetFromZip64EF.java independent of the zip command line + - JDK-8304839: Move TestScaffold.main() to the separate class DebugeeWrapper + - JDK-8305645: System Tray icons get corrupted when Windows primary monitor changes + - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none" + - JDK-8306040: HttpResponseInputStream.available() returns 1 on empty stream + - JDK-8308144: Uncontrolled memory consumption in SSLFlowDelegate.Reader + - JDK-8308453: Convert JKS test keystores in test/jdk/javax/net/ssl/etc to PKCS12 + - JDK-8309142: Refactor test/langtools/tools/javac/versions/Versions.java + - JDK-8309752: com/sun/jdi/SetLocalWhileThreadInNative.java fails with virtual test thread factory due to OpaqueFrameException + - JDK-8309757: com/sun/jdi/ReferrersTest.java fails with virtual test thread factory + - JDK-8309763: Move tests in test/jdk/sun/misc/URLClassPath directory to test/jdk/jdk/internal/loader + - JDK-8309871: jdk/jfr/api/consumer/recordingstream/TestSetEndTime.java timed out + - JDK-8309890: TestStringDeduplicationInterned.java waits for the wrong condition + - JDK-8310070: Test: javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out + - JDK-8310228: Improve error reporting for uncaught native exceptions on Windows + - JDK-8310234: Refactor Locale tests to use JUnit + - JDK-8310355: Move the stub test from initialize_final_stubs() to test/hotspot/gtest + - JDK-8310513: [s390x] Intrinsify recursive ObjectMonitor locking + - JDK-8310731: Configure a javax.net.ssl.SNIMatcher for the HTTP/1.1 test servers in java/net/httpclient tests + - JDK-8310818: Refactor more Locale tests to use JUnit + - JDK-8310913: Move ReferencedKeyMap to jdk.internal so it may be shared + - JDK-8311792: java/net/httpclient/ResponsePublisher.java fails intermittently with AssertionError: Found some outstanding operations + - JDK-8311823: JFR: Uninitialized EventEmitter::_thread_id field + - JDK-8311881: jdk/javax/swing/ProgressMonitor/ProgressTest.java does not show the ProgressMonitorInputStream all the time + - JDK-8311964: Some jtreg tests failing on x86 with error 'unrecognized VM options' (C2 flags) + - JDK-8312014: [s390x] TestSigInfoInHsErrFile.java Failure + - JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/jdk_crypto_ec.java cannot handle empty modules + - JDK-8312218: Print additional debug information when hitting assert(in_hash) + - JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh from ProblemList + - JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection + - JDK-8312498: Thread::getState and JVM TI GetThreadState should return TIMED_WAITING virtual thread is timed parked + - JDK-8312777: notifyJvmtiMount before notifyJvmtiUnmount + - JDK-8313394: Array Elements in OldObjectSample event has the incorrect description + - JDK-8313612: Use JUnit in lib-test/jdk tests + - JDK-8313702: Update IANA Language Subtag Registry to Version 2023-08-02 + - JDK-8313710: jcmd: typo in the documentation of JFR.start and JFR.dump + - JDK-8313899: JVMCI exception Translation can fail in TranslatedException. + - JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account + - JDK-8314824: Fix serviceability/jvmti/8036666/GetObjectLockCount.java to use vm flags + - JDK-8314828: Mark 3 jcmd command-line options test as vm.flagless + - JDK-8314832: Few runtime/os tests ignore vm flags + - JDK-8314975: JavadocTester should set source path if not specified + - JDK-8315071: Modify TrayIconScalingTest.java, PrintLatinCJKTest.java to use new PassFailJFrame's builder pattern usage + - JDK-8315117: Update Zlib Data Compression Library to Version 1.3 + - JDK-8315373: Change VirtualThread to unmount after freezing, re-mount before thawing + - JDK-8315485: (fs) Move java/nio/file/Path/Misc.java tests into java/nio/file/Path/PathOps.java + - JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration + - JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn + - JDK-8315605: G1: Add number of nmethods in code roots scanning statistics + - JDK-8315609: Open source few more swing text/html tests + - JDK-8315652: RISC-V: Features string uses wrong separator for jtreg + - JDK-8315663: Open source misc awt tests + - JDK-8315677: Open source few swing JFileChooser and other tests + - JDK-8315741: Open source few swing JFormattedTextField and JPopupMenu tests + - JDK-8315824: Open source several Swing Text/HTML related tests + - JDK-8315834: Open source several Swing JSpinner related tests + - JDK-8315889: Open source several Swing HTMLDocument related tests + - JDK-8315898: Open source swing JMenu tests + - JDK-8315998: Remove dead ClassLoaderDataGraphKlassIteratorStatic + - JDK-8316002: Remove unnecessary seen_dead_loader in ClassLoaderDataGraph::do_unloading + - JDK-8316053: Open some swing tests 3 + - JDK-8316138: Add GlobalSign 2 TLS root certificates + - JDK-8316154: Opensource JTextArea manual tests + - JDK-8316164: Opensource JMenuBar manual test + - JDK-8316186: RISC-V: Remove PlatformCmpxchg<4> + - JDK-8316228: jcmd tests are broken by 8314828 + - JDK-8316242: Opensource SwingGraphics manual test + - JDK-8316451: 6 java/lang/instrument/PremainClass tests ignore VM flags + - JDK-8316460: 4 javax/management tests ignore VM flags + - JDK-8316559: Refactor some util/Calendar tests to JUnit + - JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java fails on CentOS Linux release 8.5.2111 and Fedora 27 + - JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests + - JDK-8316669: ImmutableOopMapSet destructor not called + - JDK-8316670: Remove effectively unused nmethodBucket::_count + - JDK-8316696: Remove the testing base classes: IntlTest and CollatorTest + - JDK-8316924: java/lang/Thread/virtual/stress/ParkALot.java times out + - JDK-8316959: Improve InlineCacheBuffer pending queue management + - JDK-8317007: Add bulk removal of dead nmethods during class unloading + - JDK-8317235: Remove Access API use in nmethod class + - JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child VM: abnormal termination + - JDK-8317350: Move code cache purging out of CodeCache::UnloadingScope + - JDK-8317440: Lock rank checking fails when code root set is modified with the Servicelock held after JDK-8315503 + - JDK-8317600: VtableStubs::stub_containing() table load not ordered wrt to stores + - JDK-8317631: Refactor ChoiceFormat tests to use JUnit + - JDK-8317677: Specialize Vtablestubs::entry_for() for VtableBlob + - JDK-8317809: Insertion of free code blobs into code cache can be very slow during class unloading + - JDK-8317965: TestLoadLibraryDeadlock.java fails with "Unable to load native library.: expected true, was false" + - JDK-8318109: Writing JFR records while a CHT has taken its lock asserts in rank checking + - JDK-8318322: Update IANA Language Subtag Registry to Version 2023-10-16 + - JDK-8318455: Fix the compiler/sharedstubs/SharedTrampolineTest.java and SharedStubToInterpTest.java + - JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java failing with Error. Can't find library: /open/test/jdk/java/awt/regtesthelpers" after JDK-8316053 + - JDK-8318585: Rename CodeCache::UnloadingScope to UnlinkingScope + - JDK-8318599: HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809 + - JDK-8318720: G1: Memory leak in G1CodeRootSet after JDK-8315503 + - JDK-8318727: Enable parallelism in vmTestbase/vm/gc/concurrent tests + - JDK-8318757: VM_ThreadDump asserts in interleaved ObjectMonitor::deflate_monitor calls + - JDK-8318854: [macos14] Running any AWT app prints Secure coding warning + - JDK-8318962: Update ProcessTools javadoc with suggestions in 8315097 + - JDK-8318986: Improve GenericWaitBarrier performance + - JDK-8319048: Monitor deflation unlink phase prolongs time to safepoint + - JDK-8319153: Fix: Class is a raw type in ProcessTools + - JDK-8319265: TestLoadLibraryDeadlock.java fails on windows-x64 "Unable to load b.jar" + - JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails with -XX:+UseZGC + - JDK-8319376: ParallelGC: Forwarded objects found during heap inspection + - JDK-8319437: NMT should show library names in call stacks + - JDK-8319567: Update java/lang/invoke tests to support vm flags + - JDK-8319568: Update java/lang/reflect/exeCallerAccessTest/CallerAccessTest.java to accept vm flags + - JDK-8319571: Update jni/nullCaller/NullCallerTest.java to accept flags or mark as flagless + - JDK-8319574: Exec/process tests should be marked as flagless + - JDK-8319578: Few java/lang/instrument ignore test.java.opts and accept test.vm.opts only + - JDK-8319647: Few java/lang/System/LoggerFinder/modules tests ignore vm flags + - JDK-8319648: java/lang/SecurityManager tests ignore vm flags + - JDK-8319650: Improve heap dump performance with class metadata caching + - JDK-8319651: Several network tests ignore vm flags when start java process + - JDK-8319672: Several classloader tests ignore VM flags + - JDK-8319676: A couple of jdk/modules/incubator/ tests ignore VM flags + - JDK-8319677: Test jdk/internal/misc/VM/RuntimeArguments.java should be marked as flagless + - JDK-8319713: Parallel: Remove PSAdaptiveSizePolicy::should_full_GC + - JDK-8319757: java/nio/channels/DatagramChannel/InterruptibleOrNot.java failed: wrong exception thrown + - JDK-8319876: Reduce memory consumption of VM_ThreadDump::doit + - JDK-8319896: Remove monitor deflation from final audit + - JDK-8319955: Improve dependencies removal during class unloading + - JDK-8320005: Allow loading of shared objects with .a extension on AIX + - JDK-8320061: [nmt] Multiple issues with peak accounting + - JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails intermittently on macOS 14 + - JDK-8320129: "top" command during jtreg failure handler does not display CPU usage on OSX + - JDK-8320275: assert(_chunk->bitmap().at(index)) failed: Bit not set at index + - JDK-8320331: G1 Full GC Heap verification relies on metadata not reset before verification + - JDK-8320342: Use PassFailJFrame for TruncatedPopupMenuTest.java + - JDK-8320343: Generate GIF images for AbstractButton/5049549/bug5049549.java + - JDK-8320349: Simplify FileChooserSymLinkTest.java by using single-window testUI + - JDK-8320365: IPPPrintService.getAttributes() causes blanket re-initialisation + - JDK-8320370: NMT: Change MallocMemorySnapshot to simplify code. + - JDK-8320515: assert(monitor->object_peek() != nullptr) failed: Owned monitors should not have a dead object + - JDK-8320525: G1: G1UpdateRemSetTrackingBeforeRebuild::distribute_marked_bytes accesses partially unloaded klass + - JDK-8320570: NegativeArraySizeException decoding >1G UTF8 bytes with non-ascii characters + - JDK-8320681: [macos] Test tools/jpackage/macosx/MacAppStoreJlinkOptionsTest.java timed out on macOS + - JDK-8320692: Null icon returned for .exe without custom icon + - JDK-8320707: Virtual thread test updates + - JDK-8320712: Rewrite BadFactoryTest in pure Java + - JDK-8320714: java/util/Locale/LocaleProvidersRun.java and java/util/ResourceBundle/modules/visibility/VisibilityTest.java timeout after passing + - JDK-8320715: Improve the tests of test/hotspot/jtreg/compiler/intrinsics/float16 + - JDK-8320924: Improve heap dump performance by optimizing archived object checks + - JDK-8321075: RISC-V: UseSystemMemoryBarrier lacking proper OS support + - JDK-8321107: Add more test cases for JDK-8319372 + - JDK-8321163: [test] OutputAnalyzer.getExitValue() unnecessarily logs even when process has already completed + - JDK-8321182: SourceExample.SOURCE_14 comment should refer to 'switch expressions' instead of 'text blocks' + - JDK-8321270: Virtual Thread.yield consumes parking permit + - JDK-8321276: runtime/cds/appcds/dynamicArchive/DynamicSharedSymbols.java failed with "'17 2: jdk/test/lib/apps ' missing from stdout/stderr" + - JDK-8321489: Update LCMS to 2.16 + - JDK-8321713: Harmonize executeTestJvm with create[Limited]TestJavaProcessBuilder + - JDK-8321718: ProcessTools.executeProcess calls waitFor before logging + - JDK-8321812: Update GC tests to use execute[Limited]TestJava + - JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint + - JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java fails with "Alias <246810> does not exist" + - JDK-8322239: [macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane + - JDK-8322477: order of subclasses in the permits clause can differ between compilations + - JDK-8322503: Shenandoah: Clarify gc state usage + - JDK-8322818: Thread::getStackTrace can fail with InternalError if virtual thread is timed-parked when pinned + - JDK-8322846: Running with -Djdk.tracePinnedThreads set can hang + - JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on AArch64 due to unexpected PrintAssembly output + - JDK-8322920: Some ProcessTools.execute* functions are declared to throw Throwable + - JDK-8322962: Upcall stub might go undetected when freezing frames + - JDK-8323002: test/jdk/java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java times out on macosx-x64 + - JDK-8323170: j2dbench is using outdated javac source/target to be able to build by itself + - JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA + - JDK-8323276: StressDirListings.java fails on AIX + - JDK-8323296: java/lang/Thread/virtual/stress/GetStackTraceALotWhenPinned.java#id1 timed out + - JDK-8323519: Add applications/ctw/modules to Hotspot tiered testing + - JDK-8323595: is_aligned(p, alignof(OopT))) assertion fails in Jetty without compressed OOPs + - JDK-8323635: Test gc/g1/TestHumongousAllocConcurrentStart.java fails with -XX:TieredStopAtLevel=3 + - JDK-8323685: PrintSystemDictionaryAtExit has mutex rank assert + - JDK-8323994: gtest runner repeats test name for every single gtest assertion + - JDK-8324121: SIGFPE in PhaseIdealLoop::extract_long_range_checks + - JDK-8324123: aarch64: fix prfm literal encoding in assembler + - JDK-8324236: compiler/ciReplay/TestInliningProtectionDomain.java failed with RuntimeException: should only dump inline information for ... expected true, was false + - JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails with the shape has not been applied msg + - JDK-8324243: Compilation failures in java.desktop module with gcc 14 + - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1 + - JDK-8324646: Avoid Class.forName in SecureRandom constructor + - JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG + - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16 + - JDK-8324733: [macos14] Problem list tests which fail due to macOS bug described in JDK-8322653 + - JDK-8324817: Parallel GC does not pre-touch all heap pages when AlwaysPreTouch enabled and large page disabled + - JDK-8324824: AArch64: Detect Ampere-1B core and update default options for Ampere CPUs + - JDK-8324834: Use _LARGE_FILES on AIX + - JDK-8324933: ConcurrentHashTable::statistics_calculate synchronization is expensive + - JDK-8324998: Add test cases for String.regionMatches comparing Turkic dotted/dotless I with uppercase latin I + - JDK-8325024: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java incorrect comment information + - JDK-8325028: (ch) Pipe channels should lazily set socket to non-blocking mode on first use by virtual thread + - JDK-8325095: C2: bailout message broken: ResourceArea allocated string used after free + - JDK-8325137: com/sun/management/ThreadMXBean/ThreadCpuTimeArray.java can fail in Xcomp with out of expected range + - JDK-8325203: System.exit(0) kills the launched 3rd party application + - JDK-8325213: Flags introduced by configure script are not passed to ADLC build + - JDK-8325255: jdk.internal.util.ReferencedKeySet::add using wrong test + - JDK-8325326: [PPC64] Don't relocate in case of allocation failure + - JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire due to LoadStore split through phi + - JDK-8325432: enhance assert message "relocation addr must be in this section" + - JDK-8325437: Safepoint polling in monitor deflation can cause massive logs + - JDK-8325567: jspawnhelper without args fails with segfault + - JDK-8325579: Inconsistent behavior in com.sun.jndi.ldap.Connection::createSocket + - JDK-8325613: CTW: Stale method cleanup requires GC after Sweeper removal + - JDK-8325621: Improve jspawnhelper version checks + - JDK-8325743: test/jdk/java/nio/channels/unixdomain/SocketOptions.java enhance user name output in error case + - JDK-8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests + - JDK-8325908: Finish removal of IntlTest and CollatorTest + - JDK-8325972: Add -x to bash for building with LOG=debug + - JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode + - JDK-8326101: [PPC64] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns + - JDK-8326201: [S390] Need to bailout cleanly if creation of stubs fails when code cache is out of space + - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1 + - JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate + - JDK-8326496: [test] checkHsErrFileContent support printing hserr in error case + - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit + - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out + - JDK-8326591: New test JmodExcludedFiles.java fails on Windows when --with-external-symbols-in-bundles=public is used + - JDK-8326638: Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop + - JDK-8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message + - JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java assumes profiles were generated by LCMS + - JDK-8326685: Linux builds not reproducible if two builds configured in different build folders + - JDK-8326718: Test java/util/Formatter/Padding.java should timeout on large inputs before fix in JDK-8299677 + - JDK-8326773: Bump update version for OpenJDK: jdk-21.0.4 + - JDK-8326824: Test: remove redundant test in compiler/vectorapi/reshape/utils/TestCastMethods.java + - JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries + - JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect atomic memory operations + - JDK-8326948: Force English locale for timeout formatting + - JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due to ongoing Debian t64 transition + - JDK-8326974: ODR violation in macroAssembler_aarch64.cpp + - JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + - JDK-8327059: os::Linux::print_proc_sys_info add swappiness information + - JDK-8327096: (fc) java/nio/channels/FileChannel/Size.java fails on partition incapable of creating large files + - JDK-8327136: javax/management/remote/mandatory/notif/NotifReconnectDeadlockTest.java fails on libgraal + - JDK-8327180: Failed: java/io/ObjectStreamClass/ObjectStreamClassCaching.java#G1 + - JDK-8327261: Parsing test for Double/Float succeeds w/o testing all bad cases + - JDK-8327468: Do not restart close if errno is EINTR [macOS/linux] + - JDK-8327474: Review use of java.io.tmpdir in jdk tests + - JDK-8327486: java/util/Properties/PropertiesStoreTest.java fails "Text 'xxx' could not be parsed at index 20" after 8174269 + - JDK-8327631: Update IANA Language Subtag Registry to Version 2024-03-07 + - JDK-8327799: JFR view: the "Park Until" field of jdk.ThreadPark is invalid if the parking method is not absolute + - JDK-8327971: Multiple ASAN errors reported for metaspace + - JDK-8327988: When running ASAN, disable dangerous NMT test + - JDK-8327989: java/net/httpclient/ManyRequest.java should not use "localhost" in URIs + - JDK-8327998: Enable java/lang/ProcessBuilder/JspawnhelperProtocol.java on Mac + - JDK-8328037: Test java/util/Formatter/Padding.java has unnecessary high heap requirement after JDK-8326718 + - JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328165: improve assert(idx < _maxlrg) failed: oob + - JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses the parameter 'size' as size in bytes + - JDK-8328168: Epsilon: Premature OOM when allocating object larger than uncommitted heap size + - JDK-8328194: Add a test to check default rendering engine + - JDK-8328524: [x86] StringRepeat.java failure on linux-x86: Could not reserve enough space for 2097152KB object heap + - JDK-8328540: test javax/swing/JSplitPane/4885629/bug4885629.java fails on windows hidpi + - JDK-8328555: hidpi problems for test java/awt/Dialog/DialogAnotherThread/JaWSTest.java + - JDK-8328589: unify os::breakpoint among posix platforms + - JDK-8328592: hprof tests fail with -XX:-CompactStrings + - JDK-8328604: remove on_aix() function + - JDK-8328638: Fallback option for POST-only OCSP requests + - JDK-8328702: C2: Crash during parsing because sub type check is not folded + - JDK-8328703: Illegal accesses in Java_jdk_internal_org_jline_terminal_impl_jna_linux_CLibraryImpl_ioctl0 + - JDK-8328705: GHA: Cross-compilation jobs do not require build JDK + - JDK-8328709: AIX os::get_summary_cpu_info support Power 10 + - JDK-8328744: Parallel: Parallel GC throws OOM before heap is fully expanded + - JDK-8328776: [AIX] remove checked_vmgetinfo, use vmgetinfo directly + - JDK-8328812: Update and move siphash license + - JDK-8328822: C2: "negative trip count?" assert failure in profile predicate code + - JDK-8328825: Google CAInterop test failures + - JDK-8328938: C2 SuperWord: disable vectorization for large stride and scale + - JDK-8328948: GHA: Restoring sysroot from cache skips the build after JDK-8326960 + - JDK-8328957: Update PKCS11Test.java to not use hardcoded path + - JDK-8328988: [macos14] Problem list LightweightEventTest.java which fails due to macOS bug described in JDK-8322653 + - JDK-8328997: Remove unnecessary template parameter lists in GrowableArray + - JDK-8329013: StackOverflowError when starting Apache Tomcat with signed jar + - JDK-8329109: Threads::print_on() tries to print CPU time for terminated GC threads + - JDK-8329163: C2: possible overflow in PhaseIdealLoop::extract_long_range_checks() + - JDK-8329213: Better validation for com.sun.security.ocsp.useget option + - JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms = -Xmx + - JDK-8329545: [s390x] Fix garbage value being passed in Argument Register + - JDK-8329570: G1: Excessive is_obj_dead_cond calls in verification + - JDK-8329605: hs errfile generic events - move memory protections and nmethod flushes to separate sections + - JDK-8329663: hs_err file event log entry for thread adding/removing should print current thread + - JDK-8329823: RISC-V: Need to sync CPU features with related JVM flags + - JDK-8329840: Fix ZPhysicalMemorySegment::_end type + - JDK-8329850: [AIX] Allow loading of different members of same shared library archive + - JDK-8329862: libjli GetApplicationHome cleanups and enhance jli tracing + - JDK-8329961: Buffer overflow in os::Linux::kernel_version + - JDK-8330011: [s390x] update block-comments to make code consistent + - JDK-8330094: RISC-V: Save and restore FRM in the call stub + - JDK-8330156: RISC-V: Range check auipc + signed 12 imm instruction + - JDK-8330242: RISC-V: Simplify and remove CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp + - JDK-8330275: Crash in XMark::follow_array + - JDK-8330464: hserr generic events - add entry for the before_exit calls + - JDK-8330523: Reduce runtime and improve efficiency of KeepAliveTest + - JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp + - JDK-8330615: avoid signed integer overflows in zip_util.c readCen / hashN + - JDK-8330815: Use pattern matching for instanceof in KeepAliveCache + - JDK-8331031: unify os::dont_yield and os::naked_yield across Posix platforms + - JDK-8331113: createJMHBundle.sh support configurable maven repo mirror + - JDK-8331167: UBSan enabled build fails in adlc on macOS + - JDK-8331298: avoid alignment checks in UBSAN enabled build + - JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect + - JDK-8331352: error: template-id not allowed for constructor/destructor in C++20 + - JDK-8331466: Problemlist serviceability/dcmd/gc/RunFinalizationTest.java on generic-all + - JDK-8331639: [21u]: Bump GHA bootstrap JDK to 21.0.3 + - JDK-8331942: On Linux aarch64, CDS archives should be using 64K alignment by default + - JDK-8332253: Linux arm32 build fails after 8292591 + - JDK-8334441: Mark tests in jdk_security_infra group as manual + - JDK-8335960: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.4 + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8281658: Add a security category to the java -XshowSettings option +====================================================================== + +The `-XshowSettings` launcher option now has a 'security' category, allowing +the following arguments to be passed: + +* -XshowSettings:security or -XshowSettings:security:all: show all security settings and continue +* -XshowSettings:security:properties - show security properties and continue +* -XshowSettings:security:providers - show static security provider settings and continue +* -XshowSettings:security:tls - show TLS related security settings and continue + +The output will include third-party security providers if they are +included in the application class path or module path, and configured +in the java.security file. + +JDK-8316138: Add GlobalSign 2 TLS root certificates +=================================================== +The following root certificates have been added to the cacerts +truststore: + +Name: GlobalSign +Alias Name: globalsignr46 +Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE + +Name: GlobalSign +Alias Name: globalsigne46 +Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE + +security-libs/javax.security: + +JDK-8328638: Fallback Option For POST-only OCSP Requests +======================================================== +JDK-8179503, introduced in OpenJDK 17, added support for using the +HTTP GET method for OCSP requests. This was turned on unconditionally +for small requests. + +RFC 5019 and RFC 6960 explicitly allow and recommend the use of HTTP +GET requests. However, some OCSP responders have been observed to not +work well with such requests. + +With this release, the JDK system property +`com.sun.security.ocsp.useget` is introduced. The default setting is +'true' which retains the current behaviour of using GET requests for +small requests. If the property is instead set to 'false', only HTTP +POST requests will be used, regardless of size. + +This option is non-standard and may be removed again if problematic +OCSP responders are no longer an issue. + +infrastructure/build: + +JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in internal JDK binaries +================================================================================== +Native executables and libraries in the JDK use embedded runtime +search paths to locate required internal JDK native libraries. On +Linux systems, there are two ways of specifying these search paths; +DT_RPATH and DT_RUNPATH. + +The main difference between the two options is that paths specified by +DT_RPATH are searched before those in the LD_LIBRARY_PATH environment +variable, whereas DT_RUNPATH paths are considered afterwards. This +means the use of DT_RUNPATH can allow JDK internal libraries to be +overridden by libraries of the same name found on the LD_LIBRARY_PATH. + +Builds of earlier OpenJDK releases left the choice of which type of +runtime search path to use down to the default of the linker. With +this release, the option `--disable-new-dtags` is explicitly passed to +the linker to avoid setting DT_RUNPATH. + +tools/jpackage: + +JDK-8295111: dpkg appears to have problems resolving symbolically linked native libraries +========================================================================================= +The jpackage tool uses `dpkg -S` to lookup which package provides a +particular file on Debian and Ubuntu systems. However, on newer Debian +and Ubuntu systems, `dpkg -S` does not resolve symlinks. In this +OpenJDK release, jpackage now resolves symlinks before passing the +real path of the file to dpkg. + +hotspot/gc: + +JDK-8314573: G1: Heap resizing at Remark does not take existing eden regions into account +========================================================================================= +To comply with the settings of `-XX:MinHeapFreeRatio` and +`-XX:MaxHeapFreeRatio`, the G1 garbage collector adjusts the Java heap +size during the Remark phase, keeping the number of free regions +within these bounds. + +In earlier OpenJDK releases, Eden regions were considered to be +occupied or full for this calculation. This made the heap size +dependent on the Eden occupancy at the time the Remark phase was +run. However, after the next garbage collection, these Eden regions +would be empty. + +With this OpenJDK release, Eden regions are now considered empty or +free during the Remark phase calculation. The overall effect is that +G1 now expands the Java heap less aggressively and more +determinstically, as the number of free regions does not vary as much. +It also aligns Java heap sizing with the full GC heap sizing. +However, this may potentially lead to more garbage collections. + +JDK-8315503: G1: Code root scan causes long GC pauses due to imbalanced iteration +================================================================================= +The Code Root Scan phase of garbage collection finds references to +Java objects within compiled code. To speed up this process, a cache +is maintained within each region of the compiled code that contains +references into the Java heap. + +On the assumption that the set of references was small, previous +releases used a single thread per region to iterate through these +references. This introduced a scalability bottleneck, where +performance could be reduced if a particular region contained a large +number of references. + +In this release, multiple threads are used, removing this bottleneck. + +New in release OpenJDK 21.0.3 (2024-04-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2103 + +* CVEs + - CVE-2024-21012 + - CVE-2024-21011 + - CVE-2024-21068 +* Security fixes + - JDK-8315708: Enhance HTTP/2 client usage + - JDK-8318340: Improve RSA key implementations + - JDK-8319851: Improve exception logging + - JDK-8322122: Enhance generation of addresses +* Other changes + - JDK-6928542: Chinese characters in RTF are not decoded + - JDK-8009550: PlatformPCSC should load versioned so + - JDK-8077371: Binary files in JAXP test should be removed + - JDK-8169475: WheelModifier.java fails by timeout + - JDK-8209595: MonitorVmStartTerminate.java timed out + - JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests + - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from + - JDK-8263256: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test + - JDK-8264899: C1: -XX:AbortVMOnException does not work if all methods in the call stack are compiled with C1 and there are no exception handlers + - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + - JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6 and newer + - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts + - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + - JDK-8304020: Speed up test/jdk/java/util/zip/ZipFile/TestTooManyEntries.java and clarify its purpose + - JDK-8304292: Memory leak related to ClassLoader::update_class_path_entry_list + - JDK-8305962: update jcstress to 0.16 + - JDK-8305971: NPE in JavacProcessingEnvironment for missing enum constructor body + - JDK-8306922: IR verification fails because IR dump is chopped up + - JDK-8307408: Some jdk/sun/tools/jhsdb tests don't pass test JVM args to the debuggee JVM + - JDK-8309109: AArch64: [TESTBUG] compiler/intrinsics/sha/cli/TestUseSHA3IntrinsicsOptionOnSupportedCPU.java fails on Neoverse N2 and V1 + - JDK-8309203: C2: remove copy-by-value of GrowableArray for InterfaceSet + - JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition + - JDK-8309697: [TESTBUG] Remove "@requires vm.flagless" from jtreg vectorization tests + - JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen + - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/bug6889007.java fails + - JDK-8310308: IR Framework: check for type and size of vector nodes + - JDK-8310629: java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java fails with RuntimeException Server not ready + - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing + - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + - JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate + - JDK-8310919: runtime/ErrorHandling/TestAbortVmOnException.java times out due to core dumps taking a long time on OSX + - JDK-8310923: Refactor Currency tests to use JUnit + - JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + - JDK-8311279: TestStressIGVNAndCCP.java failed with different IGVN traces for the same seed + - JDK-8311581: Remove obsolete code and comments in TestLVT.java + - JDK-8311588: C2: RepeatCompilation compiler directive does not choose stress seed randomly + - JDK-8311663: Additional refactoring of Locale tests to JUnit + - JDK-8311893: Interactive component with ARIA role 'tabpanel' does not have a programmatically associated name + - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC + - JDK-8311992: Test java/lang/Thread/virtual/JfrEvents::testVirtualThreadPinned failed + - JDK-8312136: Modify runtime/ErrorHandling/TestDwarf.java to split dwarf and decoder testing + - JDK-8312416: Tests in Locale should have more descriptive names + - JDK-8312428: PKCS11 tests fail with NSS 3.91 + - JDK-8312916: Remove remaining usages of -Xdebug from test/hotspot/jtreg + - JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + - JDK-8313229: DHEKeySizing.java should be modified to use TLS versions TLSv1, TLSv1.1, TLSv1.2 + - JDK-8313507: Remove pkcs11/Cipher/TestKATForGCM.java from ProblemList + - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/TestFloatingDecimal should use RandomFactory + - JDK-8313638: Add test for dump of resolved references + - JDK-8313670: Simplify shared lib name handling code in some tests + - JDK-8313720: C2 SuperWord: wrong result with -XX:+UseVectorCmov -XX:+UseCMoveUnconditionally + - JDK-8313816: Accessing jmethodID might lead to spurious crashes + - JDK-8313854: Some tests in serviceability area fail on localized Windows platform + - JDK-8314164: java/net/HttpURLConnection/HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + - JDK-8314220: Configurable InlineCacheBuffer size + - JDK-8314283: Support for NSS tests on aarch64 platforms + - JDK-8314320: Mark runtime/CommandLine/ tests as flagless + - JDK-8314333: Update com/sun/jdi/ProcessAttachTest.java to use ProcessTools.createTestJvm(..) + - JDK-8314513: [IR Framework] Some internal IR Framework tests are failing after JDK-8310308 on PPC and Cascade Lake + - JDK-8314578: Non-verifiable code is emitted when two guards declare pattern variables in colon-switch + - JDK-8314610: hotspot can't compile with the latest of gtest because of + - JDK-8314612: TestUnorderedReduction.java fails with -XX:MaxVectorSize=32 and -XX:+AlignVector + - JDK-8314629: Generational ZGC: Clearing All SoftReferences log line lacks GCId + - JDK-8314829: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java ignores vm flags + - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags + - JDK-8314831: NMT tests ignore vm flags + - JDK-8314835: gtest wrappers should be marked as flagless + - JDK-8314837: 5 compiled/codecache tests ignore VM flags + - JDK-8314838: 3 compiler tests ignore vm flags + - JDK-8314990: Generational ZGC: Strong OopStorage stats reported as weak roots + - JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + - JDK-8315042: NPE in PKCS7.parseOldSignedData + - JDK-8315097: Rename createJavaProcessBuilder + - JDK-8315241: (fs) Move toRealPath tests in java/nio/file/Path/Misc.java to separate JUnit 5 test + - JDK-8315406: [REDO] serviceability/jdwp/AllModulesCommandTest.java ignores VM flags + - JDK-8315594: Open source few headless Swing misc tests + - JDK-8315600: Open source few more headless Swing misc tests + - JDK-8315602: Open source swing security manager test + - JDK-8315611: Open source swing text/html and tree test + - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + - JDK-8315721: CloseRace.java#id0 fails transiently on libgraal + - JDK-8315726: Open source several AWT applet tests + - JDK-8315731: Open source several Swing Text related tests + - JDK-8315761: Open source few swing JList and JMenuBar tests + - JDK-8315891: java/foreign/TestLinker.java failed with "error occurred while instantiating class TestLinker: null" + - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/bug4654927.java: component must be showing on the screen to determine its location + - JDK-8315988: Parallel: Make TestAggressiveHeap use createTestJvm + - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + - JDK-8316028: Update FreeType to 2.13.2 + - JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + - JDK-8316132: CDSProtectionDomain::get_shared_protection_domain should check for exception + - JDK-8316229: Enhance class initialization logging + - JDK-8316309: AArch64: VMError::print_native_stack() crashes on Java native method frame + - JDK-8316319: Generational ZGC: The SoftMaxHeapSize might be wrong when CDS decreases the MaxHeapSize + - JDK-8316392: compiler/interpreter/TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal + - JDK-8316410: GC: Make TestCompressedClassFlags use createTestJvm + - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/CheckOrigin.java as vm.flagless + - JDK-8316446: 4 sun/management/jdp tests ignore VM flags + - JDK-8316447: 8 sun/management/jmxremote tests ignore VM flags + - JDK-8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags + - JDK-8316464: 3 sun/tools tests ignore VM flags + - JDK-8316562: serviceability/sa/jmap-hprof/JMapHProfLargeHeapTest.java times out after JDK-8314829 + - JDK-8316594: C2 SuperWord: wrong result with hand unrolled loops + - JDK-8316661: CompilerThread leaks CodeBlob memory when dynamically stopping compiler thread in non-product + - JDK-8316693: Simplify at-requires checkDockerSupport() + - JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + - JDK-8316961: Fallback implementations for 64-bit Atomic::{add,xchg} on 32-bit platforms + - JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm + - JDK-8317042: G1: Make TestG1ConcMarkStepDurationMillis use createTestJvm + - JDK-8317144: Exclude sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java on Linux ppc64le + - JDK-8317188: G1: Make TestG1ConcRefinementThreads use createTestJvm + - JDK-8317218: G1: Make TestG1HeapRegionSize use createTestJvm + - JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm + - JDK-8317300: javac erroneously allows "final" in front of a record pattern + - JDK-8317307: test/jdk/com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + - JDK-8317316: G1: Make TestG1PercentageOptions use createTestJvm + - JDK-8317317: G1: Make TestG1RemSetFlags use createTestJvm + - JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm + - JDK-8317347: Parallel: Make TestInitialTenuringThreshold use createTestJvm + - JDK-8317358: G1: Make TestMaxNewSize use createTestJvm + - JDK-8317522: Test logic for BODY_CF in AbstractThrowingSubscribers.java is wrong + - JDK-8317535: Shenandoah: Remove unused code + - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma + - JDK-8317804: com/sun/jdi/JdwpAllowTest.java fails on Alpine 3.17 / 3.18 + - JDK-8318039: GHA: Bump macOS and Xcode versions + - JDK-8318082: ConcurrentModificationException from IndexWriter + - JDK-8318154: Improve stability of WheelModifier.java test + - JDK-8318157: RISC-V: implement ensureMaterializedForStackWalk intrinsic + - JDK-8318158: RISC-V: implement roundD/roundF intrinsics + - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows + - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + - JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal + - JDK-8318590: JButton ignores margin when painting HTML text + - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + - JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + - JDK-8318613: ChoiceFormat patterns are not well tested + - JDK-8318689: jtreg is confused when folder name is the same as the test name + - JDK-8318696: Do not use LFS64 symbols on Linux + - JDK-8318737: Fallback linker passes bad JNI handle + - JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/WhiteBox.java shows intermittent failures on linux ppc64le and aarch64 + - JDK-8318964: Fix build failures caused by 8315097 + - JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + - JDK-8318983: Fix comment typo in PKCS12Passwd.java + - JDK-8319103: Popups that request focus are not shown on Linux with Wayland + - JDK-8319124: Update XML Security for Java to 3.0.3 + - JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64 + - JDK-8319136: Skip pkcs11 tests on linux-aarch64 + - JDK-8319137: release _object in ObjectMonitor dtor to avoid races + - JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils + - JDK-8319314: NMT detail report slow or hangs for large number of mappings + - JDK-8319372: C2 compilation fails with "Bad immediate dominator info" + - JDK-8319382: com/sun/jdi/JdwpAllowTest.java shows failures on AIX if prefixLen of mask is larger than 32 in IPv6 case + - JDK-8319456: jdk/jfr/event/gc/collection/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + - JDK-8319548: Unexpected internal name for Filler array klass causes error in VisualVM + - JDK-8319569: Several java/util tests should be updated to accept VM flags + - JDK-8319633: runtime/posixSig/TestPosixSig.java intermittent timeouts on UNIX + - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + - JDK-8319777: Zero: Support 8-byte cmpxchg + - JDK-8319879: Stress mode to randomize incremental inlining decision + - JDK-8319883: Zero: Use atomic built-ins for 64-bit accesses + - JDK-8319897: Move StackWatermark handling out of LockStack::contains + - JDK-8319938: TestFileChooserSingleDirectorySelection.java fails with "getSelectedFiles returned empty array" + - JDK-8320052: Zero: Use __atomic built-ins for atomic RMW operations + - JDK-8320145: Compiler should accept final variable in Record Pattern + - JDK-8320168: handle setsocktopt return values + - JDK-8320206: Some intrinsics/stubs missing vzeroupper on x86_64 + - JDK-8320208: Update Public Suffix List to b5bf572 + - JDK-8320300: Adjust hs_err output in malloc/mmap error cases + - JDK-8320303: Allow PassFailJFrame to accept single window creator + - JDK-8320309: AIX: pthreads created by foreign test library don't work as expected + - JDK-8320383: refresh libraries cache on AIX in VMError::report + - JDK-8320582: Zero: Misplaced CX8 enablement flag + - JDK-8320798: Console read line with zero out should zero out underlying buffer + - JDK-8320807: [PPC64][ZGC] C1 generates wrong code for atomics + - JDK-8320830: [AIX] Dont mix os::dll_load() with direct dlclose() calls + - JDK-8320877: Shenandoah: Remove ShenandoahUnloadClassesFrequency support + - JDK-8320888: Shenandoah: Enable ShenandoahVerifyOptoBarriers in debug builds + - JDK-8320890: [AIX] Find a better way to mimic dl handle equality + - JDK-8320898: exclude compiler/vectorapi/reshape/TestVectorReinterpret.java on ppc64(le) platforms + - JDK-8320907: Shenandoah: Remove ShenandoahSelfFixing flag + - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs + - JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8320943: Files/probeContentType/Basic.java fails on latest Windows 11 - content type mismatch + - JDK-8321120: Shenandoah: Remove ShenandoahElasticTLAB flag + - JDK-8321122: Shenandoah: Remove ShenandoahLoopOptsAfterExpansion flag + - JDK-8321131: Console read line with zero out should zero out underlying buffer in JLine + - JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + - JDK-8321164: javac with annotation processor throws AssertionError: Filling jrt:/... during JarFileObject[/...] + - JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + - JDK-8321269: Require platforms to define DEFAULT_CACHE_LINE_SIZE + - JDK-8321374: Add a configure option to explicitly set CompanyName property in VersionInfo resource for Windows exe/dll + - JDK-8321408: Add Certainly roots R1 and E1 + - JDK-8321409: Console read line with zero out should zero out underlying buffer in JLine (redux) + - JDK-8321410: Shenandoah: Remove ShenandoahSuspendibleWorkers flag + - JDK-8321480: ISO 4217 Amendment 176 Update + - JDK-8321542: C2: Missing ChaCha20 stub for x86_32 leads to crashes + - JDK-8321582: yield .class not parsed correctly. + - JDK-8321599: Data loss in AVX3 Base64 decoding + - JDK-8321619: Generational ZGC: ZColorStoreGoodOopClosure is only valid for young objects + - JDK-8321894: Bump update version for OpenJDK: 21.0.3 + - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform + - JDK-8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized + - JDK-8322040: Missing array bounds check in ClassReader.parameter + - JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - JDK-8322142: JFR: Periodic tasks aren't orphaned between recordings + - JDK-8322159: ThisEscapeAnalyzer crashes for erroneous code + - JDK-8322255: Generational ZGC: ZPageSizeMedium should be set before MaxTenuringThreshold + - JDK-8322279: Generational ZGC: Use ZFragmentationLimit and ZYoungCompactionLimit as percentage instead of multiples + - JDK-8322282: Incorrect LoaderConstraintTable::add_entry after JDK-8298468 + - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces + - JDK-8322417: Console read line with zero out should zero out when throwing exception + - JDK-8322418: Problem list gc/TestAllocHumongousFragment.java subtests for 8298781 + - JDK-8322512: StringBuffer.repeat does not work correctly after toString() was called + - JDK-8322583: RISC-V: Enable fast class initialization checks + - JDK-8322725: (tz) Update Timezone Data to 2023d + - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray + - JDK-8322772: Clean up code after JDK-8322417 + - JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output + - JDK-8322790: RISC-V: Tune costs for shuffles with no conversion + - JDK-8322957: Generational ZGC: Relocation selection must join the STS + - JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + - JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread + - JDK-8323065: Unneccesary CodeBlob lookup in CompiledIC::internal_set_ic_destination + - JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation + - JDK-8323101: C2: assert(n->in(0) == nullptr) failed: divisions with zero check should already have bailed out earlier in split-if + - JDK-8323154: C2: assert(cmp != nullptr && cmp->Opcode() == Op_Cmp(bt)) failed: no exit test + - JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + - JDK-8323331: fix typo hpage_pdm_size + - JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled + - JDK-8323515: Create test alias "all" for all test roots + - JDK-8323637: Capture hotspot replay files in GHA + - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + - JDK-8323659: LinkedTransferQueue add and put methods call overridable offer + - JDK-8323664: java/awt/font/JNICheck/FreeTypeScalerJNICheck.java still fails with JNI warning on some Windows configurations + - JDK-8323667: Library debug files contain non-reproducible full gcc include paths + - JDK-8323671: DevKit build gcc libraries contain full paths to source location + - JDK-8323717: Introduce test keyword for tests that need external dependencies + - JDK-8323964: runtime/Thread/ThreadCountLimit.java fails intermittently on AIX + - JDK-8324050: Issue store-store barrier after re-materializing objects during deoptimization + - JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode + - JDK-8324347: Enable "maybe-uninitialized" warning for FreeType 2.13.1 + - JDK-8324514: ClassLoaderData::print_on should print address of class loader + - JDK-8324598: use mem_unit when working with sysinfo memory and swap related information + - JDK-8324637: [aix] Implement support for reporting swap space in jdk.management + - JDK-8324647: Invalid test group of lib-test after JDK-8323515 + - JDK-8324659: GHA: Generic jtreg errors are not reported + - JDK-8324753: [AIX] adjust os_posix after JDK-8318696 + - JDK-8324858: [vectorapi] Bounds checking issues when accessing memory segments + - JDK-8324874: AArch64: crypto pmull based CRC32/CRC32C intrinsics clobber V8-V15 registers + - JDK-8324937: GHA: Avoid multiple test suites per job + - JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 + - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing + - JDK-8325150: (tz) Update Timezone Data to 2024a + - JDK-8325194: GHA: Add macOS M1 testing + - JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive + - JDK-8325444: GHA: JDK-8325194 causes a regression + - JDK-8325470: [AIX] use fclose after fopen in read_psinfo + - JDK-8325496: Make TrimNativeHeapInterval a product switch + - JDK-8325672: C2: allocate PhaseIdealLoop::_loop_or_ctrl from C->comp_arena() + - JDK-8325876: crashes in docker container tests on Linuxppc64le Power8 machines + - JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE + - JDK-8327391: Add SipHash attribution file + - JDK-8329838: [21u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 21.0.3 + +Notes on individual issues: +=========================== + +tools/javac: + +JDK-8317300: Align `javac` with the Java Language Specification by Rejecting `final` in Record Patterns +======================================================================================================= +Java 21 enhanced the language with pattern matching for switch +statements. However, the javac compiler released with OpenJDK 21 +allowed the 'final' keyword to be used in front of a record pattern +(e.g. `case final R(...) ->`), which is a violation of the Java +Language specification. + +With this release of OpenJDK 21, programs using `final` within a +switch statement will now fail to compile. The erroneous keyword will +need to be removed to allow the program to be compiled. + +security-libs/javax.xml.crypto: + +JDK-8319124: Update XML Security for Java to 3.0.3 +================================================== +The XML signature implementation in OpenJDK 21 has been updated to +Apache Santuario 3.0.3. This update introduces four new SHA-3 based +RSA-MGF1 SignatureMethod algorithms. + +However, the API of javax.xml.crypto.dsig.SignatureMethod can not be +changed in update releases to provide constants for these new +algorithms. The equivalent string literals should be used as below: + +* SHA3_224_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1" +* SHA3_256_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1" +* SHA3_384_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1" +* SHA3_512_RSA_MGF1: "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1" + +hotspot/runtime: + +JDK-8325496: Make TrimNativeHeapInterval a product switch +========================================================= +The option '-XX:TrimNativeHeapInterval=ms', where 'ms' is the interval +in milliseconds, is now an official product switch. It allows the +virtual machine to trim the native heap at the specified interval on +supported platforms (currently only Linux with glibc). A value of +zero (the default) disables trimming. + +client-libs/java.awt: + +JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops +======================================================================= +The java.awt.SystemTray API is used to interact with the system's +desktop taskbar to provide notifications and may include an icon +representing an application. The GNOME desktop's support for taskbar +icons has not worked properly for several years, due to a platform +bug. This bug, in turn, affects the JDK's SystemTray support on GNOME +desktops. + +Therefore, in accordance with the SystemTray API specification, +java.awt.SystemTray.isSupported() will now return false on systems +that exhibit this bug, which is assumed to be those running a version +of GNOME Shell below 45. + +The impact of this change is likely to be minimal, as users of the +SystemTray API should already be able to handle isSupported() +returning false and the system tray on such platforms has already been +unsupported for a number of years for all applications. + +security-libs/java.security: + +JDK-8321408: Added Certainly R1 and E1 Root Certificates +======================================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certainly +Alias Name: certainlyrootr1 +Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US + +Name: Certainly +Alias Name: certainlyroote1 +Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US + +hotspot/gc: + +JDK-8310031: Parallel: Precise Parallel Scanning of Large Object Arrays for Young Collection Roots +================================================================================================== +During the collection of young generation objects, the ParallelGC +collector partitions the old generation into 64kB stripes to scan for +references to the young generation. The stripes are assigned to worker +threads to do the scanning in parallel. + +However, previous releases of OpenJDK 21 did not constrain these +worker threads to their own stripe. Parallelism was limited as a +single thread could end up scanning a large object with thousands of +references across multiple stripes, if it happened to start in its +allocated stripe. This also resulted in bad scaling, due to the +subsequent memory sharing associated with multiple threads working on +the same stripe. + +In this release, workers are limited to their stripe and only process +interesting parts of large object arrays. Pauses for the ParallelGC +collector are now on par with the G1 collector when large object +arrays are present, reducing pause times by four to five times in some +cases. + +JDK-8325074: ZGC fails assert(index == 0 || is_power_of_2(index)) failed: Incorrect load shift: 11 +================================================================================================== +Running the virtual machine with `-XX:+UseZGC` and a non-default value +of `-XX:ObjectAlignmentInBytes` had the potential to crash or perform +incorrect execution. This was due to `ZBarrierSet::clone_obj_array` +not taking into account padding words at the end of an ObjArray. This +has now been rectified in this release. + +New in release OpenJDK 21.0.2 (2024-01-16): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk2102 + +* CVEs + - CVE-2024-20918 + - CVE-2024-20919 + - CVE-2024-20921 + - CVE-2024-20945 + - CVE-2024-20952 +* Security fixes + - JDK-8308204: Enhanced certificate processing + - JDK-8314295: Enhance verification of verifier + - JDK-8314307: Improve loop handling + - JDK-8314468: Improve Compiler loops + - JDK-8316976: Improve signature handling + - JDK-8317547: Enhance TLS connection support +* Other changes + - JDK-8038244: (fs) Check return value of malloc in Java_sun_nio_fs_AixNativeDispatcher_getmntctl() + - JDK-8161536: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java fails with ProviderException + - JDK-8219652: [aix] Tests failing with JNI attach problems. + - JDK-8225377: type annotations are not visible to javac plugins across compilation boundaries + - JDK-8232839: JDI AfterThreadDeathTest.java failed due to "FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()" + - JDK-8267502: JDK-8246677 caused 16x performance regression in SynchronousQueue + - JDK-8267509: Improve IllegalAccessException message to include the cause of the exception + - JDK-8268916: Tests for AffirmTrust roots + - JDK-8286757: adlc tries to build with /pathmap but without /experimental:deterministic + - JDK-8294156: Allow PassFailJFrame.Builder to create test UI + - JDK-8294158: HTML formatting for PassFailJFrame instructions + - JDK-8294427: Check boxes and radio buttons have rendering issues on Windows in High DPI env + - JDK-8294535: Add screen capture functionality to PassFailJFrame + - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests + - JDK-8295555: Primitive wrapper caches could be `@Stable` + - JDK-8299614: Shenandoah: STW mark should keep nmethod/oops referenced from stack chunk alive + - JDK-8300663: java/util/concurrent/SynchronousQueue/Fairness.java failed with "Error: fair=true i=0 j=1" + - JDK-8301247: JPackage app-image exe launches multiple exe's in JDK 17+ + - JDK-8301341: LinkedTransferQueue does not respect timeout for poll() + - JDK-8301457: Code in SendPortZero.java is uncommented even after JDK-8236852 was fixed + - JDK-8301489: C1: ShortLoopOptimizer might lift instructions before their inputs + - JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + - JDK-8303737: C2: Load can bypass subtype check that enforces it's from the right object type + - JDK-8306561: Possible out of bounds access in print_pointer_information + - JDK-8308103: Massive (up to ~30x) increase in C2 compilation time since JDK 17 + - JDK-8308452: Extend internal Architecture enum with byte order and address size + - JDK-8308479: [s390x] Implement alternative fast-locking scheme + - JDK-8308592: Framework for CA interoperability testing + - JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows + - JDK-8309209: C2 failed "assert(_stack_guard_state == stack_guard_reserved_disabled) failed: inconsistent state" + - JDK-8309305: sun/security/ssl/SSLSocketImpl/BlockedAsyncClose.java fails with jtreg test timeout + - JDK-8309545: Thread.interrupted from virtual thread needlessly resets interrupt status + - JDK-8309663: test fails "assert(check_alignment(result)) failed: address not aligned: 0x00000008baadbabe" + - JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + - JDK-8309974: some JVMCI tests fail when VM options include -XX:+EnableJVMCI + - JDK-8310239: Add missing cross modifying fence in nmethod entry barriers + - JDK-8310512: Cleanup indentation in jfc files + - JDK-8310596: Utilize existing method frame::interpreter_frame_monitor_size_in_bytes() + - JDK-8310982: jdk/internal/util/ArchTest.java fails after JDK-8308452 failed with Method isARM() + - JDK-8311261: [AIX] TestAlwaysPreTouchStacks.java fails due to java.lang.RuntimeException: Did not find expected NMT output + - JDK-8311514: Incorrect regex in TestMetaSpaceLog.java + - JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + - JDK-8311591: Add SystemModulesPlugin test case that splits module descriptors with new local variables defined by DedupSetBuilder + - JDK-8311630: [s390] Implementation of Foreign Function & Memory API (Preview) + - JDK-8311631: When multiple users run tools/jpackage/share/LicenseTest.java, Permission denied for writing /var/tmp/*.files + - JDK-8311680: Update the release version after forking Oct CPU23_10 + - JDK-8311681: Update the Jan CPU24_01 release date in master branch after forking Oct CPU23_10 + - JDK-8311813: C1: Uninitialized PhiResolver::_loop field + - JDK-8311938: Add default cups include location for configure on AIX + - JDK-8312078: [PPC] JcmdScale.java Failing on AIX + - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955 + - JDK-8312166: (dc) DatagramChannel's socket adaptor does not release carrier thread when blocking in receive + - JDK-8312174: missing JVMTI events from vthreads parked during JVMTI attach + - JDK-8312191: ColorConvertOp.filter for the default destination is too slow + - JDK-8312433: HttpClient request fails due to connection being considered idle and closed + - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with "can't seal package nu.xom" + - JDK-8312440: assert(cast != nullptr) failed: must have added a cast to pin the node + - JDK-8312466: /bin/nm usage in AIX makes needs -X64 flag + - JDK-8312467: relax the builddir check in make/autoconf/basic.m4 + - JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0 update + - JDK-8312612: handle WideCharToMultiByte return values + - JDK-8313164: src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp GetRGBPixels adjust releasing of resources + - JDK-8313167: Update to use jtreg 7.3 + - JDK-8313206: PKCS11 tests silently skip execution + - JDK-8313244: NM flags handling in configure process + - JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + - JDK-8313322: RISC-V: implement MD5 intrinsic + - JDK-8313368: (fc) FileChannel.size returns 0 on block special files + - JDK-8313575: Refactor PKCS11Test tests + - JDK-8313616: support loading library members on AIX in os::dll_load + - JDK-8313643: Update HarfBuzz to 8.2.2 + - JDK-8313656: assert(!JvmtiExport::can_support_virtual_threads()) with -XX:-DoJVMTIVirtualThreadTransitions + - JDK-8313756: [BACKOUT] 8308682: Enhance AES performance + - JDK-8313760: [REDO] Enhance AES performance + - JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic + - JDK-8313781: Add regression tests for large page logging and user-facing error messages + - JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used + - JDK-8313792: Verify 4th party information in src/jdk.internal.le/share/legal/jline.md + - JDK-8313873: java/nio/channels/DatagramChannel/SendReceiveMaxSize.java fails on AIX due to small default RCVBUF size and different IPv6 Header interpretation + - JDK-8314045: ArithmeticException in GaloisCounterMode + - JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on Windows when run as user with Administrator privileges + - JDK-8314120: Add tests for FileDescriptor.sync + - JDK-8314121: test tools/jpackage/share/RuntimePackageTest.java#id0 fails on RHEL8 + - JDK-8314191: C2 compilation fails with "bad AD file" + - JDK-8314226: Series of colon-style fallthrough switch cases with guards compiled incorrectly + - JDK-8314242: Update applications/scimark/Scimark.java to accept VM flags + - JDK-8314246: javax/swing/JToolBar/4529206/bug4529206.java fails intermittently on Linux + - JDK-8314263: Signed jars triggering Logger finder recursion and StackOverflowError + - JDK-8314330: java/foreign tests should respect vm flags when start new processes + - JDK-8314476: TestJstatdPortAndServer.java failed with "java.rmi.NoSuchObjectException: no such object in table" + - JDK-8314495: Update to use jtreg 7.3.1 + - JDK-8314551: More generic way to handshake GC threads with monitor deflation + - JDK-8314580: PhaseIdealLoop::transform_long_range_checks fails with assert "was tested before" + - JDK-8314632: Intra-case dominance check fails in the presence of a guard + - JDK-8314759: VirtualThread.parkNanos timeout adjustment when pinned should be replaced + - JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + - JDK-8314935: Shenandoah: Unable to throw OOME on back-to-back Full GCs + - JDK-8315026: ProcessHandle implementation listing processes on AIX should use getprocs64 + - JDK-8315062: [GHA] get-bootjdk action should return the abolute path + - JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) + - JDK-8315088: C2: assert(wq.size() - before == EMPTY_LOOP_SIZE) failed: expect the EMPTY_LOOP_SIZE nodes of this body if empty + - JDK-8315195: RISC-V: Update hwprobe query for new extensions + - JDK-8315206: RISC-V: hwprobe query is_set return wrong value + - JDK-8315213: java/lang/ProcessHandle/TreeTest.java test enhance output of children + - JDK-8315214: Do not run sun/tools/jhsdb tests concurrently + - JDK-8315362: NMT: summary diff reports threads count incorrectly + - JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? + - JDK-8315383: jlink SystemModulesPlugin incorrectly parses the options + - JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + - JDK-8315437: Enable parallelism in vmTestbase/nsk/monitoring/stress/classload tests + - JDK-8315442: Enable parallelism in vmTestbase/nsk/monitoring/stress/thread tests + - JDK-8315452: Erroneous AST missing modifiers for partial input + - JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + - JDK-8315545: C1: x86 cmove can use short branches + - JDK-8315549: CITime misreports code/total nmethod sizes + - JDK-8315554: C1: Replace "cmp reg, 0" with "test reg, reg" on x86 + - JDK-8315578: PPC builds are broken after JDK-8304913 + - JDK-8315579: SPARC64 builds are broken after JDK-8304913 + - JDK-8315606: Open source few swing text/html tests + - JDK-8315612: RISC-V: intrinsic for unsignedMultiplyHigh + - JDK-8315644: increase timeout of sun/security/tools/jarsigner/Warning.java + - JDK-8315651: Stop hiding AIX specific multicast socket errors via NetworkConfiguration (aix) + - JDK-8315683: Parallelize java/util/concurrent/tck/JSR166TestCase.java + - JDK-8315684: Parallelize sun/security/util/math/TestIntegerModuloP.java + - JDK-8315688: Update jdk21u fix version to 21.0.2 + - JDK-8315692: Parallelize gc/stress/TestStressRSetCoarsening.java test + - JDK-8315696: SignedLoggerFinderTest.java test failed + - JDK-8315702: jcmd Thread.dump_to_file slow with millions of virtual threads + - JDK-8315706: com/sun/tools/attach/warnings/DynamicLoadWarningTest.java real fix for failure on AIX + - JDK-8315735: VerifyError when switch statement used with synchronized block + - JDK-8315751: RandomTestBsi1999 fails often with timeouts on Linux ppc64le + - JDK-8315766: Parallelize gc/stress/TestStressIHOPMultiThread.java test + - JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java should run with -XX:-VerifyDependencies + - JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests + - JDK-8315863: [GHA] Update checkout action to use v4 + - JDK-8315869: UseHeavyMonitors not used + - JDK-8315920: C2: "control input must dominate current control" assert failure + - JDK-8315931: RISC-V: xxxMaxVectorTestsSmokeTest fails when using RVV + - JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test + - JDK-8315937: Enable parallelism in vmTestbase/nsk/stress/numeric tests + - JDK-8315942: Sort platform enums and definitions after JDK-8304913 follow-ups + - JDK-8315960: test/jdk/java/io/File/TempDirDoesNotExist.java leaves test files behind + - JDK-8315971: ProblemList containers/docker/TestMemoryAwareness.java on linux-all + - JDK-8316003: Update FileChooserSymLinkTest.java to HTML instructions + - JDK-8316017: Refactor timeout handler in PassFailJFrame + - JDK-8316025: Use testUI() method of PassFailJFrame.Builder in FileChooserSymLinkTest.java + - JDK-8316030: Update Libpng to 1.6.40 + - JDK-8316031: SSLFlowDelegate should not log from synchronized block + - JDK-8316060: test/hotspot/jtreg/runtime/reflect/ReflectOutOfMemoryError.java may fail if heap is huge + - JDK-8316087: Test SignedLoggerFinderTest.java is still failing + - JDK-8316113: Infinite permission checking loop in java/net/spi/InetAddressResolverProvider/RuntimePermissionTest + - JDK-8316123: ProblemList serviceability/dcmd/gc/RunFinalizationTest.java on AIX + - JDK-8316130: Incorrect control in LibraryCallKit::inline_native_notify_jvmti_funcs + - JDK-8316142: Enable parallelism in vmTestbase/nsk/monitoring/stress/lowmem tests + - JDK-8316156: ByteArrayInputStream.transferTo causes MaxDirectMemorySize overflow + - JDK-8316178: Better diagnostic header for CodeBlobs + - JDK-8316179: Use consistent naming for lightweight locking in MacroAssembler + - JDK-8316181: Move the fast locking implementation out of the .ad files + - JDK-8316199: Remove sun/tools/jstatd/TestJstatd* tests from problemlist for Windows. + - JDK-8316206: Test StretchedFontTest.java fails for Baekmuk font + - JDK-8316304: (fs) Add support for BasicFileAttributes.creationTime() for Linux + - JDK-8316337: (bf) Concurrency issue in DirectByteBuffer.Deallocator + - JDK-8316341: sun/security/pkcs11/PKCS11Test.java needs adjustment on Linux ppc64le Ubuntu 22 + - JDK-8316387: Exclude more failing multicast tests on AIX after JDK-8315651 + - JDK-8316396: Endless loop in C2 compilation triggered by AddNode::IdealIL + - JDK-8316399: Exclude java/net/MulticastSocket/Promiscuous.java on AIX + - JDK-8316400: Exclude jdk/jfr/event/runtime/TestResidentSetSizeEvent.java on AIX + - JDK-8316401: sun/tools/jhsdb/JStackStressTest.java failed with "InternalError: We should have found a thread that owns the anonymous lock" + - JDK-8316411: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with force inline by CompileCommand missing + - JDK-8316414: C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 + - JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests + - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC + - JDK-8316436: ContinuationWrapper uses unhandled nullptr oop + - JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + - JDK-8316468: os::write incorrectly handles partial write + - JDK-8316514: Better diagnostic header for VtableStub + - JDK-8316540: StoreReproducibilityTest fails on some locales + - JDK-8316566: RISC-V: Zero extended narrow oop passed to Atomic::cmpxchg + - JDK-8316581: Improve performance of Symbol::print_value_on() + - JDK-8316585: [REDO] runtime/InvocationTests spend a lot of time on dependency verification + - JDK-8316645: RISC-V: Remove dependency on libatomic by adding cmpxchg 1b + - JDK-8316648: jrt-fs.jar classes not reproducible between standard and bootcycle builds + - JDK-8316659: assert(LockingMode != LM_LIGHTWEIGHT || flag == CCR0) failed: bad condition register + - JDK-8316671: sun/security/ssl/SSLSocketImpl/SSLSocketCloseHang.java test fails intermittent with Read timed out + - JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable + - JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java + - JDK-8316719: C2 compilation still fails with "bad AD file" + - JDK-8316735: Print LockStack in hs_err files + - JDK-8316741: BasicStroke.createStrokedShape miter-limits failing on small shapes + - JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic option result to warning + - JDK-8316746: Top of lock-stack does not match the unlocked object + - JDK-8316778: test hprof lib: invalid array element type from JavaValueArray.elementSize + - JDK-8316859: RISC-V: Disable detection of V through HWCAP + - JDK-8316879: RegionMatches1Tests fails if CompactStrings are disabled after JDK-8302163 + - JDK-8316880: AArch64: "stop: Header is not fast-locked" with -XX:-UseLSE since JDK-8315880 + - JDK-8316894: make test TEST="jtreg:test/jdk/..." fails on AIX + - JDK-8316906: Clarify TLABWasteTargetPercent flag + - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries + - JDK-8316933: RISC-V: compiler/vectorapi/VectorCastShape128Test.java fails when using RVV + - JDK-8316935: [s390x] Use consistent naming for lightweight locking in MacroAssembler + - JDK-8316958: Add test for unstructured locking + - JDK-8316967: Correct the scope of vmtimer in UnregisteredClasses::load_class + - JDK-8317039: Enable specifying the JDK used to run jtreg + - JDK-8317136: [AIX] Problem List runtime/jni/terminatedThread/TestTerminatedThread.java + - JDK-8317257: RISC-V: llvm build broken + - JDK-8317262: LockStack::contains(oop) fails "assert(t->is_Java_thread()) failed: incorrect cast to JavaThread" + - JDK-8317294: Classloading throws exceptions over already pending exceptions + - JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + - JDK-8317331: Solaris build failed with "declaration can not follow a statement (E_DECLARATION_IN_CODE)" + - JDK-8317335: Build on windows fails after 8316645 + - JDK-8317336: Assertion error thrown during 'this' escape analysis + - JDK-8317340: Windows builds are not reproducible if MS VS compiler install path differs + - JDK-8317373: Add Telia Root CA v2 + - JDK-8317374: Add Let's Encrypt ISRG Root X2 + - JDK-8317439: Updating RE Configs for BUILD REQUEST 21.0.2+1 + - JDK-8317507: C2 compilation fails with "Exceeded _node_regs array" + - JDK-8317510: Change Windows debug symbol files naming to avoid losing info when an executable and a library share the same name + - JDK-8317581: [s390x] Multiple test failure with LockingMode=2 + - JDK-8317601: Windows build on WSL broken after JDK-8317340 + - JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win) + - JDK-8317692: jcmd GC.heap_dump performance regression after JDK-8292818 + - JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh on linux-ppc64le and aix due to JDK-8248691 + - JDK-8317706: Exclude java/awt/Graphics2D/DrawString/RotTransText.java on linux + - JDK-8317711: Exclude gtest/GTestWrapper.java on AIX + - JDK-8317736: Stream::handleReset locks twice + - JDK-8317751: ProblemList ConsumeForModalDialogTest.java, MenuItemActivatedTest.java & MouseModifiersUnitTest_Standard.java for windows + - JDK-8317772: NMT: Make peak values available in release builds + - JDK-8317790: Fix Bug entry for exclusion of runtime/jni/terminatedThread/TestTerminatedThread.java on AIX + - JDK-8317803: Exclude java/net/Socket/asyncClose/Race.java on AIX + - JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039 + - JDK-8317818: Combinatorial explosion during 'this' escape analysis + - JDK-8317834: java/lang/Thread/IsAlive.java timed out + - JDK-8317839: Exclude java/nio/channels/Channels/SocketChannelStreams.java on AIX + - JDK-8317920: JDWP-agent sends broken exception event with onthrow option + - JDK-8317959: Check return values of malloc in native java.base coding + - JDK-8317964: java/awt/Mouse/MouseModifiersUnitTest/MouseModifiersUnitTest_Standard.java fails on macosx-all after JDK-8317751 + - JDK-8317967: Enhance test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to handle default cases + - JDK-8317987: C2 recompilations cause high memory footprint + - JDK-8318078: ADLC: pass ASSERT and PRODUCT flags + - JDK-8318089: Class space not marked as such with NMT when CDS is off + - JDK-8318137: Change milestone to fcs for all releases + - JDK-8318144: Match on enum constants with body compiles but fails with MatchException + - JDK-8318183: C2: VM may crash after hitting node limit + - JDK-8318240: [AIX] Cleaners.java test failure + - JDK-8318415: Adjust describing comment of os_getChildren after 8315026 + - JDK-8318474: Fix memory reporter for thread_count + - JDK-8318525: Atomic gtest should run as TEST_VM to access VM capabilities + - JDK-8318528: Rename TestUnstructuredLocking test + - JDK-8318540: make test cannot run .jasm tests directly + - JDK-8318562: Computational test more than 2x slower when AVX instructions are used + - JDK-8318587: refresh libraries cache on AIX in print_vm_info + - JDK-8318591: avoid leaks in loadlib_aix.cpp reload_table() + - JDK-8318669: Target OS detection in 'test-prebuilt' makefile target is incorrect when running on MSYS2 + - JDK-8318705: [macos] ProblemList java/rmi/registry/multipleRegistries/MultipleRegistries.java + - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with "transport error 202: bind failed: Address already in use" + - JDK-8318759: Add four DigiCert root certificates + - JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + - JDK-8318895: Deoptimization results in incorrect lightweight locking stack + - JDK-8318951: Additional negative value check in JPEG decoding + - JDK-8318953: RISC-V: Small refactoring for MacroAssembler::test_bit + - JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + - JDK-8318957: enhance agentlib:jdwp help output by info about allow option + - JDK-8318961: increase javacserver connection timeout values and max retry attempts + - JDK-8318981: compiler/compilercontrol/TestConflictInlineCommands.java fails intermittent with 'disallowed by CompileCommand' missing from stdout/stderr + - JDK-8319104: GtestWrapper crashes with SIGILL in AsyncLogTest::test_asynclog_raw on AIX opt + - JDK-8319120: Unbound ScopedValue.get() throws the wrong exception + - JDK-8319184: RISC-V: improve MD5 intrinsic + - JDK-8319187: Add three eMudhra emSign roots + - JDK-8319195: Move most tier 1 vector API regression tests to tier 3 + - JDK-8319268: Build failure with GCC8.3.1 after 8313643 + - JDK-8319339: Internal error on spurious markup in a hybrid snippet + - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader + - JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad under riscv/gc + - JDK-8319532: jshell - Non-sealed declarations sometimes break a snippet evaluation + - JDK-8319542: Fix boundaries of region to be tested with os::is_readable_range + - JDK-8319700: [AArch64] C2 compilation fails with "Field too big for insn" + - JDK-8319828: runtime/NMT/VirtualAllocCommitMerge.java may fail if mixing interpreted and compiled native invocations + - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 + - JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not compile on Windows 32-bit + - JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks + - JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + - JDK-8320053: GHA: Cross-compile gtest code + - JDK-8320209: VectorMaskGen clobbers rflags on x86_64 + - JDK-8320280: RISC-V: Avoid passing t0 as temp register to MacroAssembler::lightweight_lock/unlock + - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + - JDK-8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all + - JDK-8321067: Unlock experimental options in EATests.java + - JDK-8322883: [BACKOUT] 8225377: type annotations are not visible to javac plugins across compilation boundaries + - JDK-8322985: [BACKOUT] 8318562: Computational test more than 2x slower when AVX instructions are used + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8308593: Add KEEPALIVE Extended Socket Options Support for Windows +====================================================================== +On Windows 10 version 1709 and above, TCP_KEEPIDLE and +TCP_KEEPINTERVAL are now supported in the +java.net.ExtendedSocketOptions class. Similarly, on Windows 10 +version 1703 and above, TCP_KEEPCOUNT is now supported. + +hotspot/compiler: + +JDK-8315082: [REDO] Generational ZGC: Tests crash with assert(index == 0 || is_power_of_2(index)) +================================================================================================= +In the initial release of JDK 21, running the JVM with -XX:+UseZGC and +a non-default value of -XX:ObjectAlignmentInBytes could lead to JVM +crashes or incorrect execution. This issue should now be resolved and +it should be possible to use these options again. + +hotspot/runtime: + +JDK-8317772: NMT: Make peak values available in release builds +============================================================== +The peak value is the highest value for committed memory in a given +Native Memory Tracking (NMT) category over the lifetime of the JVM +process. NMT reports will now show the peak value for all categories. + +If the committed memory for a category is at its peak, NMT will +print "at peak". Otherwise, it prints the peak value. + +For example, "Compiler (arena=196KB #4) (peak=6126KB #16)" shows that +compiler arena memory peaked above 6 MB, but now hovers around 200KB. + +JDK-8313782: Add user-facing warning if THPs are enabled but cannot be used +=========================================================================== +On Linux, the JVM will now print the following message to standard +output if Transparent Huge Pages (THPs) are requested, but are not +supported on the operating system: + +"UseTransparentHugePages disabled; transparent huge pages are not +supported by the operating system." + +security-libs/java.security: + +JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt +================================================================= +The following root certificate has been added to the cacerts +truststore: + +Name: Let's Encrypt +Alias Name: letsencryptisrgx2 +Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US + +JDK-8318759: Added Four Root Certificates from DigiCert, Inc. +============================================================= +The following root certificates have been added to the cacerts +truststore: + +Name: DigiCert, Inc. +Alias Name: digicertcseccrootg5 +Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicertcsrsarootg5 +Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlseccrootg5 +Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US + +Name: DigiCert, Inc. +Alias Name: digicerttlsrsarootg5 +Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US + +JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited +============================================================================ +The following root certificates have been added to the cacerts +truststore: + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag1 +Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsigneccrootcag3 +Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +Name: eMudhra Technologies Limited +Alias Name: emsignrootcag2 +Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN + +JDK-8317373: Added Telia Root CA v2 Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Telia Root CA v2 +Alias Name: teliarootcav2 +Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ``` + +New in release OpenJDK 21.0.1 (2023-10-17): +=========================================== + +* CVEs + - CVE-2023-22081 + - CVE-2023-22025 +* Security fixes + - JDK-8286503, JDK-8312367: Enhance security classes + - JDK-8296581: Better system proxy support + - JDK-8297856: Improve handling of Bidi characters + - JDK-8309966: Enhanced TLS connections + - JDK-8312248: Enhanced archival support redux + - JDK-8314649: Enhanced archival support redux + - JDK-8317121: vector_masked_load instruction is moved too early after JDK-8286941 +* Other changes + - JDK-8240567: MethodTooLargeException thrown while creating a jlink image + - JDK-8284772: GHA: Use GCC Major Version Dependencies Only + - JDK-8293114: JVM should trim the native heap + - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge + - JDK-8302017: Allocate BadPaddingException only if it will be thrown + - JDK-8303815: Improve Metaspace test speed + - JDK-8304954: SegmentedCodeCache fails when using large pages + - JDK-8307766: Linux: Provide the option to override the timer slack + - JDK-8308042: [macos] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters + - JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/BasicCancelTest.java timed out and also had jcmd pipe errors + - JDK-8308184: Launching java with large number of jars in classpath with java.protocol.handler.pkgs system property set can lead to StackOverflowError + - JDK-8308474: DSA does not reset SecureRandom when initSign is called again + - JDK-8308609: java/lang/ScopedValue/StressStackOverflow.java fails with "-XX:-VMContinuations" + - JDK-8309032: jpackage does not work for module projects unless --module-path is specified + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8309214: sun/security/pkcs11/KeyStore/CertChainRemoval.java fails after 8301154 + - JDK-8309475: Test java/foreign/TestByteBuffer.java fails: a problem with msync (aix) + - JDK-8309502: RISC-V: String.indexOf intrinsic may produce misaligned memory loads + - JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level + - JDK-8309746: Reconfigure check should include make/conf/version-numbers.conf + - JDK-8309889: [s390] Missing return statement after calling jump_to_native_invoker method in generate_method_handle_dispatch. + - JDK-8310106: sun.security.ssl.SSLHandshake.getHandshakeProducer() incorrectly checks handshakeConsumers + - JDK-8310171: Bump version numbers for 21.0.1 + - JDK-8310211: serviceability/jvmti/thread/GetStackTrace/getstacktr03/getstacktr03.java failing + - JDK-8310233: Fix THP detection on Linux + - JDK-8310268: RISC-V: misaligned memory access in String.Compare intrinsic + - JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose + - JDK-8310586: ProblemList java/lang/ScopedValue/StressStackOverflow.java#default with virtual threads on linux-all + - JDK-8310687: JDK-8303215 is incomplete + - JDK-8310873: Re-enable locked_create_entry symbol check in runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V + - JDK-8311026: Some G1 specific tests do not set -XX:+UseG1GC + - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute + - JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + - JDK-8311249: Remove unused MemAllocator::obj_memory_range + - JDK-8311285: report some fontconfig related environment variables in hs_err file + - JDK-8311511: Improve description of NativeLibrary JFR event + - JDK-8311592: ECKeySizeParameterSpec causes too many exceptions on third party providers + - JDK-8311682: Change milestone to fcs for all releases + - JDK-8311862: RISC-V: small improvements to shift immediate instructions + - JDK-8311917: MAP_FAILED definition seems to be obsolete in src/java.desktop/unix/native/common/awt/fontpath.c + - JDK-8311921: Inform about MaxExpectedDataSegmentSize in case of pthread_create failures on AIX + - JDK-8311923: TestIRMatching.java fails on RISC-V + - JDK-8311926: java/lang/ScopedValue/StressStackOverflow.java takes 9mins in tier1 + - JDK-8311955: c++filt is now ibm-llvm-cxxfilt when using xlc17 / clang on AIX + - JDK-8311981: Test gc/stringdedup/TestStringDeduplicationAgeThreshold.java#ZGenerational timed out + - JDK-8312127: FileDescriptor.sync should temporarily increase parallelism + - JDK-8312180: (bf) MappedMemoryUtils passes incorrect arguments to msync (aix) + - JDK-8312182: THPs cause huge RSS due to thread start timing issue + - JDK-8312394: [linux] SIGSEGV if kernel was built without hugepage support + - JDK-8312395: Improve assertions in growableArray + - JDK-8312401: SymbolTable::do_add_if_needed hangs when called in InstanceKlass::add_initialization_error path with requesting length exceeds max_symbol_length + - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + - JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative is failing: did not see the expected RSS reduction + - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException + - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) + - JDK-8312573: Failure during CompileOnly parsing leads to ShouldNotReachHere + - JDK-8312585: Rename DisableTHPStackMitigation flag to THPStackMitigation + - JDK-8312591: GCC 6 build failure after JDK-8280982 + - JDK-8312619: Strange error message when switching over long + - JDK-8312620: WSL Linux build crashes after JDK-8310233 + - JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java failed: RSS use increased + - JDK-8312909: C1 should not inline through interface calls with non-subtype receiver + - JDK-8312976: MatchResult produces StringIndexOutOfBoundsException for groups outside match + - JDK-8312984: javac may crash on a record pattern with too few components + - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + - JDK-8313248: C2: setScopedValueCache intrinsic exposes nullptr pre-values to store barriers + - JDK-8313262: C2: Sinking node may cause required cast to be dropped + - JDK-8313307: java/util/Formatter/Padding.java fails on some Locales + - JDK-8313312: Add missing classpath exception copyright header + - JDK-8313323: javac -g on a java file which uses unnamed variable leads to ClassFormatError when launching that class + - JDK-8313402: C1: Incorrect LoadIndexed value numbering + - JDK-8313428: GHA: Bump GCC versions for July 2023 updates + - JDK-8313576: GCC 7 reports compiler warning in bundled freetype 2.13.0 + - JDK-8313602: increase timeout for jdk/classfile/CorpusTest.java + - JDK-8313626: C2 crash due to unexpected exception control flow + - JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors + - JDK-8313676: Amend TestLoadIndexedMismatch test to target intrinsic directly + - JDK-8313678: SymbolTable can leak Symbols during cleanup + - JDK-8313691: use close after failing os::fdopen in vmError and ciEnv + - JDK-8313701: GHA: RISC-V should use the official repository for bootstrap + - JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase + - JDK-8313752: InstanceKlassFlags::print_on doesn't print the flag names + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer + - JDK-8313874: JNI NewWeakGlobalRef throws exception for null arg + - JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/CodeCacheFullCountTest.java fails with java.lang.VirtualMachineError + - JDK-8313904: [macos] All signing tests which verifies unsigned app images are failing + - JDK-8314020: Print instruction blocks in byte units + - JDK-8314024: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info + - JDK-8314063: The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection + - JDK-8314117: RISC-V: Incorrect VMReg encoding in RISCV64Frame.java + - JDK-8314118: Update JMH devkit to 1.37 + - JDK-8314139: TEST_BUG: runtime/os/THPsInThreadStackPreventionTest.java could fail on machine with large number of cores + - JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + - JDK-8314216: Case enumConstant, pattern compilation fails + - JDK-8314262: GHA: Cut down cross-compilation sysroots deeper + - JDK-8314423: Multiple patterns without unnamed variables + - JDK-8314426: runtime/os/TestTrimNative.java is failing on slow machines + - JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/JMapHeapConfigTest.java fails + - JDK-8314517: some tests fail in case ipv6 is disabled on the machine + - JDK-8314618: RISC-V: -XX:MaxVectorSize does not work as expected + - JDK-8314656: GHA: No need for Debian ports keyring installation after JDK-8313701 + - JDK-8314679: SA fails to properly attach to JVM after having just detached from a different JVM + - JDK-8314730: GHA: Drop libfreetype6-dev transitional package in favor of libfreetype-dev + - JDK-8314850: SharedRuntime::handle_wrong_method() gets called too often when resolving Continuation.enter + - JDK-8314960: Add Certigna Root CA - 2 + - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate. + - JDK-8315051: jdk/jfr/jvm/TestGetEventWriter.java fails with non-JVMCI GCs + - JDK-8315534: Incorrect warnings about implicit annotation processing + +Notes on individual issues: +=========================== + +core-libs/java.util.jar: + +JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) +===================================================================== +Additional validity checks in the handling of Zip64 files, +JDK-8302483, introduced in 21.0.0, caused the use of some valid zip +files to now fail with the error, `Invalid CEN header (invalid zip64 +extra data field size)` + +This release, 21.0.1, allows for zero length headers and additional +padding produced by some Zip64 creation tools. + +The following third party tools have also released patches to better +adhere to the ZIP File Format Specification: + +* Apache Commons Compress fix for Empty CEN Zip64 Extra Headers fixed in Commons Compress release 1.11 +* Apache Ant fix for Empty CEN Zip64 Extra Headers fixed in Ant 1.10.14 +* BND issue with writing invalid Extra Headers fixed in BND 5.3 + +The maven-bundle-plugin 5.1.5 includes the BND 5.3 patch. + +If these improved validation checks cause issues for deployed zip or +jar files, check how the file was created and whether patches are +available from the generating software to resolve the issue. With +both JDK releases, the checks can be disabled by setting the new +system property, `jdk.util.zip.disableZip64ExtraFieldValidation` to +`true`. + +hotspot/runtime: + +JDK-8311981: JVM May Hang When Using Generational ZGC if a VM Handshake Stalls on Memory +======================================================================================== +The JVM can hang under an uncommon condition that involves the JVM +running out of heap memory, the GC just starting a relocation phase to +reclaim memory, and a JVM thread-local Handshake asking to relocate an +object. This potential deadlock should now be avoided in this +release. + +core-libs/java.util.regex: + +JDK-8312976: `java.util.regex.MatchResult` Might Throw `StringIndexOutOfBoundsException` on Regex Patterns Containing Lookaheads and Lookbehinds +================================================================================================================================================ +JDK-8132995 introduced an unintended regression when using instances +returned by `java.util.regex.Matcher.toMatchResult()`. + +This regression happens with a `java.util.regex.Pattern`s containing +lookaheads and lookbehinds that, in turn, contain groups. If these are +located outside the match, a `StringIndexOutOfBoundsException` is +thrown when accessing these groups. See JDK-8312976 for an example. + +The issue is resolved in this release by calculating a minimum start +location as part of the match result and using this in constructing +String objects, rather than the location of the first match. + +JDK-8314960: Added Certigna Root CA Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + +JDK-8312489: Increase Default Value of the System Property `jdk.jar.maxSignatureFileSize` +========================================================================================= +A maximum signature file size property, jdk.jar.maxSignatureFileSize, +was introduced in the 21.0.0 release of OpenJDK by JDK-8300596 to +control the maximum size of signature files in a signed JAR. The +default value of 8MB proved to be too small for some JAR files. This +release, 21.0.1, increases it to 16MB. + +New in release OpenJDK 21.0.0 (2023-09-XX): +=========================================== +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 18 +through to 21. + +NEW FEATURES +============ + +Language Features +================= + +Pattern Matching for switch +=========================== +https://openjdk.org/jeps/406 +https://openjdk.org/jeps/420 +https://openjdk.org/jeps/427 +https://openjdk.org/jeps/433 +https://openjdk.org/jeps/441 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. + +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 17 (JEP 406), which saw a second preview in +OpenJDK 18 (JEP 420), a third in OpenJDK 19 (JEP 427) and a fourth +(JEP 427) in OpenJDK 20. It became final with OpenJDK 21 (JEP 441). + +Record Patterns +=============== +https://openjdk.org/jeps/405 +https://openjdk.org/jeps/432 +https://openjdk.org/jeps/440 + +Enhance the Java programming language with record patterns to +deconstruct record values. Record patterns and type patterns can be +nested to enable a powerful, declarative, and composable form of data +navigation and processing. + +This was a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 19 (JEP 405) with a second preview (JEP 432) in OpenJDK 20. +It became final with OpenJDK 21 (JEP 440). + +String Templates +================ +https://openjdk.org/jeps/430 + +Enhance the Java programming language with string templates. String +templates complement Java's existing string literals and text blocks +by coupling literal text with embedded expressions and template +processors to produce specialized results. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 430). + +Unnamed Patterns and Variables +============================== +https://openjdk.org/jeps/443 + +Enhance the Java language with unnamed patterns, which match a record +component without stating the component's name or type, and unnamed +variables, which can be initialized but not used. Both are denoted by +an underscore character, _. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 443). + +Unnamed Classes and Instance Main Methods (Preview) +=================================================== +https://openjdk.org/jeps/445 + +Evolve the Java language so that students can write their first +programs without needing to understand language features designed for +large programs. Far from using a separate dialect of Java, students +can write streamlined declarations for single-class programs and then +seamlessly expand their programs to use more advanced features as +their skills grow. + +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 21 (JEP 445). + +Library Features +================ + +UTF-8 by Default +================ +https://openjdk.org/jeps/400 + +Specify UTF-8 as the default charset of the standard Java APIs. With +this change, APIs that depend upon the default charset will behave +consistently across all implementations, operating systems, locales, +and configurations. + +Reimplement Core Reflection with Method Handles +=============================================== +https://openjdk.org/jeps/416 + +Reimplement java.lang.reflect.Method, Constructor, and Field on top of +java.lang.invoke method handles. Making method handles the underlying +mechanism for reflection will reduce the maintenance and development +cost of both the java.lang.reflect and java.lang.invoke APIs. + +Vector API +========== +https://openjdk.org/jeps/338 +https://openjdk.org/jeps/414 +https://openjdk.org/jeps/417 +https://openjdk.org/jeps/426 +https://openjdk.org/jeps/438 +https://openjdk.org/jeps/448 + +Introduce an API to express vector computations that reliably compile +at runtime to optimal vector hardware instructions on supported CPU +architectures and thus achieve superior performance to equivalent +scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16 (JEP 338). A second round of incubation took +place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third, +OpenJDK 19 a fourth (JEP 426), OpenJDK 20 (JEP 438) a fifth and +OpenJDK 21 a sixth (JEP 448). + +Internet-Address Resolution SPI +=============================== +https://openjdk.org/jeps/418 + +Define a service-provider interface (SPI) for host name and address +resolution, so that java.net.InetAddress can make use of resolvers +other than the platform's built-in resolver. + +Foreign Function & Memory API +============================= +https://openjdk.org/jeps/412 +https://openjdk.org/jeps/419 +https://openjdk.org/jeps/424 +https://openjdk.org/jeps/434 +https://openjdk.org/jeps/442 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is now a preview feature (http://openjdk.java.net/jeps/12). +It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an +evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and +Foreign Linker API (OpenJDK 16) (see release notes for +java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP +419) before its inclusion as a preview in OpenJDK 19 (JEP 424) and a +second in OpenJDK 20 (JEP 434). It reaches a third preview in OpenJDK +21 (JEP 442). + +Virtual Threads +=============== +https://openjdk.org/jeps/425 +https://openjdk.org/jeps/436 +https://openjdk.org/jeps/444 + +Introduce virtual threads to the Java Platform. Virtual threads are +lightweight threads that dramatically reduce the effort of writing, +maintaining, and observing high-throughput concurrent applications. + +This was a preview feature (http://openjdk.java.net/jeps/12) +introduced in OpenJDK 19 (JEP 425) and reaching its second preview in +OpenJDK 20 (JEP 436). It became final with OpenJDK 21 (JEP 444). + +Structured Concurrency +====================== +https://openjdk.org/jeps/428 +https://openjdk.org/jeps/437 +https://openjdk.org/jeps/453 + +Simplify multithreaded programming by introducing an API for +structured concurrency. Structured concurrency treats multiple tasks +running in different threads as a single unit of work, thereby +streamlining error handling and cancellation, improving reliability, +and enhancing observability. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 21 (JEP 453). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 19 (JEP 428) and had a +second round of incubation in OpenJDK 20 (JEP 437). + +Scoped Values +============= +https://openjdk.org/jeps/429 + +Introduce scoped values, which enable the sharing of immutable data +within and across threads. They are preferred to thread-local +variables, especially when using large numbers of virtual threads. + +This API is now a preview feature (http://openjdk.java.net/jeps/12) +in OpenJDK 21 (JEP 429). It was first introduced in incubation +(https://openjdk.java.net/jeps/11) in OpenJDK 20 (JEP 429). + +Sequenced Collections +===================== +https://openjdk.org/jeps/431 + +Introduce new interfaces to represent collections with a defined +encounter order. Each such collection has a well-defined first +element, second element, and so forth, up to the last element. It also +provides uniform APIs for accessing its first and last elements, and +for processing its elements in reverse order. + +Key Encapsulation Mechanism API +=============================== +https://openjdk.org/jeps/452 + +Introduce an API for key encapsulation mechanisms (KEMs), an +encryption technique for securing symmetric keys using public key +cryptography. + +Virtual Machine Enhancements +============================ + +Generational ZGC +================ +https://openjdk.org/jeps/439 + +Improve application performance by extending the Z Garbage Collector +(ZGC) to maintain separate generations for young and old objects. This +will allow ZGC to collect young objects — which tend to die young — +more frequently. + +Tools +===== + +Simple Web Server +================= +https://openjdk.org/jeps/408 + +Provide a command-line tool, `jwebserver`, to start a minimal web +server that serves static files only. No CGI or servlet-like +functionality is available. This tool will be useful for prototyping, +ad-hoc coding, and testing purposes, particularly in educational +contexts. + +Code Snippets in Java API Documentation +======================================= +https://openjdk.org/jeps/413 + +Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify +the inclusion of example source code in API documentation. + +Ports +===== + +Linux/RISC-V Port +================= +https://openjdk.org/jeps/422 + +RISC-V is a free and open-source RISC instruction set architecture +(ISA) designed originally at the University of California, Berkeley, +and now developed collaboratively under the sponsorship of RISC-V +International. It is already supported by a wide range of language +toolchains. With the increasing availability of RISC-V hardware, a +port of the JDK would be valuable. + +DEPRECATIONS +============ + +Deprecate Finalization for Removal +================================== +https://openjdk.org/jeps/421 + +Deprecate finalization for removal in a future release. Finalization +remains enabled by default for now, but can be disabled to facilitate +early testing. In a future release it will be disabled by default, and +in a later release it will be removed. Maintainers of libraries and +applications that rely upon finalization should consider migrating to +other resource management techniques such as the try-with-resources +statement and cleaners. + +Deprecate the Windows 32-bit x86 Port for Removal +================================================= +https://openjdk.org/jeps/449 + +Deprecate the Windows 32-bit x86 port, with the intent to remove it in +a future release. + +Prepare to Disallow the Dynamic Loading of Agents +================================================= +https://openjdk.org/jeps/451 + +Issue warnings when agents are loaded dynamically into a running +JVM. These warnings aim to prepare users for a future release which +disallows the dynamic loading of agents by default in order to improve +integrity by default. Serviceability tools that load agents at startup +will not cause warnings to be issued in any release. diff --git a/SOURCES/README.md b/SOURCES/README.md new file mode 100644 index 0000000..cf5e219 --- /dev/null +++ b/SOURCES/README.md @@ -0,0 +1,39 @@ +OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform. + +For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream +release page for OpenJDK 21 and the preceding interim releases: + +* 18: https://openjdk.java.net/projects/jdk/18/ +* 19: https://openjdk.java.net/projects/jdk/19/ +* 20: https://openjdk.java.net/projects/jdk/20/ +* 21: https://openjdk.java.net/projects/jdk/21/ + +# Rebuilding the OpenJDK package + +The OpenJDK packages are now created from a single build which is then +packaged for different major versions of Red Hat Enterprise Linux +(RHEL). This allows the OpenJDK team to focus their efforts on the +development and testing of this single build, rather than having +multiple builds which only differ by the platform they were built on. + +This does make rebuilding the package slightly more complicated than a +normal package. Modifications should be made to the +`java-21-openjdk-portable.specfile` file, which can be found with this +README file in the source RPM or installed in the documentation tree +by the `java-21-openjdk-headless` RPM. + +Once the modified `java-21-openjdk-portable` RPMs are built, they +should be installed and will produce a number of tarballs in the +`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be +built, which will use these tarballs to create the usual RPMs found in +RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the +desired final RPMs are produced. + +Note that the `java-21-openjdk.spec` file has a hard requirement on +the exact version of java-21-openjdk-portable to use, so this will +need to be modified if the version or rpmrelease values are changed in +`java-21-openjdk-portable.specfile`. + +To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` +builds may be disabled using `--without fastdebug` and `--without +slowdebug`. diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/SOURCES/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/SOURCES/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java new file mode 100644 index 0000000..2967a32 --- /dev/null +++ b/SOURCES/TestSecurityProperties.java @@ -0,0 +1,84 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + +} diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java new file mode 100644 index 0000000..f6a4fe2 --- /dev/null +++ b/SOURCES/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", + "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", + "heure des Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST", + "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", + "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/SOURCES/alt-java.c b/SOURCES/alt-java.c new file mode 100644 index 0000000..644d002 --- /dev/null +++ b/SOURCES/alt-java.c @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2023 Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Red Hat designates this + * particular file as subject to the "Classpath" exception as provided + * by Red Hat in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* Per task speculation control */ +#ifndef PR_GET_SPECULATION_CTRL +# define PR_GET_SPECULATION_CTRL 52 +#endif +#ifndef PR_SET_SPECULATION_CTRL +# define PR_SET_SPECULATION_CTRL 53 +#endif +/* Speculation control variants */ +#ifndef PR_SPEC_STORE_BYPASS +# define PR_SPEC_STORE_BYPASS 0 +#endif +/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ + +#ifndef PR_SPEC_NOT_AFFECTED +# define PR_SPEC_NOT_AFFECTED 0 +#endif +#ifndef PR_SPEC_PRCTL +# define PR_SPEC_PRCTL (1UL << 0) +#endif +#ifndef PR_SPEC_ENABLE +# define PR_SPEC_ENABLE (1UL << 1) +#endif +#ifndef PR_SPEC_DISABLE +# define PR_SPEC_DISABLE (1UL << 2) +#endif +#ifndef PR_SPEC_FORCE_DISABLE +# define PR_SPEC_FORCE_DISABLE (1UL << 3) +#endif +#ifndef PR_SPEC_DISABLE_NOEXEC +# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) +#endif + +static void set_speculation() { +#if defined(__linux__) && defined(__x86_64__) + // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it + // if ( prctl(PR_SET_SPECULATION_CTRL, + // PR_SPEC_STORE_BYPASS, + // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { + // return; + // } + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); +#else +#warning alt-java requested but SSB mitigation not available on this platform. +#endif +} + +int main(int argc, char **argv) { + set_speculation(); + + char our_name[PATH_MAX], java_name[PATH_MAX]; + ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1); + if (len < 0) { + perror("I can't find myself"); + exit(2); + } + + our_name[len] = '\0'; // readlink(2) doesn't append a null byte + char *path = dirname(our_name); + strncpy(java_name, path, PATH_MAX - 1); + + size_t remaining_bytes = PATH_MAX - strlen(path) - 1; + strncat(java_name, "/java", remaining_bytes); + + execv(java_name, argv); + fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno)); + + exit(1); +} + diff --git a/SOURCES/fips-21u-0a42e29b391.patch b/SOURCES/fips-21u-0a42e29b391.patch new file mode 100644 index 0000000..54e8da0 --- /dev/null +++ b/SOURCES/fips-21u-0a42e29b391.patch @@ -0,0 +1,4234 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..f48fc7f7e80 +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 51d4f724c33..feb0bcf3e75 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_X11 + + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + BASIC_JDKLIB_LIBS_TARGET="" +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index f6def153c82..4d7abc33427 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 9e5cfe2d0fc..434ade8e182 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 1e0f66726d0..59fe923f2c5 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index 10093137151..b023c63ae58 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 671529f71a1..af632936921 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -34,6 +34,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -58,6 +59,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -75,6 +81,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -96,6 +115,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -116,6 +136,61 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ public final class Security { + + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..9d26a54f5d4 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index 919d758a6e3..b1e5fbaf84a 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -43,6 +43,7 @@ import java.io.PrintStream; + import java.io.PrintWriter; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -90,6 +91,7 @@ public class SharedSecrets { + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -537,4 +539,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 06b141dcf22..e8cbf7f15d7 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -158,6 +158,7 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index f036a411f1d..1e9de933bd9 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -102,89 +107,92 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- attrs.remove("KeySize"); ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -213,44 +223,46 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); +- +- /* +- * Digest engines +- */ +- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", +- attrs); +- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", +- attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", ++ attrs); ++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", ++ attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index 539ef1e8ee8..435f57e3ff2 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 5149edba0e5..8227d650a03 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -85,6 +85,17 @@ security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -332,6 +384,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index 86d45147709..22fd8675503 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..48d6d656a28 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index c3b412885a6..0e7ce73b158 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length { + @Serial + private static final long serialVersionUID = -2575874101938349339L; + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final String PUBLIC = "public"; + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + return switch (algorithm) { + case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { + this.clear(); + } + } +- +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 5cd6828d293..bae49c4e8a9 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + static final Debug debug = Debug.getInstance("sunpkcs11"); + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance( ++ library, functionList, initArgs, ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { + } else { + initArgs.flags = 0; + } +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance(library, ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (!token.isValid()) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index a6f5f0a8764..9a07c96ca4e 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; + */ + final class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + @Serial + private static final long serialVersionUID = 2541527649100571747L; +@@ -125,6 +129,10 @@ final class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -242,7 +250,12 @@ final class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (!isLoggedIn(session)) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 4b06daaf264..55e14945469 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.AccessController; +@@ -174,18 +177,43 @@ public class PKCS11 { + return version; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } ++} + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index 920422376f8..6aa308fa5f8 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; + } + ++ /** ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. ++ */ ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. +diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 7f8c4dba002..e65b11fc3ee 100644 +--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { + putXDHEntries(); + putEdDSAEntries(); + +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/SOURCES/java-21-openjdk-portable.specfile b/SOURCES/java-21-openjdk-portable.specfile new file mode 100644 index 0000000..2a633ee --- /dev/null +++ b/SOURCES/java-21-openjdk-portable.specfile @@ -0,0 +1,2509 @@ +# debug_package %%{nil} is portable-jdks specific +%define debug_package %{nil} + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-21-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# This is RHEL 7 specific as it doesn't seem to have the +# __brp_strip_static_archive macro. +%if 0%{?rhel} == 7 +%define __os_install_post %{nil} +%endif + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libjsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else +%global gdb_arches %{jit_arches} %{zero_arches} +%endif +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 +# Set of architectures for which we have a devkit +# Only used on RHEL +%if 0%{?centos} == 0 +%global devkit_arches %{aarch64} %{ppc64le} s390x x86_64 +%endif + +# By default, we build a slowdebug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. +%global bootstrap_targets images %{static_libs_target} legacy-jre-image +%global release_targets images docs-zip %{static_libs_target} legacy-jre-image +# No docs nor bootcycle for debug builds +%global debug_targets images %{static_libs_target} legacy-jre-image +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# DTS toolset to use to provide gcc & binutils +%if 0%{?rhel} == 7 +%global dtsversion 10 +%endif + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 4 +%global patchver 0 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver %{featurever} +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{featurever}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 0a42e29b391 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 7 +%global rpmrelease 1 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# portable only declarations +%global jreimage jre +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g") +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on +# top of the JDK archive +%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java +%global devkit_name %{origin}-devkit + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +} + +%define java_devel_rpo() %{expand: +} + +%define java_static_libs_rpo() %{expand: +} + +%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +# Define an optional suffix for the OS this package is built on +%if 0%{?rhel} == 7 +%global pkgos rhel7 +%endif + +# Define the architectures on which we build +# On RHEL, this should be the architectures with a devkit +%if 0%{?centos} == 0 +ExclusiveArch: %{devkit_arches} +%else +ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 +%endif + +Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +# Disabled in portables +#Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# Source code for alt-java +Source11: alt-java.c + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +############################################ +# +# RPM/distribution specific patches +# +############################################ +# Crypto policy and FIPS support patches +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] +# RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +# Currently empty + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: file +BuildRequires: fontconfig-devel +# RHEL 7 builds obtain a newer compiler from DTS +%if 0%{?rhel} == 7 +BuildRequires: devtoolset-%{dtsversion}-gcc +BuildRequires: devtoolset-%{dtsversion}-gcc-c++ +%else +%ifarch %{devkit_arches} +BuildRequires: %{devkit_name} >= 1.0-6 +%else +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 +BuildRequires: gcc-c++ +%endif +%endif +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +# N/A for portable as we don't enable support for them +#BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +# to pack portable tarballs +BuildRequires: tar +BuildRequires: unzip +BuildRequires: javapackages-filesystem +BuildRequires: java-%{featurever}-%{origin}%{?pkgos:-%{pkgos}}-devel +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# Full documentation build requirements +# pandoc is only available on RHEL/CentOS 8 +%if 0%{?rhel} == 8 +BuildRequires: graphviz +BuildRequires: pandoc +%endif +# cacerts build requirement in portable mode +BuildRequires: ca-certificates + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: zlib-devel +%else +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.2 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 8.2.2 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.16.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.40 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 +# We link statically against libstdc++ to increase portability +%ifnarch %{devkit_arches} +BuildRequires: libstdc++-static +%endif +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment - portable edition. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment portable edition +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools - portable edition. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking - portable edition. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} + +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. + +%prep + +echo "Preparing %{oj_vendor_version}" +echo "System is RHEL=%{?rhel}%{!?rhel:0}, CentOS=%{?centos}%{!?centos:0}, EPEL=%{?epel}%{!?epel:0}, Fedora=%{?fedora}%{!?fedora:0}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch -P1001 -p1 +popd # openjdk + + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# Portables do not have desktop integration + +# Extract devkit +%ifarch %{devkit_arches} + devkittarball=%{_datadir}/%{devkit_name}/sdk-%{_target_cpu}-%{_target_os}-gnu*.tar.gz + echo "Extracting devkit ${devkittarball}"; + mkdir devkit; + tar -C devkit --strip-components=1 -xzf ${devkittarball} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + echo "Installed ${DEVKIT_NAME} devkit" +%else +%if 0%{?centos} > 0 + echo "No devkit for CentOS %{?centos}" +%else + echo "No devkit for %{_target_cpu} on RHEL %{?rhel}"; +%endif +%endif + +%build +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif +export XZ_OPT="-T0" + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +%ifarch %{devkit_arches} +# Remove annobin plugin reference which isn't available in the devkit +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1||')" +%endif + +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +# Set modification times (mtimes) of files within JAR files generated +# by the OpenJDK build to a timestamp that is constant across RPM +# rebuilds. OpenJDK provides the --with-source-date configure option +# for this purpose. Potential arguments in the RPM build context are: +# +# A) --with-source-date="${SOURCE_DATE_EPOCH}" +# B) --with-source-date=version +# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}" +# +# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3) +# have different support for SOURCE_DATE_EPOCH. To keep +# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the +# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and +# RHEL-8. However, on RHEL-8, this results in the RPM build times +# being set to the timestamp of the most recent changelog. This is +# bad for tracing when RPMs were actually built. Fedora 38 supports a +# better behaviour via the introduction of the +# use_source_date_epoch_as_buildtime macro, set to 0 by default. +# There is no way to make this work on RHEL-8 as well though, so +# option A is suboptimal. +# +# Option B uses the value of the DEFAULT_VERSION_DATE field from +# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the +# aspirational eventual JDK general availability (GA) release date. +# When the RPM build occurs prior to GA, generated JAR files will have +# payload mtimes in the future relative to the RPM build time. +# Whereas for tarballs some tools will issue warnings about future +# mtimes, per OPENJDK-2583 apparently this is no problem for Java and +# JAR files. +# +# Option C uses the modification timestamp of files in the source +# tarball. The reproducibility logic in generate_source_tarball.sh +# sets them all to the commit time of the release-tagged OpenJDK +# commit, as archived in the tarball. This timestamp is deterministic +# across RPM rebuilds and is reliably in the past. Any file's mtime +# will do, so use version-numbers.conf's. +# +# Use option B for JAR files, based on the discussion in OPENJDK-2583. +# +# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for +# the modification times of all files in the portable tarballs. Doing +# so eliminates one source of variability across RPM rebuilds. +VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf +OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")" + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + local debug_symbols=${6} + local devkit=${7} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + +%ifarch s390x + # devkit libstdc++.a fails with "error: relocation refers + # to local symbol "" [9], which is defined in a discarded section + libc_link_opt="dynamic"; +%else + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi +%endif + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +%ifarch %{devkit_arches} + LIBPATH="${devkit}/lib:${devkit}/lib64" + echo "Setting library path to ${LIBPATH}" +%endif + + mkdir -p ${outputdir} + pushd ${outputdir} + + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build + LD_LIBRARY_PATH=${LIBPATH} \ + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{devkit_arches} + --with-devkit=${devkit} \ +%endif + --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts) \ + --with-version-build=%{buildver} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt="%{lts_designator}" \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="${debug_symbols}" \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --with-source-date="version" \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + + cat spec.gmk + LD_LIBRARY_PATH=${LIBPATH} \ + make LOG=trace $maketargets || \ + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false ) + + popd +} + +function stripjdk() { + local outputdir=${1} + local toolpath=${2} + local jdkimagepath=images/%{jdkimage} + local jreimagepath=images/%{jreimage} + local jmodimagepath=images/jmods + local modulefile=lib/modules + local supportdir=${outputdir}/support + local modulebuildpath=${outputdir}/jdk/modules + local jdkoutdir=${outputdir}/${jdkimagepath} + local jreoutdir=${outputdir}/${jreimagepath} + +%ifarch %{devkit_arches} + OBJCOPY=${toolpath}/objcopy + STRIP=${toolpath}/strip +%else + OBJCOPY=$(which objcopy) + STRIP=$(which strip) +%endif + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkoutdir}{,.unstripped} + + # Strip the files + for file in $(find ${jdkoutdir} ${jreoutdir} ${supportdir} ${modulebuildpath} -type f) ; do + if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then + noextfile=${file/.so/}; + ${OBJCOPY} --only-keep-debug ${file} ${noextfile}.debuginfo; + ${OBJCOPY} --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + ${STRIP} -g ${file}; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! -d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + # Build the java.base jmod a third time to fix the hashes of dependent jmods + for cmd in $(find ${supportdir}/${jmodimagepath} -name '*.jmod_exec.cmdline') \ + ${supportdir}/${jmodimagepath}/*java.base*exec.cmdline ; do + pre=${cmd/_exec/_pre}; + post=${cmd/_exec/_post}; + jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##') + echo "Rebuilding ${jmod} against stripped binaries..."; + if [ -e ${pre} ] ; then + echo -e "Executing ${pre}...\n$(cat ${pre})"; + cat ${pre} | sh -s ; + fi + echo "Executing ${cmd}...$(cat ${cmd})"; + cat ${cmd} | sh -s ; + if [ -e ${post} ] ; then + echo -e "Executing ${post}...\n$(cat ${post})"; + cat ${post} | sh -s ; + fi + done + + # Rebuild the image with the stripped modules + for image in ${jdkimagepath} ${jreimagepath} ; do + outdir=${outputdir}/${image}; + jlink=${supportdir}/${image}/_jlink*_exec.cmdline; + # Backup the existing image as it contains + # files not generated by jlink + mv ${outdir}{,.bak}; + # Regenerate the image using the command + # generated using the initial build + echo -e "Executing ${jlink}...\n$(cat ${jlink})"; + cat ${jlink} | sh -s; + # Move the new jmods and module file from the new + # image to the old one + if [ -e ${outdir}.bak/jmods ] ; then + rm -rf ${outdir}.bak/jmods; + mv ${outdir}/jmods ${outdir}.bak; + fi + rm -f ${outdir}.bak/${modulefile}; + mv ${outdir}/${modulefile} ${outdir}.bak/$(dirname ${modulefile}); + # Restore the original image + rm -rf ${outdir}; + mv ${outdir}{.bak,}; + # Update the CDS archives + for cmd in ${supportdir}/${image}/*_gen_cds*_exec.cmdline ; do + echo -e "Executing ${cmd}...\n$(cat ${cmd})"; + cat ${cmd} | sh -s; + done + done + fi +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + # legacy-jre-image target does not install any man pages for the JRE + # We copy the jdk man directory and then remove pages for binaries that + # don't exist in the JRE + cp -a ${jdkimagepath}/man ${jreimagepath} + for manpage in $(find ${jreimagepath}/man -name '*.1'); do + filename=$(basename ${manpage}); + binary=${filename/.1/}; + if [ ! -f ${jreimagepath}/bin/${binary} ] ; then + echo "Removing ${manpage} from JRE for which no binary ${binary} exists"; + rm -f ${manpage}; + fi; + done + + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + + # Print release information + cat ${imagepath}/release + fi + done +} + +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +# Create a reproducible tarball in an appropriate way for +# the version of tar in use +function createtar() { + local directory=${1} + local archive=${2} + local filter=${3} + local transform=${4} + local exclude=${5} + + if [ "x${filter}" != "x" ] ; then + local filteroption="-name ${filter}"; + fi + if [ "x${transform}" != "x" ] ; then + local transoption="--transform ${transform}"; + fi + if [ "x${exclude}" != "x" ] ; then + local excludeoption="--exclude=${exclude}"; + fi + + local common_tar_opts="--owner=0 --group=0 --numeric-owner \ + ${transoption} ${excludeoption} --create --xz" + # Capture tar version, removing the decimal point (so 1.28 => 128) + tarver=$(tar --version|head -n1|sed -re 's|tar \(GNU tar\) ([0-9]).([0-9]*)|\1\2|') + echo "Detected tar ${tarver}" + if [ ${tarver} -gt 128 ] ; then + local tar_time="$(date --utc --iso-8601=seconds --date=@"${OPENJDK_UPSTREAM_TAG_EPOCH}")" + local tar_opts="--mtime=${tar_time} --sort=name ${common_tar_opts}" + if test "x${filteroption}" = "x"; then + tar ${tar_opts} --file ${archive} ${directory} + else + tar ${tar_opts} --file ${archive} $(find ${directory} ${filteroption}) + fi + else + # See https://reproducible-builds.org/docs/archives/ + # RHEL-7 has tar 1.26 which does not support --sort=name (added + # in 1.28), so use find-piped-through-sort instead. Omit + # --pax-option since it made the docs package not reproducible + # due to PaxHeaders timestamp differences. + local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \ + --no-recursion --null --files-from - \ + ${common_tar_opts}" + find ${directory} ${filteroption} -print0 | \ + LC_ALL=C sort -z | \ + tar ${tar_opts} --file ${archive} + fi +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset + local altjavadir=$(pwd)/${3} + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + + if [ "x$suffix" = "x" ] ; then + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + createtar ${jdkname} ${unstrippedarchive} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + createtar ${jdkname} ${debugarchive} \*.debuginfo + genchecksum ${debugarchive} + + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + createtar ${docname} ${docarchive} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname} + createtar ${miscname} ${miscarchive} + genchecksum ${miscarchive} + fi + + createtar ${jdkname} ${jdkarchive} "" "" "**.debuginfo" + genchecksum ${jdkarchive} + + createtar ${jrename} ${jrearchive} "" "" "**.debuginfo" + genchecksum ${jrearchive} + +%if %{include_staticlibs} + # Static libraries (needed for building graal vm with native image) + # Tar as overlay. Transform to the JDK name, since we just want to "add" + # static libraries to that folder + createtar "%{static_libs_image}/lib" ${staticarchive} "" \ + "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" + genchecksum ${staticarchive} +%endif + + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage} + + popd #images + +} + +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + GCC="${DEVKIT_TOOLCHAIN_PATH}/gcc --sysroot=${DEVKIT_SYSROOT}" + LIBPATH="${DEVKIT_ROOT}/lib:${DEVKIT_ROOT}/lib64" +%else + GCC=$(which gcc) +%endif + +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} +echo "Generating %{alt_java_name} man page" +altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1 +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage} +cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage} + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + echo "Building HotSpot only for the latest libjvm.so" + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" ${DEVKIT_ROOT} + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} ${DEVKIT_ROOT} + stripjdk ${builddir} ${DEVKIT_TOOLCHAIN_PATH} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Pre-test setup + +# System security properties are disabled by default on portable. +# Turn on system security properties +#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ +#${JAVA_HOME}/conf/security/java.security + +# Set up tools +%ifarch %{devkit_arches} + DEVKIT_ROOT=$(pwd)/devkit + source ${DEVKIT_ROOT}/devkit.info + NM="${DEVKIT_TOOLCHAIN_PATH}/nm" +%else + NM=$(which nm) +%endif +# elfutils readelf supports more binaries than binutils version on RHEL 8 +# and debug symbols tests below were designed around this version +READELF=$(which eu-readelf) +# Only native gdb seems to work +# The devkit gdb needs the devkit stdc++ library but then the JVM +# segfaults when this is on the LD_LIBRARY_PATH +GDB=$(which gdb) + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + # Specific to portable:System security properties to be off by default + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . %{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! ${NM} $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +%ifarch %{ssbd_arches} +${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl +%else +if ! ${NM} %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +${READELF} --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + ${READELF} -S "$lib" | grep "] .debug_" + test $(${READELF} -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(${READELF} -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + ${READELF} -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + ${READELF} -S "$lib" | grep 'gnu' + if ${READELF} -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + ${READELF} -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +${GDB} -q "$JAVA_HOME/bin/java" < - 1:21.0.4.0.7-1 +- Update to jdk-21.0.4+7 (GA) +- Update release notes to 21.0.4+7 +- Switch to GA mode. +- Sync with RHEL 7 portable build: + - Conditionally define __os_install_post, dtsversion & pkgos only on RHEL 7 + - Use ExclusiveArch over ExcludeArch + - Depend on devtoolset only on RHEL 7 + - Use javapackages-filesystem rather than manually defining _jvmdir + - Restrict pandoc dependency to RHEL/CentOS 8 + - Drop unused component macro +- Sync ExclusiveArch with devkit_arches on RHEL only +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. ** +- Resolves: OPENJDK-2756 +- Resolves: OPENJDK-3163 + +* Wed Jun 26 2024 Andrew Hughes - 1:21.0.4.0.5-0.1.ea +- Update to jdk-21.0.4+5 (EA) +- Update release notes to 21.0.4+5 +- Move unstripped, misc and doc tarball handling into normal build / no suffix blocks +- Limit Java only tests to one architecture using jdk_test_arch +- Drop unneeded tzdata-java build dependency following f854bb3955fb57bba4e83d09813e9cfd0e81079e +- Resolves: OPENJDK-3133 +- Resolves: OPENJDK-3237 +- Resolves: OPENJDK-3182 +- Resolves: OPENJDK-3190 + +* Sat Jun 22 2024 Andrew Hughes - 1:21.0.4.0.1-0.1.ea +- Update to jdk-21.0.4+1 (EA) +- Update release notes to 21.0.4+1 +- Switch to EA mode +- Bump LCMS 2 version to 2.16.0 following JDK-8321489 +- Add zlib build requirement or bundled version (1.3.1), depending on system_libs setting +- Resolves: OPENJDK-3061 +- Resolves: OPENJDK-3064 + +* Sat Apr 13 2024 Andrew Hughes - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- Update buildjdkver to match the featurever +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** + +* Thu Apr 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 + +* Wed Mar 20 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.1.ea +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Remove -T0 argument from systemtap tar invocation +- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs +- createtar: Add exclude option +- packagejdk: Exclude debuginfo when creating jdkarchive and jrearchive tarballs +- Resolves: OPENJDK-2995 + +* Mon Mar 18 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 +- Add module build path to stripped directories to catch jpackageapplauncher files +- Move alt-java man page to the misc tarball so it is not in the JDK image +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck +- Vary reproducible tar creation by version of tar detected +- Set OPENJDK_UPSTREAM_TAG_EPOCH & VERSION_FILE at start of build section as in 17u +- Change --with-source-date value to 'version' to match Temurin builds +- Re-run jlink to regenerate the jmods directory and lib/modules with stripped libraries +- Rebuild CDS archives against the updated lib/modules +- Require openjdk-devkit 1.0-4 to bring in fixes for .comment section and deterministic archives +- Bump devkit requirement to 1.0-5 to bring in the bootstrapped version +- Set LD_LIBRARY_PATH when calling gcc to build alt-java +- Set LD_LIBRARY_PATH when calling configure +- Set LD_LIBRARY_PATH when calling make +- Bump devkit requirement to 1.0-6 to bring in the AS=/as fix +- Resolves: OPENJDK-2820 +- Resolves: OPENJDK-2821 +- Resolves: OPENJDK-2585 +- Resolves: OPENJDK-3138 + +* Fri Mar 15 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Update release notes to 21.0.2+13 +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 +- pandoc is only available on RHEL/CentOS 8 +- Check for CentOS being defined to determine use of devkit +- Set buildjdkver to 20 until OpenJDK 21 is available in the buildroot +- Use featurever for JDK build dependencies + +* Mon Mar 11 2024 Andrew Hughes - 1:21.0.1.0.12-2 +- Use a devkit to build on architectures where we have one (s390x, aarch64, ppc64le, x86_64) +- Use a dynamic libstdc++ on s390x to workaround failure with static libstdc++ +- Use the devkit tools during the check stage so they can understand the generated binaries +- Use eu-readelf on devkit and non-devkit builds as debug symbol tests rely on its behaviour +- Use system gdb for both builds as devkit version fails (needs devkit libraries, then JDK segfaults with them) +- Filter out annobin plugin when using the devkit +- Drop static libstdc++ build dependency on devkit builds as it should come from the devkit +- Disable devkit build on CentOS where it is unavailable +- Introduce tar_opts to avoid repetition of lengthy tar creation options + +* Thu Feb 08 2024 Thomas Fitzsimmons - 1:21.0.1.0.12-2 +- Invoke xz in multi-threaded mode +- Remove ppc64le with-jobs=1 workaround +- Make portable tarball modification times reproducible + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Update buildjdkver to match the featurever + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.0.0.35-4 +- Rebuild jmods using the stripped binaries in release builds +- Make sure the unstripped JDK is customised by the installjdk function +- Resolves: OPENJDK-3224 + +* Thu Oct 26 2023 Andrew Hughes - 1:21.0.0.0.35-3 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Depend on graphviz & pandoc for full documentation support +- Fix typo which stops the EA designator being included in the build +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md, add missing JEP to release notes) +- Replace alt-java patch with a binary separate from the JDK +- Adapt alt-java test to new binary where there is always a set_speculation function +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 patch any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.2.0.9-1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.2.0.9-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.2.0.7-2 +- Bump rpmrelease to rebuild for CentOS 9 + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.2.0.7-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases +- Switch buildjdkver to java-21-openjdk + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-2 +- Bump rpmrelease to rebuild for CentOS 9 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Update release notes to actually reflect OpenJDK 18 +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Disable tzdata tests until we are on the latest JDK and things are back in sync + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.0.0.37-1 +- Update to ea version of jdk18 +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-3 +- Bump rpmrelease to rebuild for CentOS 9 + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Create java-21-openjdk-portable package based on java-17-openjdk-portable +- Related: rhbz#2192749 + +* Tue Apr 25 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Reintroduce generate_source_tarball.sh from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- Fix trailing '.' in tarball name +- Use rpmrelease in vendor version to avoid inclusion of dist tag +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2134669 +- Resolves: rhbz#1940064 +- Resolves: rhbz#2173781 + +* Thu Apr 20 2023 Andrew Hughes - 1:17.0.6.0.10-7 +- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 +- Restore system bootstrap JDK (RHEL 8 has java-17-openjdk) +- Remove use of devtoolset (RHEL 8 native compilers should be sufficient) +- Explicitly exclude x86, as on RHEL RPMs + +* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Add docs, icons and samples to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a subdirectory of images, so remove confusing separate copying + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Drop unused static library patch +- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago + +* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing +- Workaround missing manpage directory in the JRE image + +* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2118493 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Resolves: rhbz#2160111 + +* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- Related: rhbz#2160111 + +* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode +- Resolves: rhbz#2123579 +- Resolves: rhbz#2123580 +- Resolves: rhbz#2123581 +- Resolves: rhbz#2123583 +- Resolves: rhbz#2123584 + +* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1 +- Added a missing change to portable NEWS file from upstream. + +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +- Update to jdk-17.0.4.1+1 +- Update release notes to 17.0.4.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119532 + +* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1 +- Commented out: fipsver f8142a23d0a which was from rhel-9-main +- Picked 17.0.4+8 GA tag from rhel-9.0.0 +- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0 + +* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.4.0+8 (GA) +- Update release notes to 17.0.4.0+8 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. ** + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084779 + +* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea +- Tweaked line to print release information for portable + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it +- Related: rhbz#2084218 + +* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8 +- Comment line for portable: System security properties to be off by default + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102433 + +* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. + +* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 + +* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6 +- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + +* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4 +- to pass aqa, fixing genuie failure in : +- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions +- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions +- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch +- this, properly named, patch must go to all our jdk17 builds, and to the fips repo + +* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2 +- Include BOOT_JDK for s390x for portable +- BOOT_JDK downlaoded form hydra as + java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz + and renamed +- Added cosmetic changes to bypass a failure for s390x + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Remove JDK-8284548 and JDK-8284920 they are upstreamed now +- Resolves: rhbz#2073579 + +* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3 +- Add JDK-8284920 fix for XPath regression +- Related: rhbz#2073575 + +* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 +- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit +- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 +- Related: rhbz#2073575 + +* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- JDK-8283911 patch no longer needed now we're GA... +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** +- Resolves: rhbz#2073575 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 + +* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10 +- Update icedtea_sync.sh with suitable message for portable + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +- Correction to previous changelog entry +- Resolves: rhbz#2052070 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2051605 + +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +- January 2022 security update to jdk 17.0.2+8 +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java +- Resolves: rhbz#2039366 +- Minor change to the OUTPUT_FILE value to separate the name from the version with '-' + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- October CPU update to jdk 17.0.1+12 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Add patch to allow plain key import. + +* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started + +* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4 +- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7 diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in new file mode 100644 index 0000000..8a3b04d --- /dev/null +++ b/SOURCES/jconsole.desktop.in @@ -0,0 +1,10 @@ +[Desktop Entry] +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) +Comment=Monitor and manage OpenJDK applications +Exec=_SDKBINDIR_/jconsole +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling;Java; +Version=1.0 diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh new file mode 100644 index 0000000..25c2fc8 --- /dev/null +++ b/SOURCES/remove-intree-libraries.sh @@ -0,0 +1,164 @@ +#!/bin/sh + +# Arguments: +TREE=${1} +TYPE=${2} + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} + +echo "Removing built-in libs (they will be linked)" + +# On full runs, allow for zlib & freetype having already been deleted by minimal +echo "Removing zlib" +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} + +# Minimal is limited to just zlib and freetype so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/SPECS/java-21-openjdk.spec b/SPECS/java-21-openjdk.spec new file mode 100644 index 0000000..b3f7c35 --- /dev/null +++ b/SPECS/java-21-openjdk.spec @@ -0,0 +1,2781 @@ +# To rebuild this RPM, you must first rebuild the portable +# RPM using the java-21-openjdk-portable.specfile, install +# it and then adjust portablerelease and portablesuffix +# to match the new portable. + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-21-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug + +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build with system libraries +%bcond_with system_libs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# With LTO flags enabled, debuginfo checks fail for some reason. Disable +# LTO for a passing build. This really needs to be looked at. +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# Indicates whether this is the default JDK on this version of RHEL +# Only the default/system JDK provides unversioned Provides like 'java', 'jre' and 'java-devel' +%global is_system_jdk 1 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libjsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} +# Architecture on which we run Java only tests +%global jdk_test_arch x86_64 + +# Define the OS the portable JDK is built on +# This is undefined for CentOS & openjdk-portable-rhel-8 builds and +# equals 'rhel7' for openjdk-portable-rhel-7 builds +%if 0%{?centos} == 0 +%global pkgos rhel7 +%endif + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if 0%{?flatpak} +%global bootstrap_build false +%else +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# debugedit tool for rewriting ELF file paths +%if 0%{?rhel} >= 10 +# From RHEL 10, the tool is in its own package installed in the usual location +%global debugedit %{_bindir}/debugedit +%else +# On earlier versions of RHEL, it is part of the rpm package +%global debugedit %{_rpmconfigdir}/debugedit +%endif + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 4 +%global patchver 0 +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{portablerelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 0a42e29b391 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 7 +%global rpmrelease 1 +# Settings used by the portable build +%global portablerelease 1 +# Portable suffix differs between RHEL and CentOS +%if 0%{?centos} == 0 +%global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el8} +%else +%global portablesuffix el9 +%endif +%global portablebuilddir /builddir/build/BUILD + +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|lible[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%global family %{name}.%{_arch} +%global family_noarch %{name} + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka target_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +key=java +alternatives \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} + +for X in %{origin} %{javaver} ; do + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} +done + +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} + +%define post_headless() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! "%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + + +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +key=javac +alternatives \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{sa_arches} +%ifnarch %{zero_arches} + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/jwebserver jwebserver %{sdkbindir -- %{?1}}/jwebserver \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\ + %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jwebserver.1$ext jwebserver.1$ext \\ + %{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} + +for X in %{origin} %{javaver} ; do + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} +done + +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} + +%define post_devel() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} +%{update_desktop_icons} +} + +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + for X in %{origin} %{javaver} ; do + key=javadocdir_"$X" + alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done + + key=javadocdir_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + key=javadocdir + alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} +exit 0 +} + +%define postun_javadoc() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} +exit 0 +} + +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + for X in %{origin} %{javaver} ; do + key=javadoczip_"$X" + alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done + + key=javadoczip_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + # Weird legacy filename for backwards-compatibility + key=javadoczip + alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/lible.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so +%ifarch %{svml_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/ +%ifarch %{share_arches} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes.jsa +%ifnarch %{ix86} %{arm32} +%attr(444, root, root) %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/classes_nocoops.jsa +%endif +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/sdp +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- %{?1}}/conf/security/policy/README.txt +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access +# This is a config template, thus not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template +%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/conf +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/java +%ghost %{_jvmdir}/jre +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_bindir}/jcmd +%ghost %{_bindir}/keytool +%ghost %{_bindir}/rmiregistry +%ghost %{_jvmdir}/jre-%{origin} +%ghost %{_jvmdir}/jre-%{javaver} +%ghost %{_jvmdir}/jre-%{javaver}-%{origin} +%endif +%endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved +} + +%define files_devel() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%ifnarch %{zero_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jwebserver +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver +%{_jvmdir}/%{sdkdir -- %{?1}}/include +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir -- %{?1}}/tapset +%endif +%{_datadir}/applications/*jconsole%{?1}.desktop +%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* + +%if %{with_systemtap} +%dir %{tapsetroot} +%dir %{tapsetdirttapset} +%dir %{tapsetdir} +%{tapsetdir}/*%{_arch}%{?1}.stp +%endif +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/javac +%ghost %{_jvmdir}/java +%ghost %{_bindir}/jlink +%ghost %{_bindir}/jmod +%ghost %{_bindir}/jhsdb +%ghost %{_bindir}/jar +%ghost %{_bindir}/jarsigner +%ghost %{_bindir}/javadoc +%ghost %{_bindir}/javap +%ghost %{_bindir}/jconsole +%ghost %{_bindir}/jdb +%ghost %{_bindir}/jdeps +%ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jfr +%ghost %{_bindir}/jimage +%ghost %{_bindir}/jinfo +%ghost %{_bindir}/jmap +%ghost %{_bindir}/jps +%ghost %{_bindir}/jpackage +%ghost %{_bindir}/jrunscript +%ghost %{_bindir}/jshell +%ghost %{_bindir}/jstack +%ghost %{_bindir}/jstat +%ghost %{_bindir}/jstatd +%ghost %{_bindir}/jwebserver +%ghost %{_bindir}/serialver +%ghost %{_jvmdir}/java-%{origin} +%ghost %{_jvmdir}/java-%{javaver} +%ghost %{_jvmdir}/java-%{javaver}-%{origin} +%endif +%endif +} + +%define files_jmods() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/jmods +} + +%define files_demo() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/demo +} + +%define files_src() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip +} + +%define files_static_libs() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +} + +%define files_javadoc() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java +%ghost %{_javadocdir}/java-%{origin} +%ghost %{_javadocdir}/java-%{javaver} +%ghost %{_javadocdir}/java-%{javaver}-%{origin} +%endif +%endif +} + +%define files_javadoc_zip() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java-zip +%ghost %{_javadocdir}/java-%{origin}.zip +%ghost %{_javadocdir}/java-%{javaver}.zip +%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip +%endif +%endif +} + +# x86 is not supported by OpenJDK 17 +ExcludeArch: %{ix86} + +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +Requires: fontconfig%{?_isa} +Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} +# Requires rest of java +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# for java-X-openjdk package's desktop binding +# Where recommendations are available, recommend Gtk+ for the Swing look and feel +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 +Recommends: gtk3%{?_isa} +%endif + +Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} + +# Standard JPackage base provides +Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java%{?1} = %{epoch}:%{version}-%{release} +Provides: jre%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_headless_rpo() %{expand: +# Require /etc/pki/java/cacerts +Requires: ca-certificates +# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros +Requires: javapackages-filesystem +# Require zone-info data provided by tzdata-java sub-package +# 2024a required as of JDK-8325150 +Requires: tzdata-java >= 2024a +# for support of kernel stream control +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} +# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, +# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be +# considered as regression +Requires: copy-jdk-configs >= 4.0 +OrderWithRequires: copy-jdk-configs +%endif +# for printing support +Requires: cups-libs +# for system security properties +Requires: crypto-policies +# for FIPS PKCS11 provider +Requires: nss +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} +# Where suggestions are available, recommend the sctp and pcsc libraries +# for optional support of kernel stream control and card reader +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 +Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +%endif + +# Standard JPackage base provides +Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_devel_rpo() %{expand: +# Requires base package +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} + +# Standard JPackage devel provides +Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_static_libs_rpo() %{expand: +Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +} + +%define java_jmods_rpo() %{expand: +# Requires devel package +# as jmods are bytecode, they should be OK without any _isa +Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_demo_rpo() %{expand: +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_javadoc_rpo() %{expand: +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install javadoc alternative +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{alternatives_requires} + +# Standard JPackage javadoc provides +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_src_rpo() %{expand: +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +# Standard JPackage sources provides +Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 +# Define the root name of the portable packages +%global pkgnameroot java-%{featurever}-%{origin}-portable%{?pkgos:-%{pkgos}} + +Name: java-%{javaver}-%{origin} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{portablerelease}%{?extraver} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +Source9: jconsole.desktop.in + +# Source code for alt-java +Source11: alt-java.c + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +# Include portable spec and instructions on how to rebuild +Source19: README.md +Source20: java-%{featurever}-openjdk-portable.specfile +Source21: NEWS + +# Setup variables to reference correct sources +%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# Crypto policy and FIPS support patches +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] +# RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +# From RHEL 10, debugedit is in its own package +%if 0%{?rhel} >= 10 +BuildRequires: debugedit +%endif +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: fontconfig-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: javapackages-filesystem +%if %{include_normal_build} +BuildRequires: %{pkgnameroot}-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_fastdebug_build} +BuildRequires: %{pkgnameroot}-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +%if %{include_debug_build} +BuildRequires: %{pkgnameroot}-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +%endif +BuildRequires: %{pkgnameroot}-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# 2024a required as of JDK-8325150 +BuildRequires: tzdata-java >= 2024a +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: zlib-devel +%else +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.2 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 8.2.2 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.16.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.40 +# Version in src/java.base/share/native/libzip/zlib/zlib.h +Provides: bundled(zlib) = 1.3.1 +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package headless +Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo %{nil}} + +%description headless +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%endif + +%if %{include_debug_build} +%package headless-slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo -- %{debug_suffix_unquoted}} + +%description headless-slowdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} development tools . +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package jmods +Summary: JMods for %{origin_nice} %{featurever} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_jmods_rpo %{nil}} + +%description jmods +The JMods for %{origin_nice} %{featurever}. +%endif + +%if %{include_debug_build} +%package jmods-slowdebug +Summary: JMods for %{origin_nice} %{featurever} %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_jmods_rpo -- %{debug_suffix_unquoted}} + +%description jmods-slowdebug +The JMods for %{origin_nice} %{featurever}. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{featurever}. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package demo +Summary: %{origin_nice} %{featurever} Demos +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo %{nil}} + +%description demo +The %{origin_nice} %{featurever} demos. +%endif + +%if %{include_debug_build} +%package demo-slowdebug +Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo -- %{debug_suffix_unquoted}} + +%description demo-slowdebug +The %{origin_nice} %{featurever} demos. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} %{featurever} demos. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package src +Summary: %{origin_nice} %{featurever} Source Bundle +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo %{nil}} + +%description src +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} +class library source code for use by IDE indexers and debuggers. +%endif + +%if %{include_debug_build} +%package src-slowdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo -- %{debug_suffix_unquoted}} + +%description src-slowdebug +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. +%endif + +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. +%endif + +%if %{include_normal_build} +%package javadoc +Summary: %{origin_nice} %{featurever} API documentation +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif +Requires: javapackages-filesystem +Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling + +%{java_javadoc_rpo -- %{nil} %{nil}} + +%description javadoc +The %{origin_nice} %{featurever} API documentation. +%endif + +%if %{include_normal_build} +%package javadoc-zip +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif +Requires: javapackages-filesystem +Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling + +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} + +%description javadoc-zip +The %{origin_nice} %{featurever} API documentation compressed in a single archive. +%endif + +%prep + +echo "Preparing %{oj_vendor_version}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch -P1001 -p1 +popd # openjdk + + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Prepare desktop files +# The _X_ syntax indicates variables that are replaced by make upstream +# The @X@ syntax indicates variables that are replaced by configure upstream +for suffix in %{build_loop} ; do +for file in %{SOURCE9}; do + FILE=`basename $file | sed -e s:\.in$::g` + EXT="${FILE##*.}" + NAME="${FILE%.*}" + OUTPUT_FILE=$NAME$suffix.$EXT + sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE + sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE +done +done + +%build + +function customisejdk() { + local imagepath=${1} + + if [ -d ${imagepath} ] ; then + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + fi +} + +export XZ_OPT="-T0" + +mkdir -p $(dirname %{installoutputdir}) + +docdir=%{installoutputdir -- "-docs"} +tar -xJf %{docszip} +mv java-%{featurever}-openjdk*.docs.* ${docdir} + +miscdir=%{installoutputdir -- "-misc"} +tar -xJf %{misczip} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + jdkzip=%{releasezip} + staticlibzip=%{staticlibzip} + elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then + jdkzip=%{fastdebugzip} + staticlibzip=%{fastdebugstaticlibzip} + else # slowdebug + jdkzip=%{slowdebugzip} + staticlibzip=%{slowdebugstaticlibzip} + fi + + installdir=%{installoutputdir -- ${suffix}} + + # TODO: should verify checksums when using packages from buildroot + tar -xJf ${jdkzip} + tar -xJf ${staticlibzip} + mv java-%{featurever}-openjdk* ${installdir} + + # Fix build paths in ELF files so it looks like we built them + portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" + for file in $(find ${installdir} -type f) ; do + if file ${file} | grep -q 'ELF'; then + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} + fi + done + + # Set tapset variables to match this build +%if %{with_systemtap} + for file in ${miscdir}/tapset${suffix}/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{vm_variant}/libjvm.so:g" $file > ${OUTPUT_FILE} +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE} +%else + sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE} +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +%endif + + # Final setup on the main image + customisejdk ${installdir} + + # Print release information + cat ${installdir}/release + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}} + +# Pre-test setup + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Only test on one architecture (the fastest) for Java only tests +%ifarch %{jdk_test_arch} + + # Check unlimited policy has been used + $JAVA_HOME/bin/javac -d . %{SOURCE13} + $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + + # Check ECC is working + $JAVA_HOME/bin/javac -d . %{SOURCE14} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + + # Check system crypto (policy) is active and can be disabled + # Test takes a single argument - true or false - to state whether system + # security properties are enabled or not. + $JAVA_HOME/bin/javac -d . %{SOURCE15} + export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") + export SEC_DEBUG="-Djava.security.debug=properties" + $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true + $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + + # Check correct vendor values have been set + $JAVA_HOME/bin/javac -d . %{SOURCE16} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +%if ! 0%{?flatpak} + # Check translations are available for new timezones (during flatpak builds, the + # tzdb.dat used by this test is not where the test expects it, so this is + # disabled for flatpak builds) + # Disable test until we are on the latest JDK + $JAVA_HOME/bin/javac -d . %{SOURCE18} + $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + + # Check src.zip has all sources. See RHBZ#1130490 + unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + + # Check class files include useful debugging information + $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + + # Check generated class files include useful debugging information + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable + $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +%else + + # Just run a basic java -version test on other architectures + $JAVA_HOME/bin/java -version + +%endif + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +alt_java_binary=$RPM_BUILD_ROOT%{jrebindir -- $suffix}/%{alt_java_name} +%ifarch %{ssbd_arches} +nm ${alt_java_binary} | grep prctl +%else +if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c +%endif + +so_suffix="so" +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre +-- if copy-jdk-configs is in transaction, it installs in pretrans to temp +-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is +-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends +-- whether copy-jdk-configs is installed or not. If so, then configs are copied +-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all +local posix = require "posix" + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end + +SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" +SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" + +local stat1 = posix.stat(SOURCE1, "type"); +local stat2 = posix.stat(SOURCE2, "type"); + + if (stat1 ~= nil) then + if (debug) then + print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") + end; + package.path = package.path .. ";" .. SOURCE1 +else + if (stat2 ~= nil) then + if (debug) then + print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") + end; + package.path = package.path .. ";" .. SOURCE2 + else + if (debug) then + print(SOURCE1 .." does NOT exists") + print(SOURCE2 .." does NOT exists") + print("No config files will be copied") + end + return + end +end +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) + +%post +%{post_script %{nil}} + +%post headless +%{post_headless %{nil}} + +%postun +%{postun_script %{nil}} + +%postun headless +%{postun_headless %{nil}} + +%posttrans +%{posttrans_script %{nil}} + +%posttrans headless +%{alternatives_java_install %{nil}} + +%post devel +%{post_devel %{nil}} + +%postun devel +%{postun_devel %{nil}} + +%posttrans devel +%{posttrans_devel %{nil}} + +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} + +%postun javadoc +%{postun_javadoc %{nil}} + +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} + +%postun javadoc-zip +%{postun_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} + +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} + +%postun headless-slowdebug +%{postun_headless -- %{debug_suffix_unquoted}} + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + + +%if %{include_normal_build} +%files headless +# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +# all config/noreplace files (and more) have to be declared in pretrans. See pretrans +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%if %{include_staticlibs} +%files static-libs +%{files_static_libs %{nil}} +%endif + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} +%endif + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif + +%changelog +* Sun Aug 04 2024 Andrew Hughes - 1:21.0.4.0.7-1 +- Update to jdk-21.0.4+7 (GA) +- Update release notes to 21.0.4+7 +- Switch to GA mode. +- Sync the copy of the portable specfile with the latest update +- Add missing section headers in NEWS +- Vary portablesuffix depending on whether we are on RHEL ('el8') or CentOS ('el9') +- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. ** +- Resolves: RHEL-47024 + +* Sun Aug 04 2024 Andrew Hughes - 1:21.0.4.0.5-0.1.ea +- Update to jdk-21.0.4+5 (EA) +- Update release notes to 21.0.4+5 +- Limit Java only tests to one architecture using jdk_test_arch +- Actually require tzdata 2024a now it is available in the buildroot +- Resolves: RHEL-45357 +- Resolves: RHEL-52735 +- Related: RHEL-52723 + +* Sun Aug 04 2024 Andrew Hughes - 1:21.0.4.0.1-0.1.ea +- Update to jdk-21.0.4+1 (EA) +- Update release notes to 21.0.4+1 +- Switch to EA mode +- Bump LCMS 2 version to 2.16.0 following JDK-8321489 +- Add zlib build requirement or bundled version (1.3.1), depending on system_libs setting +- Restore NEWS file so portable can be rebuilt +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-45357 +- Resolves: RHEL-46026 + +* Sun Aug 04 2024 Andrew Hughes - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- Sync the copy of the portable specfile with the latest update +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** +- Resolves: RHEL-32427 + +* Sun Aug 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 +- Resolves: RHEL-52723 + +* Sat Aug 03 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.1.ea +- Invoke xz in multi-threaded mode +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Related: RHEL-52723 + +* Sat Aug 03 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to local inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 +- Install alt-java man page from the misc tarball as it is no longer in the JDK image +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck +- Related: RHEL-52723 + +* Tue Jul 30 2024 Andrew Hughes - 1:21.0.2.0.13-3 +- Fix gating.yaml to reference RHEL 10 +- Set this to be the default/system JDK providing 'java', 'jre', 'java-devel' ,etc. +- Resolves: RHEL-34597 +- Resolves: RHEL-51617 + +* Fri Apr 12 2024 Andrew Hughes - 1:21.0.2.0.13-2 +- Define portablesuffix according to whether pkgos is defined or not +- Handle debugedit being a separate package installed in /usr on RHEL/CentOS 10 +- Related: RHEL-45217 + +* Tue Jan 09 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Sync the copy of the portable specfile with the latest update +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 +- Drop local JDK-8311630 patch which is now upstream +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-45217 + +* Mon Nov 06 2023 Andrew Hughes - 1:21.0.1.0.12-3 +- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-45217 + +* Mon Oct 30 2023 Andrew Hughes - 1:21.0.1.0.12-2 +- Define pkgnameroot to simplify build requirements and allow '-rhel7' suffix on RHEL +- Related: RHEL-45217 + +* Fri Oct 27 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Sync the copy of the portable specfile with the latest update +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Following JDK-8005165, class data sharing can be enabled on all JIT architectures +- Use tapsets from the misc tarball +- Introduce 'prelease' for the portable release versioning, to handle EA builds +- Make sure root installation directory is created first +- Use in-place substitution for all but the first of the tapset changes +- Synchronise runtime and buildtime tzdata requirements +- Remove ghosts for binaries not in java-21-openjdk (pack200, rmid, unpack200) +- Add missing jfr, jpackage and jwebserver alternative ghosts +- Move jcmd to the headless package +- Revert alt-java binary location to being within the JDK tree +- Related: RHEL-45217 + +* Fri Oct 27 2023 Jiri Vanek - 1:21.0.1.0.12-1 +- Exclude classes_nocoops.jsa on i686 and arm32 +- Related: RHEL-45217 + +* Fri Oct 27 2023 Severin Gehwolf - 1:21.0.1.0.12-1 +- Fix packaging of CDS archives +- Resolves: RHEL-45217 + +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md) +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Adapt alt-java test to new binary where there is always a set_speculation function +- Related: RHEL-45217 + +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Install jaxp.properties introduced by JDK-8303530 +- Install lible.so introduced by JDK-8306983 +- Related: RHEL-45217 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: RHEL-45217 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Related: RHEL-45217 + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: RHEL-45217 + +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.1.0.10-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases +- Related: RHEL-45217 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Drop now unused fresh_libjvm, build_hotspot_first, bootjdk and buildjdkver variables, as we don't build a JDK here +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Use empty nss.fips.cfg until it is again available via the FIPS patch +- Related: RHEL-45217 + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.2.0.9-1 +- Update to ea version of jdk18 +- Add new slave jwebserver and corresponding manpage +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- Related: RHEL-45217 + +* Thu Aug 10 2023 FeRD (Frank Dana) - 1:18.0.2.0.9-1 +- Add javaver- and origin-specific javadoc and javadoczip alternatives. +- Related: RHEL-45217 + +* Tue Aug 08 2023 Andrew Hughes - 1:17.0.7.0.7-4 +- Set portablerelease and portablerhel to use the CentOS 9 build +- Related: RHEL-45217 + +* Tue Aug 08 2023 Andrew Hughes - 1:17.0.7.0.7-4 +- Add files missed by centpkg import. +- Related: RHEL-45217 + +* Fri Aug 04 2023 Andrew Hughes - 1:17.0.7.0.7-3 +- Create java-21-openjdk package based on java-17-openjdk +- Related: RHEL-45217