From 65e86db1414673e9b702f23a47cacec64f9d026e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 15 2023 10:58:24 +0000
Subject: import java-1.8.0-openjdk-1.8.0.352.b08-2.el8_7
---
diff --git a/.gitignore b/.gitignore
index 5f70416..35138ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index dd9d11c..ce1ddd8 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
+11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index e911b13..08b5588 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,369 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u352 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u352
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
+
+* Security fixes
+ - JDK-8282252: Improve BigInteger/Decimal validation
+ - JDK-8285662: Better permission resolution
+ - JDK-8286511: Improve macro allocation
+ - JDK-8286519: Better memory handling
+ - JDK-8286526, CVE-2022-21619: Improve NTLM support
+ - JDK-8286533, CVE-2022-21626: Key X509 usages
+ - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+ - JDK-8286918, CVE-2022-21628: Better HttpServer service
+ - JDK-8288508: Enhance ECDSA usage
+* Other changes
+ - JDK-7131823: bug in GIFImageReader
+ - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
+ - JDK-8028265: Add legacy tz tests to OpenJDK
+ - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
+ - JDK-8049228: Improve multithreaded scalability of InetAddress cache
+ - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+ - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
+ - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
+ - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
+ - JDK-8139668: Generate README-build.html from markdown
+ - JDK-8143847: Remove REF_CLEANER reference category
+ - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
+ - JDK-8150669: C1 intrinsic for Class.isPrimitive
+ - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
+ - JDK-8173339: AArch64: Fix minimum stack size computations
+ - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+ - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+ - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
+ - JDK-8183107: PKCS11 regression regarding checkKeySize
+ - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
+ - JDK-8194873: right ALT key hotkeys no longer work in Swing components
+ - JDK-8201793: (ref) Reference object should not support cloning
+ - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+ - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+ - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+ - JDK-8235218: Minimal VM is broken after JDK-8173361
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
+ - JDK-8254178: Remove .hgignore
+ - JDK-8254318: Remove .hgtags
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
+ - JDK-8280963: Incorrect PrintFlags formatting on Windows
+ - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+ - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
+ - JDK-8285497: Add system property for Java SE specification maintenance version
+ - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
+ - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
+ - JDK-8287521: Bump update version of OpenJDK: 8u352
+ - JDK-8288763: Pack200 extraction failure with invalid size
+ - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+ - JDK-8290000: Bump macOS GitHub actions to macOS 11
+ - JDK-8292579: (tz) Update Timezone Data to 2022c
+ - JDK-8292688: Support Security properties in security.testlibrary.Proc
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8201793: (ref) Reference object should not support cloning
+==============================================================
+`java.lang.ref.Reference::clone` method always throws
+`CloneNotSupportedException`. `Reference` objects cannot be
+meaningfully cloned. To create a new Reference object, call the
+constructor to create a `Reference` object with the same referent and
+reference queue instead.
+
+JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+===============================================================================================
+`java.lang.ref.Reference.enqueue` method clears the reference object
+before it is added to the registered queue. When the `enqueue` method
+is called, the reference object is cleared and `get()` method will
+return null in OpenJDK 8u352.
+
+Typically when a reference object is enqueued, it is expected that the
+reference object is cleared explicitly via the `clear` method to avoid
+memory leak because its referent is no longer referenced. In other
+words the `get` method is expected not to be called in common cases
+once the `enqueue`method is called. In the case when the `get` method
+from an enqueued reference object and existing code attempts to access
+members of the referent, `NullPointerException` may be thrown. Such
+code will need to be updated.
+
+JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+=========================================================================
+This enhancement changes phantom references to be automatically
+cleared by the garbage collector as soft and weak references.
+
+An object becomes phantom reachable after it has been finalized. This
+change may cause the phantom reachable objects to be GC'ed earlier -
+previously the referent is kept alive until PhantomReference objects
+are GC'ed or cleared by the application. This potential behavioral
+change might only impact existing code that would depend on
+PhantomReference being enqueued rather than when the referent be freed
+from the heap.
+
+security-libs/javax.net.ssl:
+
+JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
+================================================================
+The TLSv1.3 implementation is now enabled by default for client roles
+in 8u352. It has been enabled by default for server roles since 8u272.
+
+Note that TLS 1.3 is not directly compatible with previous
+versions. Enabling it on the client may introduce compatibility issues
+on either the server or the client side. Here are some more details on
+potential compatibility issues that you should be aware of:
+
+* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
+ use a duplex-close policy. For applications that depend on the
+ duplex-close policy, there may be compatibility issues when
+ upgrading to TLS 1.3.
+
+* The signature_algorithms_cert extension requires that pre-defined
+ signature algorithms are used for certificate authentication. In
+ practice, however, an application may use non-supported signature
+ algorithms.
+
+* The DSA signature algorithm is not supported in TLS 1.3. If a server
+ is configured to only use DSA certificates, it cannot upgrade to TLS
+ 1.3.
+
+* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
+ and prior versions. If an application hard-codes cipher suites which
+ are no longer supported, it may not be able to use TLS 1.3 without
+ modifying the application code.
+
+* The TLS 1.3 session resumption and key update behaviors are
+ different from TLS 1.2 and prior versions. The compatibility should
+ be minimal, but it could be a risk if an application depends on the
+ handshake details of the TLS protocols.
+
+The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
+system property:
+
+java -Djdk.tls.client.protocols="TLSv1.2" ...
+
+Alternatively, an application can explicitly set the enabled protocols
+with the javax.net.ssl APIs e.g.
+
+sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
+
+or:
+
+SSLParameters params = sslSocket.getSSLParameters();
+params.setProtocols(new String[] {"TLSv1.2"});
+slsSocket.setSSLParameters(params);
+
+New in release OpenJDK 8u345 (2022-08-01):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u345
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u345.txt
+
+* Other changes
+ - JDK-8290832: It is no longer possible to change "user.dir" in the JDK8
+ - JDK-8291568: Bump update version of OpenJDK: 8u345
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:
+
+JDK-8290832: It is no longer possible to change "user.dir" in the JDK8
+======================================================================
+A change, JDK-8194154, was introduced in the 8u342 release of OpenJDK
+causing the JDK to ignore attempts to set the `user.dir` property.
+While this change is suitable for a major release (it was originally
+introduced in the initial release of OpenJDK 11), changing the
+behaviour of such a property in an update release creates
+compatibility issues in software that relies on the behaviour in prior
+versions of OpenJDK 8. As a result, we have reverted this change in
+8u345.
+
+New in release OpenJDK 8u342 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u342
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
+
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-8031567: Better model for storing source revision information
+ - JDK-8076190: Customizing the generation of a PKCS12 keystore
+ - JDK-8129572: Cleanup usage of getResourceAsStream in jaxp
+ - JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/bcel/internal/util/ClassPath.java
+ - JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow
+ - JDK-8170385: JDK-8031567 broke source bundles
+ - JDK-8170392: JDK-8031567 broke builds from source bundles
+ - JDK-8170530: bash configure output contains a typo in a suggested library name
+ - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
+ - JDK-8194154: System property user.dir should not be changed
+ - JDK-8202142: jfr/event/io/TestInstrumentation is unstable
+ - JDK-8209771: jdk.test.lib.Utils::runAndCheckException error
+ - JDK-8221988: add possibility to build with Visual Studio 2019
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
+ - JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8253424: Add support for running pre-submit testing using GitHub Actions
+ - JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
+ - JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
+ - JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
+ - JDK-8254175: Build no-pch configuration in debug mode for submit checks
+ - JDK-8254282: Add Linux x86_32 builds to submit workflow
+ - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
+ - JDK-8255305: Add Linux x86_32 tier1 to submit workflow
+ - JDK-8255352: Archive important test outputs in submit workflow
+ - JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
+ - JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
+ - JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
+ - JDK-8256277: Github Action build on macOS should define OS and Xcode versions
+ - JDK-8256354: Github Action build on Windows should define OS and MSVC versions
+ - JDK-8256393: Github Actions build on Linux should define OS and GCC versions
+ - JDK-8256414: add optimized build to submit workflow
+ - JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
+ - JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
+ - JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
+ - JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
+ - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
+ - JDK-8263667: Avoid running GitHub actions on branches named pr/*
+ - JDK-8266187: Memory leak in appendBootClassPath()
+ - JDK-8274658: ISO 4217 Amendment 170 Update
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017
+ - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
+ - JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282458: Update .jcheck/conf file for 8u move to git
+ - JDK-8282552: Bump update version of OpenJDK: 8u342
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284772: 8u GHA: Use GCC Major Version Dependencies Only
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8286989: Build failure on macOS after 8281814
+ - JDK-8287537: 8u JDK-8284620 backport broke AArch64 build
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+core-libs/java.io:
+
+JDK-8285660: Enable Windows Alternate Data Streams by default
+=============================================================
+The Windows implementation of `java.io.File` has been changed so that
+strict validity checks are **not** performed by default on file
+paths. This includes allowing colons (':') in the path other than only
+immediately after a single drive letter. It also allows paths that
+represent NTFS Alternate Data Streams (ADS), such as
+"filename:streamname". This restores the default behavior of
+`java.io.File` to what it was prior to the April 2022 CPU in which
+strict validity checks were not performed by default on file paths on
+Windows. To re-enable strict path checking in `java.io.File`, the
+system property `jdk.io.File.enableADS` should be set to `false` (case
+ignored). This might be preferable, for example, if Windows special
+device paths such as `NUL:` are *not* used.
+
+New in release OpenJDK 8u332 (2022-04-22):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u332
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
+
+* Security fixes
+ - JDK-8269938: Enhance XML processing passes redux
+ - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+ - JDK-8272255: Completely handle MIDI files
+ - JDK-8272261: Improve JFR recording file processing
+ - JDK-8272594: Better record of recordings
+ - JDK-8274221: More definite BER encodings
+ - JDK-8275151, CVE-2022-21443: Improved Object Identification
+ - JDK-8277227: Better identification of OIDs
+ - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+ - JDK-8278008, CVE-2022-21476: Improve Santuario processing
+ - JDK-8278356: Improve file creation
+ - JDK-8278449: Improve keychain support
+ - JDK-8278805: Enhance BMP image loading
+ - JDK-8278972, CVE-2022-21496: Improve URL supports
+ - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
+* Other changes
+ - JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl
+ - JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl
+ - JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java
+ - JDK-8037259: xerces update: xpointer update
+ - JDK-8041523: Xerces Update: Serializer improvements from Xalan
+ - JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type
+ - JDK-8162572: Update License Header for all JAXP sources
+ - JDK-8167014: jdeps: Missing message: warn.skipped.entry
+ - JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5
+ - JDK-8202822: Add .git to .hgignore
+ - JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 commands
+ - JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request
+ - JDK-8210283: Support git as an SCM alternative in the build
+ - JDK-8218682: [TEST_BUG] DashOffset fails in mach5
+ - JDK-8225690: Multiple AttachListener threads can be created
+ - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
+ - JDK-8227815: Minimal VM: set_state is not a member of AttachListener
+ - JDK-8240633: Memory leaks in the implementations of FileChooserUI
+ - JDK-8241768: git needs .gitattributes
+ - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn
+ - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
+ - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
+ - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
+ - JDK-8270290: NTLM authentication fails if HEAD request is used
+ - JDK-8273229: Update OS detection code to recognize Windows Server 2022
+ - JDK-8273341: Update Siphash to version 1.0
+ - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
+ - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+ - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
+ - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
+ - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
+ - JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack()
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+ - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
+ - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+ - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
+ - JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream
+* Shenandoah
+ - JDK-8260632: Build failures after JDK-8253353
+ - JDK-8282458: Update .jcheck/conf file for sh-jdk8u move to git
+
New in release OpenJDK 8u322 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 06a0b07..2967a32 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@@ -9,35 +26,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
}
diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java
new file mode 100644
index 0000000..7b2f09b
--- /dev/null
+++ b/SOURCES/TestTranslations.java
@@ -0,0 +1,140 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;
+
+public class TestTranslations {
+
+ private static Map KYIV;
+
+ static {
+ Map map = new HashMap();
+ map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
+ "Eastern European Summer Time", "GMT+03:00", "EEST",
+ "Eastern European Time", "GMT+02:00", "EET"});
+ map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
+ "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
+ "Heure d'Europe de l'Est", "UTC+02:00", "EET"});
+ map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
+ "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+ "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+ KYIV = Collections.unmodifiableMap(map);
+ }
+
+
+ public static void main(String[] args) {
+ if (args.length < 1) {
+ System.err.println("Test must be started with the name of the locale provider.");
+ System.exit(1);
+ }
+
+ String localeProvider = args[0];
+ System.out.println("Checking sanity of full zone string set...");
+ boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+ .peek(l -> System.out.println("Locale: " + l))
+ .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+ .flatMap(zs -> Arrays.stream(zs))
+ .flatMap(names -> Arrays.stream(names))
+ .filter(name -> Objects.isNull(name) || name.isEmpty())
+ .findAny()
+ .isPresent();
+ if (invalid) {
+ System.err.println("Zone string for a locale returned null or empty string");
+ System.exit(2);
+ }
+
+ for (Locale l : KYIV.keySet()) {
+ String[] expected = KYIV.get(l);
+ for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
+ String expectedShortStd = null;
+ String expectedShortDST = null;
+ String expectedShortGen = null;
+
+ System.out.printf("Checking locale %s for %s...\n", l, id);
+
+ if ("JRE".equals(localeProvider)) {
+ expectedShortStd = expected[2];
+ expectedShortDST = expected[5];
+ expectedShortGen = expected[8];
+ } else if ("CLDR".equals(localeProvider)) {
+ expectedShortStd = expected[1];
+ expectedShortDST = expected[4];
+ expectedShortGen = expected[7];
+ } else {
+ System.err.printf("Invalid locale provider %s\n", localeProvider);
+ System.exit(3);
+ }
+ System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+ localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+ String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+ String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+ String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+ String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+ String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+ String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+ if (!expected[0].equals(longStd)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longStd, expected[0]);
+ System.exit(4);
+ }
+
+ if (!expectedShortStd.equals(shortStd)) {
+ System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+ id, l, shortStd, expectedShortStd);
+ System.exit(5);
+ }
+
+ if (!expected[3].equals(longDST)) {
+ System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+ id, l, longDST, expected[3]);
+ System.exit(6);
+ }
+
+ if (!expectedShortDST.equals(shortDST)) {
+ System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+ id, l, shortDST, expectedShortDST);
+ System.exit(7);
+ }
+
+ if (!expected[6].equals(longGen)) {
+ System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+ id, l, longGen, expected[6]);
+ System.exit(8);
+ }
+
+ if (!expectedShortGen.equals(shortGen)) {
+ System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+ id, l, shortGen, expectedShortGen);
+ System.exit(9);
+ }
+ }
+ }
+ }
+}
diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch
new file mode 100644
index 0000000..58ab6e5
--- /dev/null
+++ b/SOURCES/fips-8u-6d1aade0648.patch
@@ -0,0 +1,2007 @@
+diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
+index 151e5a109f8..a8761b500e0 100644
+--- a/common/autoconf/configure.ac
++++ b/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
+index 71fabf4dbb3..17f4f50673d 100644
+--- a/common/autoconf/generated-configure.sh
++++ b/common/autoconf/generated-configure.sh
+@@ -651,6 +651,9 @@ LLVM_CONFIG
+ LIBFFI_LIBS
+ LIBFFI_CFLAGS
+ STATIC_CXX_SETTING
++USE_SYSCONF_NSS
++NSS_LIBS
++NSS_CFLAGS
+ LIBDL
+ LIBM
+ LIBZIP_CAN_USE_MMAP
+@@ -1111,6 +1114,7 @@ with_fontconfig
+ with_fontconfig_include
+ with_giflib
+ with_zlib
++enable_sysconf_nss
+ with_stdc__lib
+ with_msvcr_dll
+ with_msvcp_dll
+@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
+ FREETYPE_LIBS
+ ALSA_CFLAGS
+ ALSA_LIBS
++NSS_CFLAGS
++NSS_LIBS
+ LIBFFI_CFLAGS
+ LIBFFI_LIBS
+ CCACHE'
+@@ -1871,6 +1877,8 @@ Optional Features:
+ disable bundling of the freetype library with the
+ build result [enabled on Windows or when using
+ --with-freetype, disabled otherwise]
++ --enable-sysconf-nss build the System Configurator (libsysconf) using the
++ system NSS library if available [disabled]
+ --enable-sjavac use sjavac to do fast incremental compiles
+ [disabled]
+ --disable-precompiled-headers
+@@ -2115,6 +2123,8 @@ Some influential environment variables:
+ linker flags for FREETYPE, overriding pkg-config
+ ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
+ ALSA_LIBS linker flags for ALSA, overriding pkg-config
++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
++ NSS_LIBS linker flags for NSS, overriding pkg-config
+ LIBFFI_CFLAGS
+ C compiler flags for LIBFFI, overriding pkg-config
+ LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
+@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+ } # ac_fn_c_check_header_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext conftest$ac_exeext
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ test -x conftest$ac_exeext
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++ # interfere with the next link command; also delete a directory that is
++ # left behind by Apple's compiler. We do this before executing the actions.
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+@@ -4049,6 +4105,11 @@ fi
+
+
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++
++
+ #
+ # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+@@ -49304,6 +49365,157 @@ fi
+ LIBS="$save_LIBS"
+
+
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ # Check whether --enable-sysconf-nss was given.
++if test "${enable_sysconf_nss+set}" = set; then :
++ enableval=$enable_sysconf_nss;
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++
++else
++
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++
++fi
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
++$as_echo "$sysconf_nss" >&6; }
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
++$as_echo_n "checking for NSS... " >&6; }
++
++if test -n "$NSS_CFLAGS"; then
++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++if test -n "$NSS_LIBS"; then
++ pkg_cv_NSS_LIBS="$NSS_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++ _pkg_short_errors_supported=yes
++else
++ _pkg_short_errors_supported=no
++fi
++ if test $_pkg_short_errors_supported = yes; then
++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
++ else
++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
++ fi
++ # Put the nasty error message in config.log where it belongs
++ echo "$NSS_PKG_ERRORS" >&5
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ NSS_FOUND=no
++elif test $pkg_failed = untried; then
++ NSS_FOUND=no
++else
++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
++ NSS_LIBS=$pkg_cv_NSS_LIBS
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++ NSS_FOUND=yes
++fi
++ if test "x${NSS_FOUND}" = "xyes"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
++$as_echo_n "checking for system FIPS support in NSS... " >&6; }
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include
++int
++main ()
++{
++SECMOD_GetSystemFIPSEnabled()
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
++fi
++rm -f core conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++ ac_ext=cpp
++ac_cpp='$CXXCPP $CPPFLAGS'
++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
++
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
++ fi
++ fi
++
++
++
+ ###############################################################################
+ #
+ # statically link libstdc++ before C++ ABI is stablized on Linux unless
+diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
+index 6efae578ea9..0080846255b 100644
+--- a/common/autoconf/libraries.m4
++++ b/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
+index 506cf617087..7241593b1a4 100644
+--- a/common/autoconf/spec.gmk.in
++++ b/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
+index 3b79a526f56..d2a0e39b206 100644
+--- a/common/bin/compare_exceptions.sh.incl
++++ b/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
+index d2beed0b93a..3b6aef98d9a 100644
+--- a/common/nb_native/nbproject/configurations.xml
++++ b/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ jvmtiEnterTrace.cpp
+
+
++
++ systemconf.c
++
+
+
+
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+
++ -
++
+ - Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -62,6 +72,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -78,6 +101,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -93,6 +117,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -187,6 +212,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..a24a0445db2
+--- /dev/null
++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws IOException {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..5c30a8b29c7
+--- /dev/null
++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index f065a2c685d..0dafe6f59cf 100644
+--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -63,6 +64,7 @@ public class SharedSecrets {
+ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
+ private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -248,4 +250,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..14d19450390
+--- /dev/null
++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = P11ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+index fedcd7743ef..f9d70863bd1 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 2e42d1d9fb0..1b7eed1c656 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -145,18 +146,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..98119479823 100644
+--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import sun.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+index 820e10164fc..6fe2c29389f 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import sun.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+index 2845dc37938..52337a7b6cf 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ import java.security.*;
+
++import sun.misc.SharedSecrets;
++
+ /**
+ * The JSSE provider.
+ *
+@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context");
+ put("SSLContext.TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context");
+- put("SSLContext.TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context");
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ put("SSLContext.TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context");
++ }
+ put("SSLContext.TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext");
+ if (isfips == false) {
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index 7a93d4e6b59..681a24b905d 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -287,6 +287,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 145a84f94cf..789c19a8cba 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
++fips.provider.2=sun.security.provider.Sun
++fips.provider.3=sun.security.ec.SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # Sun Provider SecureRandom seed source.
+ #
+@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=jks
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for the JKS keystore type.
+ #
+@@ -287,6 +300,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index 35fa140d7a5..d4da666af3b 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index f79ba37ddb9..300132384a1 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -288,6 +288,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index d70503ce95f..64db5a5cd1e 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
deleted file mode 100644
index 0ab462e..0000000
--- a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-# HG changeset patch
-# User zgu
-# Date 1641313782 0
-# Tue Jan 04 16:29:42 2022 +0000
-# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409
-# Parent 3177fc2314df6deb4d4771148f27934a597dd1d7
-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
-Reviewed-by: phh
-
-diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
---- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
-+++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
-@@ -176,6 +176,10 @@
-
- Thread* t = ThreadLocalStorage::get_thread_slow();
-
-+ // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away
-+ // (no destructors can be run)
-+ os::ThreadCrashProtection::check_crash_protection(sig, t);
-+
- SignalHandlerMark shm(t);
-
- // Note: it's not uncommon that JNI code uses signal/sigset to install
diff --git a/SOURCES/jdk8294357-tzdata2022d.patch b/SOURCES/jdk8294357-tzdata2022d.patch
new file mode 100644
index 0000000..7356928
--- /dev/null
+++ b/SOURCES/jdk8294357-tzdata2022d.patch
@@ -0,0 +1,506 @@
+commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055
+Author: Andrew John Hughes
+Date: Fri Oct 14 22:55:39 2022 +0100
+
+ Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/make/data/tzdata/backward
++++ b/jdk/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/make/data/tzdata/southamerica
++++ b/jdk/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/make/data/tzdata/zone.tab
++++ b/jdk/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
+diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 43bddd5859a..4b84cda3067 100644
+--- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -573,12 +573,8 @@ public final class ZoneInfoFile {
+ // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+ //
+ // hacking, assume the >=24 is the result of ZRB optimization for
+- // "last", it works for now. From tzdata2020d this hacking
+- // will not work for Asia/Gaza and Asia/Hebron which follow
+- // Palestine DST rules.
+- if (dom < 0 || dom >= 24 &&
+- !(zoneId.equals("Asia/Gaza") ||
+- zoneId.equals("Asia/Hebron"))) {
++ // "last", it works for now.
++ if (dom < 0 || dom >= 24) {
+ params[1] = -1;
+ params[2] = toCalendarDOW[dow];
+ } else {
+@@ -600,7 +596,6 @@ public final class ZoneInfoFile {
+ params[7] = 0;
+ } else {
+ // hacking: see comment above
+- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+ if (dom < 0 || dom >= 24) {
+ params[6] = -1;
+ params[7] = toCalendarDOW[dow];
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+index 3aad69f8118..c682531d4bd 100644
+--- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -173,10 +173,19 @@ public class TestZoneInfo310 {
+ * Temporary ignoring the failing TimeZones which are having zone
+ * rules defined till year 2037 and/or above and have negative DST
+ * save time in IANA tzdata. This bug is tracked via JDK-8223388.
++ *
++ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
++ * to be the last year. Thus javazic's rule is based on year 2037
++ * (Mar 20th/Sep 20th are the cutover dates), while the real rule
++ * has year 2087 where Mar 21st/Sep 21st are the cutover dates.
+ */
+- if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun")
+- || zid.equals("Asia/Tehran") || zid.equals("Iran")) {
+- continue;
++ if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule
++ zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule
++ zid.equals("Asia/Tehran") || // last rule mismatch
++ zid.equals("Asia/Gaza") || // uses "Palestine" rule
++ zid.equals("Asia/Hebron") || // uses "Palestine" rule
++ zid.equals("Iran")) { // last rule mismatch
++ continue;
+ }
+ if (! zi.equalsTo(ziOLD)) {
+ System.out.println(zi.diffsTo(ziOLD));
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/backward
++++ b/jdk/test/sun/util/calendar/zi/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
++++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
diff --git a/SOURCES/jdk8295173-tzdata2022e.patch b/SOURCES/jdk8295173-tzdata2022e.patch
new file mode 100644
index 0000000..a7d23ef
--- /dev/null
+++ b/SOURCES/jdk8295173-tzdata2022e.patch
@@ -0,0 +1,813 @@
+commit 44ea8322b2f62e3d8139a78923e3bf017e535989
+Author: Andrew John Hughes
+Date: Sun Oct 16 03:02:37 2022 +0100
+
+ Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/make/data/tzdata/northamerica
++++ b/jdk/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See .
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # BahÃa de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See .
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # BahÃa de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch b/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
deleted file mode 100644
index a42688d..0000000
--- a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1459487045 -3600
-# Fri Apr 01 06:04:05 2016 +0100
-# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
-# Parent 6b81fd2227d14226f2121f2d51b464536925686e
-PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
-PR3575: System cacerts database handling should not affect jssecacerts
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-@@ -72,7 +72,7 @@
- * The preference of the default trusted KeyStore is:
- * javax.net.ssl.trustStore
- * jssecacerts
-- * cacerts
-+ * cacerts (system and local)
- */
- private static final class TrustStoreDescriptor {
- private static final String fileSep = File.separator;
-@@ -83,6 +83,10 @@
- defaultStorePath + fileSep + "cacerts";
- private static final String jsseDefaultStore =
- defaultStorePath + fileSep + "jssecacerts";
-+ /* Check system cacerts DB: /etc/pki/java/cacerts */
-+ private static final String systemStore =
-+ fileSep + "etc" + fileSep + "pki" +
-+ fileSep + "java" + fileSep + "cacerts";
-
- // the trust store name
- private final String storeName;
-@@ -146,7 +150,8 @@
- long temporaryTime = 0L;
- if (!"NONE".equals(storePropName)) {
- String[] fileNames =
-- new String[] {storePropName, defaultStore};
-+ new String[] {storePropName,
-+ systemStore, defaultStore};
- for (String fileName : fileNames) {
- File f = new File(fileName);
- if (f.isFile() && f.canRead()) {
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-@@ -108,9 +108,14 @@
- throws Exception
- {
- String sep = File.separator;
-- File file = new File(System.getProperty("java.home") + sep
-- + "lib" + sep + "security" + sep
-- + "cacerts");
-+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
-+ File file = new File(sep + "etc" + sep + "pki" + sep
-+ + "java" + sep + "cacerts");
-+ if (!file.exists()) {
-+ file = new File(System.getProperty("java.home") + sep
-+ + "lib" + sep + "security" + sep
-+ + "cacerts");
-+ }
- if (!file.exists()) {
- return null;
- }
diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
new file mode 100644
index 0000000..1b88f2a
--- /dev/null
+++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
@@ -0,0 +1,263 @@
+diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+index e7b4763db53..e8ec8467e6a 100644
+--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import sun.security.action.*;
++import sun.security.tools.KeyStoreUtil;
+ import sun.security.validator.TrustStoreUtil;
+
+ /**
+@@ -68,7 +69,7 @@ final class TrustStoreManager {
+ * The preference of the default trusted KeyStore is:
+ * javax.net.ssl.trustStore
+ * jssecacerts
+- * cacerts
++ * cacerts (system and local)
+ */
+ private static final class TrustStoreDescriptor {
+ private static final String fileSep = File.separator;
+@@ -76,7 +77,7 @@ final class TrustStoreManager {
+ GetPropertyAction.privilegedGetProperty("java.home") +
+ fileSep + "lib" + fileSep + "security";
+ private static final String defaultStore =
+- defaultStorePath + fileSep + "cacerts";
++ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
+ private static final String jsseDefaultStore =
+ defaultStorePath + fileSep + "jssecacerts";
+
+@@ -139,6 +140,10 @@ final class TrustStoreManager {
+ String storePropPassword = System.getProperty(
+ "javax.net.ssl.trustStorePassword", "");
+
++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
++ SSLLogger.fine("Default store: " + defaultStore);
++ }
++
+ String temporaryName = "";
+ File temporaryFile = null;
+ long temporaryTime = 0L;
+@@ -146,21 +151,22 @@ final class TrustStoreManager {
+ String[] fileNames =
+ new String[] {storePropName, defaultStore};
+ for (String fileName : fileNames) {
+- File f = new File(fileName);
+- if (f.isFile() && f.canRead()) {
+- temporaryName = fileName;;
+- temporaryFile = f;
+- temporaryTime = f.lastModified();
+-
+- break;
+- }
+-
+- // Not break, the file is inaccessible.
+- if (SSLLogger.isOn &&
++ if (fileName != null && !"".equals(fileName)) {
++ File f = new File(fileName);
++ if (f.isFile() && f.canRead()) {
++ temporaryName = fileName;;
++ temporaryFile = f;
++ temporaryTime = f.lastModified();
++
++ break;
++ }
++ // Not break, the file is inaccessible.
++ if (SSLLogger.isOn &&
+ SSLLogger.isOn("trustmanager")) {
+- SSLLogger.fine(
+- "Inaccessible trust store: " +
+- storePropName);
++ SSLLogger.fine(
++ "Inaccessible trust store: " +
++ fileName);
++ }
+ }
+ }
+ } else {
+diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+index fcc77786da1..f554f83a8b4 100644
+--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
+
+ import java.net.URL;
+
++import java.security.AccessController;
+ import java.security.KeyStore;
++import java.security.PrivilegedAction;
++import java.security.Security;
+
+ import java.security.cert.X509Certificate;
+ import java.text.Collator;
+@@ -54,6 +57,33 @@ public class KeyStoreUtil {
+
+ private static final String JKS = "jks";
+
++ private static final String PROP_NAME = "security.systemCACerts";
++
++ /**
++ * Returns the value of the security property propName, which can be overridden
++ * by a system property of the same name
++ *
++ * @param propName the name of the system or security property
++ * @return the value of the system or security property
++ */
++ @SuppressWarnings("removal")
++ public static String privilegedGetOverridable(String propName) {
++ if (System.getSecurityManager() == null) {
++ return getOverridableProperty(propName);
++ } else {
++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName));
++ }
++ }
++
++ private static String getOverridableProperty(String propName) {
++ String val = System.getProperty(propName);
++ if (val == null) {
++ return Security.getProperty(propName);
++ } else {
++ return val;
++ }
++ }
++
+ /**
+ * Returns true if the certificate is self-signed, false otherwise.
+ */
+@@ -96,20 +126,38 @@ public class KeyStoreUtil {
+ }
+ }
+
++ /**
++ * Returns the path to the cacerts DB
++ */
++ public static File getCacertsKeyStoreFile()
++ {
++ String sep = File.separator;
++ File file = null;
++ /* Check system cacerts DB first, preferring system property over security property */
++ String systemDB = privilegedGetOverridable(PROP_NAME);
++ if (systemDB != null && !"".equals(systemDB)) {
++ file = new File(systemDB);
++ }
++ if (file == null || !file.exists()) {
++ file = new File(System.getProperty("java.home") + sep
++ + "lib" + sep + "security" + sep
++ + "cacerts");
++ }
++ if (file.exists()) {
++ return file;
++ }
++ return null;
++ }
++
+ /**
+ * Returns the keystore with the configured CA certificates.
+ */
+ public static KeyStore getCacertsKeyStore()
+ throws Exception
+ {
+- String sep = File.separator;
+- File file = new File(System.getProperty("java.home") + sep
+- + "lib" + sep + "security" + sep
+- + "cacerts");
+- if (!file.exists()) {
+- return null;
+- }
+ KeyStore caks = null;
++ File file = getCacertsKeyStoreFile();
++ if (file == null) { return null; }
+ try (FileInputStream fis = new FileInputStream(file)) {
+ caks = KeyStore.getInstance(JKS);
+ caks.load(fis, null);
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index bfe0c593adb..093bc09bf95 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..16c9281cc1f 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index 19047c61097..43e034cdeaf 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index 7eda556ae13..325937e97fb 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index dfa1a669aa9..92ef777e065 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
deleted file mode 100644
index 5a619b4..0000000
--- a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3183: Support Fedora/RHEL system crypto policy
-
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/classes/java/security/Security.java
---- openjdk/jdk/src/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code lib/security/java.security} in the Java installation directory.
- *
-+ * Additional default values of security properties are read from a
-+ * system-specific location, if available.
-+ *
- * @author Benjamin Renaud
- */
-
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-aix
---- openjdk/jdk/src/share/lib/security/java.security-aix Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-aix Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-macosx
---- openjdk/jdk/src/share/lib/security/java.security-macosx Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-macosx Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-solaris
---- openjdk/jdk/src/share/lib/security/java.security-solaris Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-solaris Wed Nov 02 03:31:54 2016 +0000
-@@ -278,6 +278,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/share/lib/security/java.security-windows
---- openjdk/jdk/src/share/lib/security/java.security-windows Wed Oct 26 03:51:39 2016 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-windows Wed Nov 02 03:31:54 2016 +0000
-@@ -279,6 +279,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
-
diff --git a/SOURCES/pr3655-toggle_system_crypto_policy.patch b/SOURCES/pr3655-toggle_system_crypto_policy.patch
deleted file mode 100644
index abfac45..0000000
--- a/SOURCES/pr3655-toggle_system_crypto_policy.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-# Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3655: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -122,31 +122,6 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-- }
--
-- if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-@@ -212,6 +187,33 @@
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if (disableSystemProps == null &&
-+ "true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index febd87e..eb8f255 100644
--- a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,11 +1,12 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/jdk/src/share/lib/security/java.security-linux Tue May 16 13:29:05 2017 -0700
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Tue Jun 06 14:05:12 2017 +0200
-@@ -74,6 +74,7 @@
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..a80a3c12abb 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -74,6 +74,7 @@ security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # Sun Provider SecureRandom seed source.
+ # Security providers used when FIPS mode support is active
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
deleted file mode 100644
index 58d77b3..0000000
--- a/SOURCES/rh1655466-global_crypto_and_fips.patch
+++ /dev/null
@@ -1,208 +0,0 @@
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -191,27 +191,7 @@
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-+ loadedProps = loadedProps && SystemConfigurator.configure(props);
- }
-
- if (!loadedProps) {
-diff --git a/src/share/classes/javopenjdk.orig/jdk/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,153 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.FileSystems;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static final String CRYPTO_POLICIES_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+ private static final class SecurityProviderInfo {
-+ int number;
-+ String key;
-+ String value;
-+ SecurityProviderInfo(int number, String key, String value) {
-+ this.number = number;
-+ this.key = key;
-+ this.value = value;
-+ }
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configure(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ loadedProps = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ loadedProps = false;
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ loadedProps = true;
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * FIPS is enabled only if crypto-policies are set to "FIPS"
-+ * and the com.redhat.fips property is true.
-+ */
-+ private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (fipsEnabled) {
-+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
-+ }
-+}
-diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux
-+++ openjdk/jdk/src/share/lib/security/java.security-linux
-@@ -77,6 +77,14 @@
- #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
-+fips.provider.2=sun.security.provider.Sun
-+fips.provider.3=sun.security.ec.SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
-+#
- # Sun Provider SecureRandom seed source.
- #
- # Select the primary source of seed data for the "SHA1PRNG" and
diff --git a/SOURCES/rh1760838-fips_default_keystore_type.patch b/SOURCES/rh1760838-fips_default_keystore_type.patch
deleted file mode 100644
index bedc8ea..0000000
--- a/SOURCES/rh1760838-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
-@@ -179,6 +179,11 @@
- keystore.type=jks
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for the JKS keystore type.
- #
- # When set to 'true', the JKS keystore type supports loading
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 91e3705..0000000
--- a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,327 +0,0 @@
-diff -r bbc65dfa59d1 src/share/classes/java/security/SystemConfigurator.java
---- openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -165,20 +165,37 @@
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-- } else {
-- return false;
-- }
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
-+ Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
- }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -63,6 +63,7 @@
- private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
- private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -248,4 +249,12 @@
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -31,6 +31,7 @@
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import sun.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -539,20 +540,38 @@
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -612,6 +631,16 @@
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -939,6 +968,16 @@
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-@@ -30,6 +30,8 @@
-
- import java.security.*;
-
-+import sun.misc.SharedSecrets;
-+
- /**
- * The JSSE provider.
- *
-@@ -215,8 +217,13 @@
- "sun.security.ssl.SSLContextImpl$TLS11Context");
- put("SSLContext.TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context");
-- put("SSLContext.TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ put("SSLContext.TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ }
- put("SSLContext.TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext");
- if (isfips == false) {
diff --git a/SOURCES/rh1906862-always_initialise_configurator_access.patch b/SOURCES/rh1906862-always_initialise_configurator_access.patch
deleted file mode 100644
index 82116ad..0000000
--- a/SOURCES/rh1906862-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1608219816 0
-# Thu Dec 17 15:43:36 2020 +0000
-# Node ID db5d1b28bfce04352b3a48960bf836f6eb20804b
-# Parent a2cfa397150e99b813354226d536eb8509b5850b
-RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -30,6 +30,8 @@
- import java.util.concurrent.ConcurrentHashMap;
- import java.io.*;
- import java.net.URL;
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- import sun.security.util.PropertyExpander;
-
-@@ -69,6 +71,15 @@
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -39,8 +39,6 @@
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import sun.misc.SharedSecrets;
--import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
-
- /**
-@@ -66,16 +64,6 @@
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
deleted file mode 100644
index 1461be8..0000000
--- a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
+++ /dev/null
@@ -1,344 +0,0 @@
-diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
---- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
-+++ openjdk/jdk/make/lib/SecurityLibraries.gmk
-@@ -289,3 +289,34 @@
-
- endif
- endif
-+
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
-+ LIBRARY := systemconf, \
-+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
-+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
-+ LANG := C, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
-+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
-+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
-+
-+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
-@@ -0,0 +1,35 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+# Define public interface.
-+
-+SUNWprivate_1.1 {
-+ global:
-+ DEF_JNI_OnLoad;
-+ DEF_JNI_OnUnLoad;
-+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
-+ local:
-+ *;
-+};
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,14 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.FileSystems;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -59,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -171,17 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
-- private static boolean enableFips() throws Exception {
-+ private static boolean enableFips() throws IOException {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-new file mode 100644
---- /dev/null
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
deleted file mode 100644
index 64d8ac0..0000000
--- a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
---- openjdk.orig/common/autoconf/configure.ac
-+++ openjdk/common/autoconf/configure.ac
-@@ -212,6 +212,7 @@
- LIB_SETUP_ALSA
- LIB_SETUP_FONTCONFIG
- LIB_SETUP_MISC_LIBS
-+LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_STATIC_LINK_LIBSTDCPP
- LIB_SETUP_ON_WINDOWS
-
-diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
---- openjdk.orig/common/autoconf/libraries.m4
-+++ openjdk/common/autoconf/libraries.m4
-@@ -1067,3 +1067,63 @@
- BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
- fi
- ])
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
---- openjdk.orig/common/autoconf/spec.gmk.in
-+++ openjdk/common/autoconf/spec.gmk.in
-@@ -312,6 +312,10 @@
- ALSA_LIBS:=@ALSA_LIBS@
- ALSA_CFLAGS:=@ALSA_CFLAGS@
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- PACKAGE_PATH=@PACKAGE_PATH@
-
- # Source file for cacerts
-diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
---- openjdk.orig/common/bin/compare_exceptions.sh.incl
-+++ openjdk/common/bin/compare_exceptions.sh.incl
-@@ -280,6 +280,7 @@
- ./jre/lib/i386/libsplashscreen.so
- ./jre/lib/i386/libsunec.so
- ./jre/lib/i386/libsunwjdga.so
-+./jre/lib/i386/libsystemconf.so
- ./jre/lib/i386/libt2k.so
- ./jre/lib/i386/libunpack.so
- ./jre/lib/i386/libverify.so
-@@ -433,6 +434,7 @@
- ./jre/lib/amd64/libsplashscreen.so
- ./jre/lib/amd64/libsunec.so
- ./jre/lib/amd64/libsunwjdga.so
-+//jre/lib/amd64/libsystemconf.so
- ./jre/lib/amd64/libt2k.so
- ./jre/lib/amd64/libunpack.so
- ./jre/lib/amd64/libverify.so
-@@ -587,6 +589,7 @@
- ./jre/lib/sparc/libsplashscreen.so
- ./jre/lib/sparc/libsunec.so
- ./jre/lib/sparc/libsunwjdga.so
-+./jre/lib/sparc/libsystemconf.so
- ./jre/lib/sparc/libt2k.so
- ./jre/lib/sparc/libunpack.so
- ./jre/lib/sparc/libverify.so
-@@ -741,6 +744,7 @@
- ./jre/lib/sparcv9/libsplashscreen.so
- ./jre/lib/sparcv9/libsunec.so
- ./jre/lib/sparcv9/libsunwjdga.so
-+./jre/lib/sparcv9/libsystemconf.so
- ./jre/lib/sparcv9/libt2k.so
- ./jre/lib/sparcv9/libunpack.so
- ./jre/lib/sparcv9/libverify.so
-diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
---- openjdk.orig/common/nb_native/nbproject/configurations.xml
-+++ openjdk/common/nb_native/nbproject/configurations.xml
-@@ -53,6 +53,9 @@
- jvmtiEnterTrace.cpp
-
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -12772,6 +12775,11 @@
- tool="0"
- flavor2="0">
-
-+ -
-+
- - attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = P11ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -63,6 +66,26 @@
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -314,10 +337,15 @@
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -333,7 +361,7 @@
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -147,16 +148,28 @@
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1905,4 +1918,69 @@
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
- }
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
-+}
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@
-
- import javax.net.ssl.*;
-
-+import sun.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@
- keyManager = new X509KeyManagerImpl(
- Collections.
emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index 341e092..0000000
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-# HG changeset patch
-# User mbalao
-# Date 1630103180 -3600
-# Fri Aug 27 23:26:20 2021 +0100
-# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
-# Parent c90394a76ee02a689f95199559d5724824b4b25e
-RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -42,6 +42,8 @@
- import javax.security.auth.callback.PasswordCallback;
- import javax.security.auth.callback.TextOutputCallback;
-
-+import sun.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-
-@@ -58,6 +60,9 @@
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -368,6 +373,24 @@
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 5aa9ec7..0000000
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 06c2decab204fcce5aca2d285953fcac1820b1ae
-Author: Andrew John Hughes
-Date: Mon Jan 24 01:23:28 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index 40ca609e02..0dafe6f59c 100644
---- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -31,6 +31,7 @@ import java.io.Console;
- import java.io.FileDescriptor;
- import java.io.ObjectInputStream;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- import java.security.AccessController;
-@@ -255,6 +256,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index 90cc44e..0000000
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
-Author: Fridrich Strba
-Date: Mon Jan 24 01:10:57 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 6f4656bfcb..34d0ff0ce9 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index e237841..0000000
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-commit aaf92165ad1cbb1c9818eb60178c91293e13b053
-Author: Andrew John Hughes
-Date: Mon Jan 24 15:13:14 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
-index fa494b680f..b5aa5c749d 100644
---- openjdk.orig/jdk/src/share/classes/java/security/Security.java
-+++ openjdk/jdk/src/share/classes/java/security/Security.java
-@@ -57,10 +57,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -202,13 +198,6 @@ public final class Security {
- }
- }
-
-- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-- loadedProps = loadedProps && SystemConfigurator.configure(props);
-- }
--
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
-@@ -217,6 +206,28 @@ public final class Security {
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
-+ }
-+ }
- }
-
- /*
-diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-index d1f677597d..7da65b1d2c 100644
---- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index 52a7803..0000000
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
-Author: Andrew John Hughes
-Date: Mon Feb 28 05:50:10 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
-index 34d0ff0ce9..8dcb7d9073 100644
---- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include
- #include
- #include
-+#include "jvm_md.h"
- #include
-
- #ifdef SYSCONF_NSS
- #include
-+#else
-+#include
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 84f7d57..16fbf02 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -23,6 +23,8 @@
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
@@ -31,6 +33,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global jpeg_lib |libjavajpeg[.]so.*
+%else
+%global system_libs 0
+%global link_type bundled
+%global jpeg_lib |libjpeg[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -150,11 +162,15 @@
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%global bootstrap_targets images
%global release_targets images docs-zip
@@ -265,11 +281,15 @@
# New Version-String scheme-style defines
%global majorver 8
-# Standard JPackage naming and versioning defines.
+# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
+# Settings for local security configuration
+%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os}
+%global cacerts_file /etc/pki/java/cacerts
+
# Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc.
%global oj_vendor_url "https://www.redhat.com/"
@@ -291,15 +311,18 @@
%endif
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
-%global shenandoah_project openjdk
-%global shenandoah_repo shenandoah-jdk8u
-%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06
+%global shenandoah_project openjdk
+%global shenandoah_repo shenandoah-jdk8u
+%global openjdk_revision jdk8u352-b08
+%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
%global revision %{shenandoah_revision}
# Define IcedTea version used for SystemTap tapsets and desktop files
%global icedteaver 3.15.0
+# Define current Git revision for the FIPS support patches
+%global fipsver 6d1aade0648
# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@@ -309,7 +332,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 11
+%global rpmrelease 2
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -349,8 +372,7 @@
# as to why some libraries *cannot* be excluded. In particular,
# these are:
# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
-
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
%global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$
@@ -774,6 +796,7 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
+%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
%dir %{_jvmdir}/%{jredir -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@@ -856,7 +879,11 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
+%if %{system_libs}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
+%else
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
+%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@@ -897,6 +924,7 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@@ -1097,9 +1125,10 @@ Provides: java%{?1} = %{epoch}:%{javaver}
Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem
-# Require zoneinfo data provided by tzdata-java subpackage.
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
+# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
@@ -1111,6 +1140,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1293,6 +1324,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
Source20: repackReproduciblePolycies.sh
# New versions of config files with aarch64 support. This is not upstream yet.
@@ -1320,29 +1354,26 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1582504-rsa_default_for_keytool.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
+# PR3655: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1760838: No ciphersuites available for SSLSocket in FIPS mode
-Patch1002: rh1760838-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1005: rh1906862-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
-Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1008: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-8u-%{fipsver}.patch
#############################################
#
@@ -1364,11 +1395,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_
Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
-Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
-# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy
-Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3655: Allow use of system crypto policy to be disabled by the user
-Patch401: pr3655-toggle_system_crypto_policy.patch
+# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
+# Must be applied after crypto policy patch as it also changes java.security
+Patch539: pr2888-rh2055274-support_system_cacerts.patch
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
# JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
@@ -1424,14 +1453,17 @@ Patch581: jdk8257794-remove_broken_assert.patch
#############################################
#
-# Patches appearing in 8u332
+# Patches appearing in 8u362
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
-Patch700: jdk8279077-missing_crash_protector_ppc.patch
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
#############################################
#
@@ -1476,12 +1508,8 @@ BuildRequires: desktop-file-utils
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXext-devel
@@ -1492,6 +1520,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1502,8 +1532,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1511,6 +1542,24 @@ BuildRequires: gcc >= 4.8.3-8
BuildRequires: systemtap-sdt-devel
%endif
+%if %{system_libs}
+BuildRequires: giflib-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
+Provides: bundled(lcms2) = 2.10.0
+# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in jdk/src/share/native/sun/awt/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@@ -1799,18 +1848,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
# OpenJDK patches
+%if %{system_libs}
# Remove libraries that are linked
sh %{SOURCE12}
+%endif
# System library fixes
+%if %{system_libs}
%patch201
%patch202
%patch203
%patch204
-
-# System security policy fixes
-%patch400
-%patch401
+%endif
%patch1
%patch3
@@ -1839,26 +1888,21 @@ sh %{SOURCE12}
%patch581
%patch113
-# Upstreamed fixes
-%patch700
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+# system cacerts support
+%patch539 -p1
+# tzdata updates targetted for 8u362
+%patch2002 -p1
+%patch2003 -p1
+popd
# RPM-only fixes
-%patch539
%patch600
-%patch1000
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1005
-%patch1006
-%patch1007
-%patch1008
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1920,7 +1964,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+# Setup security policy
+sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
+
%build
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1957,12 +2005,20 @@ function buildjdk() {
local buildjdk=${2}
local maketargets="${3}"
local debuglevel=${4}
+ local link_opt=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures
local top_builddir_abs_path=$(pwd)/${outputdir}
echo "Using output directory: ${outputdir}";
+
+ if [ "x${link_opt}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
@@ -1993,12 +2049,14 @@ function buildjdk() {
--with-debug-level=${debuglevel} \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
- --with-libjpeg=system \
- --with-giflib=system \
- --with-libpng=system \
- --with-lcms=system \
- --with-stdc++lib=dynamic \
+ --with-zlib=${link_opt} \
+ --with-giflib=${link_opt} \
+%if %{with system_libs}
+ --with-libjpeg=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+%endif
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \
@@ -2055,6 +2113,35 @@ function installjdk() {
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/jre/lib/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/jre/lib/security/
+
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/jre/lib/security/java.security
+
+ # Use system-wide tzdata
+ mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
+
+ # add alt-java man page
+ pushd ${imagepath}
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2080,6 +2167,7 @@ builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
+link_opt="%{link_type}"
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
@@ -2093,35 +2181,16 @@ else
fi
if ${run_bootstrap} ; then
- buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir}
- buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
- buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
-# Install nss.cfg right away as we will be using the JRE above
-export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage}
-
-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/jre/lib/security/
-
-# Use system-wide tzdata
-rm $JAVA_HOME/jre/lib/tzdb.dat
-ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/jre/lib/tzdb.dat
-
-# add alt-java man page
-pushd ${JAVA_HOME}
-echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
-cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
-popd
-
# build cycles
done
@@ -2140,9 +2209,14 @@ $JAVA_HOME/bin/java TestCryptoLevel
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
@@ -2158,6 +2232,9 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
@@ -2274,13 +2351,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien
done
%endif
- # Remove empty cacerts database
- rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts
- # Install cacerts symlink needed by some apps which hardcode the path
- pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security
- ln -sf /etc/pki/java/cacerts .
- popd
-
# Install versioned symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
@@ -2635,6 +2705,93 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Oct 16 2022 Andrew Hughes - 1:1.8.0.352.b08-2
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Rebase FIPS patch against 8u352-b07
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Add test to ensure timezones can be translated
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2048542
+
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4
+- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts=
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Related: rhbz#2055274
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3
+- Disable copy-jdk-configs for Flatpak builds
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102733
+
+* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2
+- Update to shenandoah-jdk8u345-b01 (GA)
+- Update release notes for 8u345-b01.
+- Resolves: rhbz#2112403
+
+* Sun Jul 24 2022 Andrew Hughes - 1:1.8.0.342.b07-2
+- Update to shenandoah-jdk8u342-b07 (GA)
+- Update release notes for 8u342-b07.
+- Switch to GA mode for final release.
+- Resolves: rhbz#2106507
+
+* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.342.b06-0.1.ea
+- Update to shenandoah-jdk8u342-b06 (EA)
+- Update release notes for shenandoah-8u342-b06.
+- Switch to EA mode for 8u342 pre-release builds.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Remove redundant "REPOS" variable from tarball script
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Resolves: rhbz#2083265
+
+* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.332.b09-5
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Rebase PR2888/RH2055274 cacerts patch so it applies after the current FIPS patch
+- Perform configuration changes (e.g. nss.cfg, nss.fips.cfg, tzdb.dat) in installjdk
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Resolves: rhbz#2097152
+- Resolves: rhbz#2100675
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-4
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102431
+
+* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-3
+- Update to shenandoah-jdk8u332-b09 (GA)
+- Update release notes for 8u332-b09.
+- Switch to GA mode for final release.
+- Resolves: rhbz#2074646
+
+* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.2.ea
+- Allow the default keystore to be configured using security.systemCACerts
+- Use of the property can now be disabled using -Djava.security.disableSystemCACerts=true
+- Resolves: rhbz#2055274
+
+* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.1.ea
+- Update to shenandoah-jdk8u332-b06 (EA)
+- Update release notes for shenandoah-8u332-b06.
+- Resolves: rhbz#2047536
+
+* Sun Apr 17 2022 Andrew Hughes - 1:1.8.0.332.b01-0.1.ea
+- Update to shenandoah-jdk8u332-b01 (EA)
+- Update release notes for shenandoah-8u332-b01.
+- Switch to EA mode.
+- Remove JDK-8279077 patch now upstream.
+- Related: rhbz#2047536
+
* Mon Feb 28 2022 Jiri Vanek - 1:1.8.0.322.b06-11
- Storing and restoring alterntives during update manually
- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE