From 9fe5397a6a6aff45238c222d355cf21dc85a9b8c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2022 06:36:38 +0000
Subject: import java-1.8.0-openjdk-1.8.0.345.b01-5.el9
---
diff --git a/.gitignore b/.gitignore
index 35138ce..ccfc525 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index ce1ddd8..493f497 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
+d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index 08b5588..a45c520 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,163 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release OpenJDK 8u352 (2022-10-18):
-===========================================
-Live versions of these release notes can be found at:
- * https://bit.ly/openjdk8u352
- * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
-
-* Security fixes
- - JDK-8282252: Improve BigInteger/Decimal validation
- - JDK-8285662: Better permission resolution
- - JDK-8286511: Improve macro allocation
- - JDK-8286519: Better memory handling
- - JDK-8286526, CVE-2022-21619: Improve NTLM support
- - JDK-8286533, CVE-2022-21626: Key X509 usages
- - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- - JDK-8286918, CVE-2022-21628: Better HttpServer service
- - JDK-8288508: Enhance ECDSA usage
-* Other changes
- - JDK-7131823: bug in GIFImageReader
- - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
- - JDK-8028265: Add legacy tz tests to OpenJDK
- - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
- - JDK-8049228: Improve multithreaded scalability of InetAddress cache
- - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
- - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
- - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
- - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
- - JDK-8139668: Generate README-build.html from markdown
- - JDK-8143847: Remove REF_CLEANER reference category
- - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
- - JDK-8150669: C1 intrinsic for Class.isPrimitive
- - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
- - JDK-8173339: AArch64: Fix minimum stack size computations
- - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
- - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
- - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
- - JDK-8183107: PKCS11 regression regarding checkKeySize
- - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
- - JDK-8194873: right ALT key hotkeys no longer work in Swing components
- - JDK-8201793: (ref) Reference object should not support cloning
- - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
- - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
- - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
- - JDK-8235218: Minimal VM is broken after JDK-8173361
- - JDK-8235385: Crash on aarch64 JDK due to long offset
- - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
- - JDK-8254178: Remove .hgignore
- - JDK-8254318: Remove .hgtags
- - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
- - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
- - JDK-8280963: Incorrect PrintFlags formatting on Windows
- - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
- - JDK-8285497: Add system property for Java SE specification maintenance version
- - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
- - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
- - JDK-8287521: Bump update version of OpenJDK: 8u352
- - JDK-8288763: Pack200 extraction failure with invalid size
- - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
- - JDK-8290000: Bump macOS GitHub actions to macOS 11
- - JDK-8292579: (tz) Update Timezone Data to 2022c
- - JDK-8292688: Support Security properties in security.testlibrary.Proc
-
-Notes on individual issues:
-===========================
-
-core-libs/java.lang:
-
-JDK-8201793: (ref) Reference object should not support cloning
-==============================================================
-`java.lang.ref.Reference::clone` method always throws
-`CloneNotSupportedException`. `Reference` objects cannot be
-meaningfully cloned. To create a new Reference object, call the
-constructor to create a `Reference` object with the same referent and
-reference queue instead.
-
-JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
-===============================================================================================
-`java.lang.ref.Reference.enqueue` method clears the reference object
-before it is added to the registered queue. When the `enqueue` method
-is called, the reference object is cleared and `get()` method will
-return null in OpenJDK 8u352.
-
-Typically when a reference object is enqueued, it is expected that the
-reference object is cleared explicitly via the `clear` method to avoid
-memory leak because its referent is no longer referenced. In other
-words the `get` method is expected not to be called in common cases
-once the `enqueue`method is called. In the case when the `get` method
-from an enqueued reference object and existing code attempts to access
-members of the referent, `NullPointerException` may be thrown. Such
-code will need to be updated.
-
-JDK-8071507: (ref) Clear phantom reference as soft and weak references do
-=========================================================================
-This enhancement changes phantom references to be automatically
-cleared by the garbage collector as soft and weak references.
-
-An object becomes phantom reachable after it has been finalized. This
-change may cause the phantom reachable objects to be GC'ed earlier -
-previously the referent is kept alive until PhantomReference objects
-are GC'ed or cleared by the application. This potential behavioral
-change might only impact existing code that would depend on
-PhantomReference being enqueued rather than when the referent be freed
-from the heap.
-
-security-libs/javax.net.ssl:
-
-JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
-================================================================
-The TLSv1.3 implementation is now enabled by default for client roles
-in 8u352. It has been enabled by default for server roles since 8u272.
-
-Note that TLS 1.3 is not directly compatible with previous
-versions. Enabling it on the client may introduce compatibility issues
-on either the server or the client side. Here are some more details on
-potential compatibility issues that you should be aware of:
-
-* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
- use a duplex-close policy. For applications that depend on the
- duplex-close policy, there may be compatibility issues when
- upgrading to TLS 1.3.
-
-* The signature_algorithms_cert extension requires that pre-defined
- signature algorithms are used for certificate authentication. In
- practice, however, an application may use non-supported signature
- algorithms.
-
-* The DSA signature algorithm is not supported in TLS 1.3. If a server
- is configured to only use DSA certificates, it cannot upgrade to TLS
- 1.3.
-
-* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
- and prior versions. If an application hard-codes cipher suites which
- are no longer supported, it may not be able to use TLS 1.3 without
- modifying the application code.
-
-* The TLS 1.3 session resumption and key update behaviors are
- different from TLS 1.2 and prior versions. The compatibility should
- be minimal, but it could be a risk if an application depends on the
- handshake details of the TLS protocols.
-
-The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
-system property:
-
-java -Djdk.tls.client.protocols="TLSv1.2" ...
-
-Alternatively, an application can explicitly set the enabled protocols
-with the javax.net.ssl APIs e.g.
-
-sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
-
-or:
-
-SSLParameters params = sslSocket.getSSLParameters();
-params.setProtocols(new String[] {"TLSv1.2"});
-slsSocket.setSSLParameters(params);
-
New in release OpenJDK 8u345 (2022-08-01):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 2967a32..552bd0f 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -1,20 +1,3 @@
-/* TestSecurityProperties -- Ensure system security properties can be used to
- enable the crypto policies.
- Copyright (C) 2022 Red Hat, Inc.
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see .
-*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java
deleted file mode 100644
index 7b2f09b..0000000
--- a/SOURCES/TestTranslations.java
+++ /dev/null
@@ -1,140 +0,0 @@
-/* TestTranslations -- Ensure translations are available for new timezones
- Copyright (C) 2022 Red Hat, Inc.
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see .
-*/
-
-import java.text.DateFormatSymbols;
-
-import java.time.ZoneId;
-import java.time.format.TextStyle;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Locale;
-import java.util.Objects;
-import java.util.TimeZone;
-
-public class TestTranslations {
-
- private static Map KYIV;
-
- static {
- Map map = new HashMap();
- map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
- "Eastern European Summer Time", "GMT+03:00", "EEST",
- "Eastern European Time", "GMT+02:00", "EET"});
- map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
- "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
- "Heure d'Europe de l'Est", "UTC+02:00", "EET"});
- map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
- "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
- "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
- KYIV = Collections.unmodifiableMap(map);
- }
-
-
- public static void main(String[] args) {
- if (args.length < 1) {
- System.err.println("Test must be started with the name of the locale provider.");
- System.exit(1);
- }
-
- String localeProvider = args[0];
- System.out.println("Checking sanity of full zone string set...");
- boolean invalid = Arrays.stream(Locale.getAvailableLocales())
- .peek(l -> System.out.println("Locale: " + l))
- .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
- .flatMap(zs -> Arrays.stream(zs))
- .flatMap(names -> Arrays.stream(names))
- .filter(name -> Objects.isNull(name) || name.isEmpty())
- .findAny()
- .isPresent();
- if (invalid) {
- System.err.println("Zone string for a locale returned null or empty string");
- System.exit(2);
- }
-
- for (Locale l : KYIV.keySet()) {
- String[] expected = KYIV.get(l);
- for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
- String expectedShortStd = null;
- String expectedShortDST = null;
- String expectedShortGen = null;
-
- System.out.printf("Checking locale %s for %s...\n", l, id);
-
- if ("JRE".equals(localeProvider)) {
- expectedShortStd = expected[2];
- expectedShortDST = expected[5];
- expectedShortGen = expected[8];
- } else if ("CLDR".equals(localeProvider)) {
- expectedShortStd = expected[1];
- expectedShortDST = expected[4];
- expectedShortGen = expected[7];
- } else {
- System.err.printf("Invalid locale provider %s\n", localeProvider);
- System.exit(3);
- }
- System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
- localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
-
- String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
- String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
- String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
- String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
- String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
- String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
-
- if (!expected[0].equals(longStd)) {
- System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
- id, l, longStd, expected[0]);
- System.exit(4);
- }
-
- if (!expectedShortStd.equals(shortStd)) {
- System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
- id, l, shortStd, expectedShortStd);
- System.exit(5);
- }
-
- if (!expected[3].equals(longDST)) {
- System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
- id, l, longDST, expected[3]);
- System.exit(6);
- }
-
- if (!expectedShortDST.equals(shortDST)) {
- System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
- id, l, shortDST, expectedShortDST);
- System.exit(7);
- }
-
- if (!expected[6].equals(longGen)) {
- System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
- id, l, longGen, expected[6]);
- System.exit(8);
- }
-
- if (!expectedShortGen.equals(shortGen)) {
- System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
- id, l, shortGen, expectedShortGen);
- System.exit(9);
- }
- }
- }
- }
-}
diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch
deleted file mode 100644
index 58ab6e5..0000000
--- a/SOURCES/fips-8u-6d1aade0648.patch
+++ /dev/null
@@ -1,2007 +0,0 @@
-diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
-index 151e5a109f8..a8761b500e0 100644
---- a/common/autoconf/configure.ac
-+++ b/common/autoconf/configure.ac
-@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
- LIB_SETUP_ALSA
- LIB_SETUP_FONTCONFIG
- LIB_SETUP_MISC_LIBS
-+LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_STATIC_LINK_LIBSTDCPP
- LIB_SETUP_ON_WINDOWS
-
-diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
-index 71fabf4dbb3..17f4f50673d 100644
---- a/common/autoconf/generated-configure.sh
-+++ b/common/autoconf/generated-configure.sh
-@@ -651,6 +651,9 @@ LLVM_CONFIG
- LIBFFI_LIBS
- LIBFFI_CFLAGS
- STATIC_CXX_SETTING
-+USE_SYSCONF_NSS
-+NSS_LIBS
-+NSS_CFLAGS
- LIBDL
- LIBM
- LIBZIP_CAN_USE_MMAP
-@@ -1111,6 +1114,7 @@ with_fontconfig
- with_fontconfig_include
- with_giflib
- with_zlib
-+enable_sysconf_nss
- with_stdc__lib
- with_msvcr_dll
- with_msvcp_dll
-@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
- FREETYPE_LIBS
- ALSA_CFLAGS
- ALSA_LIBS
-+NSS_CFLAGS
-+NSS_LIBS
- LIBFFI_CFLAGS
- LIBFFI_LIBS
- CCACHE'
-@@ -1871,6 +1877,8 @@ Optional Features:
- disable bundling of the freetype library with the
- build result [enabled on Windows or when using
- --with-freetype, disabled otherwise]
-+ --enable-sysconf-nss build the System Configurator (libsysconf) using the
-+ system NSS library if available [disabled]
- --enable-sjavac use sjavac to do fast incremental compiles
- [disabled]
- --disable-precompiled-headers
-@@ -2115,6 +2123,8 @@ Some influential environment variables:
- linker flags for FREETYPE, overriding pkg-config
- ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
- ALSA_LIBS linker flags for ALSA, overriding pkg-config
-+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
-+ NSS_LIBS linker flags for NSS, overriding pkg-config
- LIBFFI_CFLAGS
- C compiler flags for LIBFFI, overriding pkg-config
- LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
-@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-
- } # ac_fn_c_check_header_compile
-+
-+# ac_fn_c_try_link LINENO
-+# -----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_link ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext conftest$ac_exeext
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext && {
-+ test "$cross_compiling" = yes ||
-+ test -x conftest$ac_exeext
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-+ # interfere with the next link command; also delete a directory that is
-+ # left behind by Apple's compiler. We do this before executing the actions.
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_link
- cat >config.log <<_ACEOF
- This file contains any messages produced by compilers while
- running configure, to aid debugging if configure makes a mistake.
-@@ -4049,6 +4105,11 @@ fi
-
-
-
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+
-+
- #
- # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
- # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-@@ -49304,6 +49365,157 @@ fi
- LIBS="$save_LIBS"
-
-
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
-+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ # Check whether --enable-sysconf-nss was given.
-+if test "${enable_sysconf_nss+set}" = set; then :
-+ enableval=$enable_sysconf_nss;
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+
-+else
-+
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+
-+fi
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
-+$as_echo "$sysconf_nss" >&6; }
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+
-+pkg_failed=no
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
-+$as_echo_n "checking for NSS... " >&6; }
-+
-+if test -n "$NSS_CFLAGS"; then
-+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
-+ elif test -n "$PKG_CONFIG"; then
-+ if test -n "$PKG_CONFIG" && \
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
-+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then
-+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
-+else
-+ pkg_failed=yes
-+fi
-+ else
-+ pkg_failed=untried
-+fi
-+if test -n "$NSS_LIBS"; then
-+ pkg_cv_NSS_LIBS="$NSS_LIBS"
-+ elif test -n "$PKG_CONFIG"; then
-+ if test -n "$PKG_CONFIG" && \
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
-+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then
-+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
-+else
-+ pkg_failed=yes
-+fi
-+ else
-+ pkg_failed=untried
-+fi
-+
-+
-+
-+if test $pkg_failed = yes; then
-+
-+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-+ _pkg_short_errors_supported=yes
-+else
-+ _pkg_short_errors_supported=no
-+fi
-+ if test $_pkg_short_errors_supported = yes; then
-+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
-+ else
-+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
-+ fi
-+ # Put the nasty error message in config.log where it belongs
-+ echo "$NSS_PKG_ERRORS" >&5
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+ NSS_FOUND=no
-+elif test $pkg_failed = untried; then
-+ NSS_FOUND=no
-+else
-+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
-+ NSS_LIBS=$pkg_cv_NSS_LIBS
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+ NSS_FOUND=yes
-+fi
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
-+$as_echo_n "checking for system FIPS support in NSS... " >&6; }
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include
-+int
-+main ()
-+{
-+SECMOD_GetSystemFIPSEnabled()
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_link "$LINENO"; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
-+fi
-+rm -f core conftest.err conftest.$ac_objext \
-+ conftest$ac_exeext conftest.$ac_ext
-+ ac_ext=cpp
-+ac_cpp='$CXXCPP $CPPFLAGS'
-+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-+
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
-+ fi
-+ fi
-+
-+
-+
- ###############################################################################
- #
- # statically link libstdc++ before C++ ABI is stablized on Linux unless
-diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
-index 6efae578ea9..0080846255b 100644
---- a/common/autoconf/libraries.m4
-+++ b/common/autoconf/libraries.m4
-@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
- BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
- fi
- ])
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
-index 506cf617087..7241593b1a4 100644
---- a/common/autoconf/spec.gmk.in
-+++ b/common/autoconf/spec.gmk.in
-@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
- ALSA_LIBS:=@ALSA_LIBS@
- ALSA_CFLAGS:=@ALSA_CFLAGS@
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- PACKAGE_PATH=@PACKAGE_PATH@
-
- # Source file for cacerts
-diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
-index 3b79a526f56..d2a0e39b206 100644
---- a/common/bin/compare_exceptions.sh.incl
-+++ b/common/bin/compare_exceptions.sh.incl
-@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/i386/libsplashscreen.so
- ./jre/lib/i386/libsunec.so
- ./jre/lib/i386/libsunwjdga.so
-+./jre/lib/i386/libsystemconf.so
- ./jre/lib/i386/libt2k.so
- ./jre/lib/i386/libunpack.so
- ./jre/lib/i386/libverify.so
-@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/amd64/libsplashscreen.so
- ./jre/lib/amd64/libsunec.so
- ./jre/lib/amd64/libsunwjdga.so
-+//jre/lib/amd64/libsystemconf.so
- ./jre/lib/amd64/libt2k.so
- ./jre/lib/amd64/libunpack.so
- ./jre/lib/amd64/libverify.so
-@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/sparc/libsplashscreen.so
- ./jre/lib/sparc/libsunec.so
- ./jre/lib/sparc/libsunwjdga.so
-+./jre/lib/sparc/libsystemconf.so
- ./jre/lib/sparc/libt2k.so
- ./jre/lib/sparc/libunpack.so
- ./jre/lib/sparc/libverify.so
-@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/sparcv9/libsplashscreen.so
- ./jre/lib/sparcv9/libsunec.so
- ./jre/lib/sparcv9/libsunwjdga.so
-+./jre/lib/sparcv9/libsystemconf.so
- ./jre/lib/sparcv9/libt2k.so
- ./jre/lib/sparcv9/libunpack.so
- ./jre/lib/sparcv9/libverify.so
-diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
-index d2beed0b93a..3b6aef98d9a 100644
---- a/common/nb_native/nbproject/configurations.xml
-+++ b/common/nb_native/nbproject/configurations.xml
-@@ -53,6 +53,9 @@
- jvmtiEnterTrace.cpp
-
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -12772,6 +12775,11 @@
- tool="0"
- flavor2="0">
-
-+ -
-+
- - Additional default values of security properties are read from a
-+ * system-specific location, if available.
-+ *
- * @author Benjamin Renaud
- */
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging? -- for developers */
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -62,6 +72,19 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -78,6 +101,7 @@ public final class Security {
- props = new Properties();
- boolean loadedProps = false;
- boolean overrideAll = false;
-+ boolean systemSecPropsEnabled = false;
-
- // first load the system properties file
- // to determine the value of security.overridePropertiesFile
-@@ -93,6 +117,7 @@ public final class Security {
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -187,6 +212,61 @@ public final class Security {
- }
- }
-
-+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
-+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
-+ if (sdebug != null) {
-+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
-+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
-+ }
-+ if (!sysUseProps && secUseProps) {
-+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
-+ if (!systemSecPropsEnabled) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System security properties could not be loaded.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("System security property support disabled by user.");
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps && systemSecPropsEnabled) {
-+ boolean shouldEnable;
-+ String sysProp = System.getProperty("com.redhat.fips");
-+ if (sysProp == null) {
-+ shouldEnable = true;
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
- }
-
- /*
-diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..a24a0445db2
---- /dev/null
-+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,248 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ boolean systemSecPropsLoaded = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ systemSecPropsLoaded = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+ return systemSecPropsLoaded;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws IOException {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..5c30a8b29c7
---- /dev/null
-+++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
-+}
-diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index f065a2c685d..0dafe6f59cf 100644
---- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -31,6 +31,7 @@ import java.io.Console;
- import java.io.FileDescriptor;
- import java.io.ObjectInputStream;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- import java.security.AccessController;
-@@ -63,6 +64,7 @@ public class SharedSecrets {
- private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
- private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -248,4 +250,15 @@ public class SharedSecrets {
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..14d19450390
---- /dev/null
-+++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = P11ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-index fedcd7743ef..f9d70863bd1 100644
---- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
- import javax.security.auth.callback.PasswordCallback;
- import javax.security.auth.callback.TextOutputCallback;
-
-+import sun.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-
-@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 2e42d1d9fb0..1b7eed1c656 100644
---- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -145,18 +146,41 @@ public class PKCS11 {
- this.pkcs11ModulePath = pkcs11ModulePath;
- }
-
-+ /*
-+ * Compatibility wrapper to allow this method to work as before
-+ * when FIPS mode support is not active.
-+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
-+ return getInstance(pkcs11ModulePath, functionList,
-+ pInitArgs, omitInitialize, null);
-+ }
-+
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
-diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603b..98119479823 100644
---- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import sun.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-index 820e10164fc..6fe2c29389f 100644
---- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -31,6 +31,7 @@ import java.security.*;
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import sun.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-index 2845dc37938..52337a7b6cf 100644
---- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- import java.security.*;
-
-+import sun.misc.SharedSecrets;
-+
- /**
- * The JSSE provider.
- *
-@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context");
- put("SSLContext.TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context");
-- put("SSLContext.TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ put("SSLContext.TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ }
- put("SSLContext.TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext");
- if (isfips == false) {
-diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index 7a93d4e6b59..681a24b905d 100644
---- a/jdk/src/share/lib/security/java.security-aix
-+++ b/jdk/src/share/lib/security/java.security-aix
-@@ -287,6 +287,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index 145a84f94cf..789c19a8cba 100644
---- a/jdk/src/share/lib/security/java.security-linux
-+++ b/jdk/src/share/lib/security/java.security-linux
-@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
- security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
- security.provider.9=sun.security.smartcardio.SunPCSC
-
-+#
-+# Security providers used when FIPS mode support is active
-+#
-+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
-+fips.provider.2=sun.security.provider.Sun
-+fips.provider.3=sun.security.ec.SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
- #
- # Sun Provider SecureRandom seed source.
- #
-@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
- #
- keystore.type=jks
-
-+#
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
- #
- # Controls compatibility mode for the JKS keystore type.
- #
-@@ -287,6 +300,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index 35fa140d7a5..d4da666af3b 100644
---- a/jdk/src/share/lib/security/java.security-macosx
-+++ b/jdk/src/share/lib/security/java.security-macosx
-@@ -290,6 +290,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index f79ba37ddb9..300132384a1 100644
---- a/jdk/src/share/lib/security/java.security-solaris
-+++ b/jdk/src/share/lib/security/java.security-solaris
-@@ -288,6 +288,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index d70503ce95f..64db5a5cd1e 100644
---- a/jdk/src/share/lib/security/java.security-windows
-+++ b/jdk/src/share/lib/security/java.security-windows
-@@ -290,6 +290,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
-new file mode 100644
-index 00000000000..8dcb7d9073f
---- /dev/null
-+++ b/jdk/src/solaris/native/java/security/systemconf.c
-@@ -0,0 +1,224 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include "jvm_md.h"
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#else
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+ }
-+}
diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch
new file mode 100644
index 0000000..2379d45
--- /dev/null
+++ b/SOURCES/fips-8u-8e8bbf0ff74.patch
@@ -0,0 +1,2007 @@
+diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
+index 151e5a109f8..a8761b500e0 100644
+--- a/common/autoconf/configure.ac
++++ b/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
+index e77ce854dc5..ec6e9b27ca5 100644
+--- a/common/autoconf/generated-configure.sh
++++ b/common/autoconf/generated-configure.sh
+@@ -651,6 +651,9 @@ LLVM_CONFIG
+ LIBFFI_LIBS
+ LIBFFI_CFLAGS
+ STATIC_CXX_SETTING
++USE_SYSCONF_NSS
++NSS_LIBS
++NSS_CFLAGS
+ LIBDL
+ LIBM
+ LIBZIP_CAN_USE_MMAP
+@@ -1111,6 +1114,7 @@ with_fontconfig
+ with_fontconfig_include
+ with_giflib
+ with_zlib
++enable_sysconf_nss
+ with_stdc__lib
+ with_msvcr_dll
+ with_msvcp_dll
+@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
+ FREETYPE_LIBS
+ ALSA_CFLAGS
+ ALSA_LIBS
++NSS_CFLAGS
++NSS_LIBS
+ LIBFFI_CFLAGS
+ LIBFFI_LIBS
+ CCACHE'
+@@ -1871,6 +1877,8 @@ Optional Features:
+ disable bundling of the freetype library with the
+ build result [enabled on Windows or when using
+ --with-freetype, disabled otherwise]
++ --enable-sysconf-nss build the System Configurator (libsysconf) using the
++ system NSS library if available [disabled]
+ --enable-sjavac use sjavac to do fast incremental compiles
+ [disabled]
+ --disable-precompiled-headers
+@@ -2115,6 +2123,8 @@ Some influential environment variables:
+ linker flags for FREETYPE, overriding pkg-config
+ ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
+ ALSA_LIBS linker flags for ALSA, overriding pkg-config
++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
++ NSS_LIBS linker flags for NSS, overriding pkg-config
+ LIBFFI_CFLAGS
+ C compiler flags for LIBFFI, overriding pkg-config
+ LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
+@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+ } # ac_fn_c_check_header_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext conftest$ac_exeext
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ test -x conftest$ac_exeext
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++ # interfere with the next link command; also delete a directory that is
++ # left behind by Apple's compiler. We do this before executing the actions.
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+@@ -4049,6 +4105,11 @@ fi
+
+
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++
++
+ #
+ # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+@@ -49290,6 +49351,157 @@ fi
+ LIBS="$save_LIBS"
+
+
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ # Check whether --enable-sysconf-nss was given.
++if test "${enable_sysconf_nss+set}" = set; then :
++ enableval=$enable_sysconf_nss;
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++
++else
++
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++
++fi
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
++$as_echo "$sysconf_nss" >&6; }
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
++$as_echo_n "checking for NSS... " >&6; }
++
++if test -n "$NSS_CFLAGS"; then
++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++if test -n "$NSS_LIBS"; then
++ pkg_cv_NSS_LIBS="$NSS_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++ _pkg_short_errors_supported=yes
++else
++ _pkg_short_errors_supported=no
++fi
++ if test $_pkg_short_errors_supported = yes; then
++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
++ else
++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
++ fi
++ # Put the nasty error message in config.log where it belongs
++ echo "$NSS_PKG_ERRORS" >&5
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ NSS_FOUND=no
++elif test $pkg_failed = untried; then
++ NSS_FOUND=no
++else
++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
++ NSS_LIBS=$pkg_cv_NSS_LIBS
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++ NSS_FOUND=yes
++fi
++ if test "x${NSS_FOUND}" = "xyes"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
++$as_echo_n "checking for system FIPS support in NSS... " >&6; }
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include
++int
++main ()
++{
++SECMOD_GetSystemFIPSEnabled()
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
++fi
++rm -f core conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++ ac_ext=cpp
++ac_cpp='$CXXCPP $CPPFLAGS'
++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
++
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
++ fi
++ fi
++
++
++
+ ###############################################################################
+ #
+ # statically link libstdc++ before C++ ABI is stablized on Linux unless
+diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
+index 6efae578ea9..0080846255b 100644
+--- a/common/autoconf/libraries.m4
++++ b/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
+index 506cf617087..7241593b1a4 100644
+--- a/common/autoconf/spec.gmk.in
++++ b/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
+index 3b79a526f56..d2a0e39b206 100644
+--- a/common/bin/compare_exceptions.sh.incl
++++ b/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
+index d2beed0b93a..3b6aef98d9a 100644
+--- a/common/nb_native/nbproject/configurations.xml
++++ b/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ jvmtiEnterTrace.cpp
+
+
++
++ systemconf.c
++
+
+
+
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+
++ -
++
+ - Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -62,6 +72,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -78,6 +101,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -93,6 +117,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -187,6 +212,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..a24a0445db2
+--- /dev/null
++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction
() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws IOException {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..5c30a8b29c7
+--- /dev/null
++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index f065a2c685d..0dafe6f59cf 100644
+--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -63,6 +64,7 @@ public class SharedSecrets {
+ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
+ private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -248,4 +250,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..14d19450390
+--- /dev/null
++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = P11ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+index fedcd7743ef..f9d70863bd1 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 2e42d1d9fb0..1b7eed1c656 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -145,18 +146,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..98119479823 100644
+--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import sun.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+index cd0e9e98df9..fba760187c0 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import sun.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+index 2845dc37938..52337a7b6cf 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ import java.security.*;
+
++import sun.misc.SharedSecrets;
++
+ /**
+ * The JSSE provider.
+ *
+@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context");
+ put("SSLContext.TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context");
+- put("SSLContext.TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context");
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ put("SSLContext.TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context");
++ }
+ put("SSLContext.TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext");
+ if (isfips == false) {
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index d3d64b3facd..bfe0c593adb 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -287,6 +287,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index db610d4bfbb..9d1c8fe8a8e 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
++fips.provider.2=sun.security.provider.Sun
++fips.provider.3=sun.security.ec.SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # Sun Provider SecureRandom seed source.
+ #
+@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=jks
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for the JKS keystore type.
+ #
+@@ -287,6 +300,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index a919ba3d5cd..19047c61097 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index 86265ba5fb6..7eda556ae13 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -288,6 +288,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index 9b4bda23cbe..dfa1a669aa9 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
diff --git a/SOURCES/jdk8294357-tzdata2022d.patch b/SOURCES/jdk8294357-tzdata2022d.patch
deleted file mode 100644
index 7356928..0000000
--- a/SOURCES/jdk8294357-tzdata2022d.patch
+++ /dev/null
@@ -1,506 +0,0 @@
-commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055
-Author: Andrew John Hughes
-Date: Fri Oct 14 22:55:39 2022 +0100
-
- Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b
-
-diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
-index decb8716b22..889d0e6dad7 100644
---- a/jdk/make/data/tzdata/VERSION
-+++ b/jdk/make/data/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022c
-+tzdata2022d
-diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
-index 6cb6d2c57cf..1dc7d34f88e 100644
---- a/jdk/make/data/tzdata/asia
-+++ b/jdk/make/data/tzdata/asia
-@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # The winter time in 2015 started on October 23 at 01:00.
- # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
- # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
--#
--# From Paul Eggert (2019-04-10):
--# For now, guess spring-ahead transitions are at 00:00 on the Saturday
--# preceding March's last Sunday (i.e., Sat>=24).
-
- # From P Chan (2021-10-18):
- # http://wafa.ps/Pages/Details/34701
-@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # From Heba Hamad (2022-03-10):
- # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
-
-+# From Heba Hamad (2022-08-30):
-+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
-+# 60 minutes backwards. Also the state of Palestine adopted the summer
-+# and winter time for the years: 2023,2024,2025,2026 ...
-+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
-+# (2022-08-31): ... the Saturday before the last Sunday in March and October
-+# at 2:00 AM ,for the years from 2023 to 2026.
-+# (2022-09-05): https://mtit.pna.ps/Site/New/1453
-+#
-+# From Paul Eggert (2022-08-31):
-+# For now, assume that this rule will also be used after 2026.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
- Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
-@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
- Rule Palestine 2014 only - Oct 24 0:00 0 -
- Rule Palestine 2015 only - Mar 28 0:00 1:00 S
- Rule Palestine 2015 only - Oct 23 1:00 0 -
--Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
--Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
-+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
-+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
- Rule Palestine 2019 only - Mar 29 0:00 1:00 S
--Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
--Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
-+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
-+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
- Rule Palestine 2020 only - Oct 24 1:00 0 -
--Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
--Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
-+Rule Palestine 2021 only - Oct 29 1:00 0 -
-+Rule Palestine 2022 only - Mar 27 0:00 1:00 S
-+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
-+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
-diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward
-index d4a29e8cf29..7765d99aedf 100644
---- a/jdk/make/data/tzdata/backward
-+++ b/jdk/make/data/tzdata/backward
-@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
- Link Europe/London Europe/Belfast
- Link Europe/Kyiv Europe/Kiev
- Link Europe/Chisinau Europe/Tiraspol
-+Link Europe/Kyiv Europe/Uzhgorod
-+Link Europe/Kyiv Europe/Zaporozhye
- Link Europe/London GB
- Link Europe/London GB-Eire
- Link Etc/GMT GMT+0
-diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
-index f7eb7a387aa..9e0a538f86d 100644
---- a/jdk/make/data/tzdata/europe
-+++ b/jdk/make/data/tzdata/europe
-@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
- # From Alexander Krivenyshev (2014-03-17):
- # time change at 2:00 (2am) on March 30, 2014
- # https://vz.ru/news/2014/3/17/677464.html
--# From Paul Eggert (2014-03-30):
--# Simferopol and Sevastopol reportedly changed their central town clocks
--# late the previous day, but this appears to have been ceremonial
--# and the discrepancies are small enough to not worry about.
-+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
-+# The clocks at the railway station in Simferopol were put forward from 22:00
-+# to 24:00 the previous day in a "symbolic ceremony"; however, per
-+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
-+# time switch at 2am" on Sunday.
-+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
-+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
-+# https://www.bbc.com/news/av/world-europe-26806583
- 2:00 EU EE%sT 2014 Mar 30 2:00
- 4:00 - MSK 2014 Oct 26 2:00s
- 3:00 - MSK
-@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # US colleague David Cochrane) are still trying to get more
- # information upon these local deviations from Kiev rules.
- #
--# From Paul Eggert (2022-02-08):
--# For now, assume that Ukraine's other three zones followed the same rules,
-+# From Paul Eggert (2022-08-27):
-+# For now, assume that Ukraine's zones all followed the same rules,
- # except that Crimea switched to Moscow time in 1994 as described elsewhere.
-
- # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
-@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
- # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
-
--# From Paul Eggert (2022-04-12):
--# As is usual in tzdb, Ukrainian zones use the most common English spellings.
--# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
--# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
--# "Kyiv" is now more common due to widespread reporting of the current conflict.
--# Conversely, tzdb continues to use the names Europe/Uzhgorod and
--# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
--# certainly wrong as a transliteration of the Czech "Praha".
--# English-language spelling of Ukrainian names is in flux, and
--# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
--# common in English; in the meantime, do not change these
--# English spellings as that means less disruption for our users.
--
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--# This represents most of Ukraine. See above for the spelling of "Kyiv".
- Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
- 2:00 - EET 1930 Jun 21
-@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:00 1:00 EEST 1991 Sep 29 3:00
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
--# Transcarpathia used CET 1990/1991.
--# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
--# "Uzhgorod" is more common in English.
--Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
-- 1:00 - CET 1940
-- 1:00 C-Eur CE%sT 1944 Oct
-- 1:00 1:00 CEST 1944 Oct 26
-- 1:00 - CET 1945 Jun 29
-- 3:00 Russia MSK/MSD 1990
-- 3:00 - MSK 1990 Jul 1 2:00
-- 1:00 - CET 1991 Mar 31 3:00
-- 2:00 - EET 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
--# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
--# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
--# "Zaporozh'ye" is more common in English. Use the common English
--# spelling, except omit the apostrophe as it is not allowed in
--# portable Posix file names.
--Zone Europe/Zaporozhye 2:20:40 - LMT 1880
-- 2:20 - +0220 1924 May 2
-- 2:00 - EET 1930 Jun 21
-- 3:00 - MSK 1941 Aug 25
-- 1:00 C-Eur CE%sT 1943 Oct 25
-- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
-- 2:00 E-Eur EE%sT 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
-
- # Vatican City
- # See Europe/Rome.
-diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica
-index 13ec081c7e0..3c0e0e2061c 100644
---- a/jdk/make/data/tzdata/southamerica
-+++ b/jdk/make/data/tzdata/southamerica
-@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
- # for America/Santiago will start on midnight of September 11th;
- # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
- # will keep UTC -3 "indefinitely"... This is because on September 4th
--# we will have a voting whether to approve a new Constitution....
--# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
-+# we will have a voting whether to approve a new Constitution.
-+#
-+# From Eduardo Romero Urra (2022-08-17):
-+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
-+#
-+# From Paul Eggert (2022-08-17):
-+# Although the presidential decree stops at fall 2026, assume that
-+# similar DST rules will continue thereafter.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
-diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab
-index 51b65fa273c..ee025196e50 100644
---- a/jdk/make/data/tzdata/zone.tab
-+++ b/jdk/make/data/tzdata/zone.tab
-@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
- TW +2503+12130 Asia/Taipei
- TZ -0648+03917 Africa/Dar_es_Salaam
- UA +5026+03031 Europe/Kyiv Ukraine (most areas)
--UA +4837+02218 Europe/Uzhgorod Transcarpathia
--UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
- UG +0019+03225 Africa/Kampala
- UM +2813-17722 Pacific/Midway Midway Islands
- UM +1917+16637 Pacific/Wake Wake Island
-diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
-index 43bddd5859a..4b84cda3067 100644
---- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
-+++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
-@@ -573,12 +573,8 @@ public final class ZoneInfoFile {
- // we can then pass in the dom = -1, dow > 0 into ZoneInfo
- //
- // hacking, assume the >=24 is the result of ZRB optimization for
-- // "last", it works for now. From tzdata2020d this hacking
-- // will not work for Asia/Gaza and Asia/Hebron which follow
-- // Palestine DST rules.
-- if (dom < 0 || dom >= 24 &&
-- !(zoneId.equals("Asia/Gaza") ||
-- zoneId.equals("Asia/Hebron"))) {
-+ // "last", it works for now.
-+ if (dom < 0 || dom >= 24) {
- params[1] = -1;
- params[2] = toCalendarDOW[dow];
- } else {
-@@ -600,7 +596,6 @@ public final class ZoneInfoFile {
- params[7] = 0;
- } else {
- // hacking: see comment above
-- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
- if (dom < 0 || dom >= 24) {
- params[6] = -1;
- params[7] = toCalendarDOW[dow];
-diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-index c32bee39fba..71470168456 100644
---- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-+++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-@@ -1 +1 @@
--tzdata2022c
-+tzdata2022d
-diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
-index a5e6428a3f5..e3ce742f887 100644
---- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
-+++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
-@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
- Link Europe/London Europe/Belfast
- Link Europe/Kyiv Europe/Kiev
- Link Europe/Chisinau Europe/Tiraspol
-+Link Europe/Kyiv Europe/Uzhgorod
-+Link Europe/Kyiv Europe/Zaporozhye
- Link Europe/London GB
- Link Europe/London GB-Eire
- Link Etc/GMT GMT+0
-diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-index fc148537f1f..b3823958ae4 100644
---- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-+++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-@@ -163,11 +163,9 @@ Europe/Simferopol MSK
- Europe/Sofia EET EEST
- Europe/Tallinn EET EEST
- Europe/Tirane CET CEST
--Europe/Uzhgorod EET EEST
- Europe/Vienna CET CEST
- Europe/Vilnius EET EEST
- Europe/Warsaw CET CEST
--Europe/Zaporozhye EET EEST
- Europe/Zurich CET CEST
- HST HST
- MET MET MEST
-diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
-index 3aad69f8118..c682531d4bd 100644
---- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
-+++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
-@@ -173,10 +173,19 @@ public class TestZoneInfo310 {
- * Temporary ignoring the failing TimeZones which are having zone
- * rules defined till year 2037 and/or above and have negative DST
- * save time in IANA tzdata. This bug is tracked via JDK-8223388.
-+ *
-+ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
-+ * to be the last year. Thus javazic's rule is based on year 2037
-+ * (Mar 20th/Sep 20th are the cutover dates), while the real rule
-+ * has year 2087 where Mar 21st/Sep 21st are the cutover dates.
- */
-- if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun")
-- || zid.equals("Asia/Tehran") || zid.equals("Iran")) {
-- continue;
-+ if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule
-+ zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule
-+ zid.equals("Asia/Tehran") || // last rule mismatch
-+ zid.equals("Asia/Gaza") || // uses "Palestine" rule
-+ zid.equals("Asia/Hebron") || // uses "Palestine" rule
-+ zid.equals("Iran")) { // last rule mismatch
-+ continue;
- }
- if (! zi.equalsTo(ziOLD)) {
- System.out.println(zi.diffsTo(ziOLD));
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-index decb8716b22..889d0e6dad7 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022c
-+tzdata2022d
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
-index 6cb6d2c57cf..1dc7d34f88e 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/asia
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
-@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # The winter time in 2015 started on October 23 at 01:00.
- # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
- # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
--#
--# From Paul Eggert (2019-04-10):
--# For now, guess spring-ahead transitions are at 00:00 on the Saturday
--# preceding March's last Sunday (i.e., Sat>=24).
-
- # From P Chan (2021-10-18):
- # http://wafa.ps/Pages/Details/34701
-@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # From Heba Hamad (2022-03-10):
- # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
-
-+# From Heba Hamad (2022-08-30):
-+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
-+# 60 minutes backwards. Also the state of Palestine adopted the summer
-+# and winter time for the years: 2023,2024,2025,2026 ...
-+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
-+# (2022-08-31): ... the Saturday before the last Sunday in March and October
-+# at 2:00 AM ,for the years from 2023 to 2026.
-+# (2022-09-05): https://mtit.pna.ps/Site/New/1453
-+#
-+# From Paul Eggert (2022-08-31):
-+# For now, assume that this rule will also be used after 2026.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
- Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
-@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
- Rule Palestine 2014 only - Oct 24 0:00 0 -
- Rule Palestine 2015 only - Mar 28 0:00 1:00 S
- Rule Palestine 2015 only - Oct 23 1:00 0 -
--Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
--Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
-+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
-+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
- Rule Palestine 2019 only - Mar 29 0:00 1:00 S
--Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
--Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
-+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
-+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
- Rule Palestine 2020 only - Oct 24 1:00 0 -
--Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
--Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
-+Rule Palestine 2021 only - Oct 29 1:00 0 -
-+Rule Palestine 2022 only - Mar 27 0:00 1:00 S
-+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
-+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward
-index d4a29e8cf29..7765d99aedf 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/backward
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/backward
-@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
- Link Europe/London Europe/Belfast
- Link Europe/Kyiv Europe/Kiev
- Link Europe/Chisinau Europe/Tiraspol
-+Link Europe/Kyiv Europe/Uzhgorod
-+Link Europe/Kyiv Europe/Zaporozhye
- Link Europe/London GB
- Link Europe/London GB-Eire
- Link Etc/GMT GMT+0
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
-index f7eb7a387aa..9e0a538f86d 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/europe
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
-@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
- # From Alexander Krivenyshev (2014-03-17):
- # time change at 2:00 (2am) on March 30, 2014
- # https://vz.ru/news/2014/3/17/677464.html
--# From Paul Eggert (2014-03-30):
--# Simferopol and Sevastopol reportedly changed their central town clocks
--# late the previous day, but this appears to have been ceremonial
--# and the discrepancies are small enough to not worry about.
-+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
-+# The clocks at the railway station in Simferopol were put forward from 22:00
-+# to 24:00 the previous day in a "symbolic ceremony"; however, per
-+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
-+# time switch at 2am" on Sunday.
-+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
-+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
-+# https://www.bbc.com/news/av/world-europe-26806583
- 2:00 EU EE%sT 2014 Mar 30 2:00
- 4:00 - MSK 2014 Oct 26 2:00s
- 3:00 - MSK
-@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # US colleague David Cochrane) are still trying to get more
- # information upon these local deviations from Kiev rules.
- #
--# From Paul Eggert (2022-02-08):
--# For now, assume that Ukraine's other three zones followed the same rules,
-+# From Paul Eggert (2022-08-27):
-+# For now, assume that Ukraine's zones all followed the same rules,
- # except that Crimea switched to Moscow time in 1994 as described elsewhere.
-
- # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
-@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
- # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
-
--# From Paul Eggert (2022-04-12):
--# As is usual in tzdb, Ukrainian zones use the most common English spellings.
--# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
--# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
--# "Kyiv" is now more common due to widespread reporting of the current conflict.
--# Conversely, tzdb continues to use the names Europe/Uzhgorod and
--# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
--# certainly wrong as a transliteration of the Czech "Praha".
--# English-language spelling of Ukrainian names is in flux, and
--# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
--# common in English; in the meantime, do not change these
--# English spellings as that means less disruption for our users.
--
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--# This represents most of Ukraine. See above for the spelling of "Kyiv".
- Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
- 2:00 - EET 1930 Jun 21
-@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:00 1:00 EEST 1991 Sep 29 3:00
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
--# Transcarpathia used CET 1990/1991.
--# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
--# "Uzhgorod" is more common in English.
--Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
-- 1:00 - CET 1940
-- 1:00 C-Eur CE%sT 1944 Oct
-- 1:00 1:00 CEST 1944 Oct 26
-- 1:00 - CET 1945 Jun 29
-- 3:00 Russia MSK/MSD 1990
-- 3:00 - MSK 1990 Jul 1 2:00
-- 1:00 - CET 1991 Mar 31 3:00
-- 2:00 - EET 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
--# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
--# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
--# "Zaporozh'ye" is more common in English. Use the common English
--# spelling, except omit the apostrophe as it is not allowed in
--# portable Posix file names.
--Zone Europe/Zaporozhye 2:20:40 - LMT 1880
-- 2:20 - +0220 1924 May 2
-- 2:00 - EET 1930 Jun 21
-- 3:00 - MSK 1941 Aug 25
-- 1:00 C-Eur CE%sT 1943 Oct 25
-- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
-- 2:00 E-Eur EE%sT 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
-
- # Vatican City
- # See Europe/Rome.
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
-index 13ec081c7e0..3c0e0e2061c 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
-@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
- # for America/Santiago will start on midnight of September 11th;
- # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
- # will keep UTC -3 "indefinitely"... This is because on September 4th
--# we will have a voting whether to approve a new Constitution....
--# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
-+# we will have a voting whether to approve a new Constitution.
-+#
-+# From Eduardo Romero Urra (2022-08-17):
-+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
-+#
-+# From Paul Eggert (2022-08-17):
-+# Although the presidential decree stops at fall 2026, assume that
-+# similar DST rules will continue thereafter.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
-index 51b65fa273c..ee025196e50 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
-@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
- TW +2503+12130 Asia/Taipei
- TZ -0648+03917 Africa/Dar_es_Salaam
- UA +5026+03031 Europe/Kyiv Ukraine (most areas)
--UA +4837+02218 Europe/Uzhgorod Transcarpathia
--UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
- UG +0019+03225 Africa/Kampala
- UM +2813-17722 Pacific/Midway Midway Islands
- UM +1917+16637 Pacific/Wake Wake Island
diff --git a/SOURCES/jdk8295173-tzdata2022e.patch b/SOURCES/jdk8295173-tzdata2022e.patch
deleted file mode 100644
index a7d23ef..0000000
--- a/SOURCES/jdk8295173-tzdata2022e.patch
+++ /dev/null
@@ -1,813 +0,0 @@
-commit 44ea8322b2f62e3d8139a78923e3bf017e535989
-Author: Andrew John Hughes
-Date: Sun Oct 16 03:02:37 2022 +0100
-
- Backport 21407dec0156301871a83328615e4d975c4287c4
-
-diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
-index 889d0e6dad7..b8cb36e69f4 100644
---- a/jdk/make/data/tzdata/VERSION
-+++ b/jdk/make/data/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022d
-+tzdata2022e
-diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
-index 1dc7d34f88e..f1771e42a71 100644
---- a/jdk/make/data/tzdata/asia
-+++ b/jdk/make/data/tzdata/asia
-@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
- # From the Arabic version, it seems to say it would be at midnight
- # (assume 24:00) on the last Thursday in February, starting from 2022.
-
-+# From Issam Al-Zuwairi (2022-10-05):
-+# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
-+# that daylight saving time (DST) will be throughout the year....
-+#
-+# From Brian Inglis (2022-10-06):
-+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Jordan 1973 only - Jun 6 0:00 1:00 S
- Rule Jordan 1973 1975 - Oct 1 0:00 0 -
-@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
- Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
- Rule Jordan 2013 only - Dec 20 0:00 0 -
- Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
--Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
--Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
-+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
-+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Amman 2:23:44 - LMT 1931
-- 2:00 Jordan EE%sT
-+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
-+ 3:00 - +03
-
-
- # Kazakhstan
-@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
- # Our brief summary:
- # https://www.timeanddate.com/news/time/syria-dst-2012.html
-
--# From Arthur David Olson (2012-03-27):
--# Assume last Friday in March going forward XXX.
-+# From Steffen Thorsen (2022-10-05):
-+# Syria is adopting year-round DST, starting this autumn....
-+# From https://www.enabbaladi.net/archives/607812
-+# "This [the decision] came after the weekly government meeting today,
-+# Tuesday 4 October ..."
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-
- Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
- Rule Syria 2008 only - Nov 1 0:00 0 -
- Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
- Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
--Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
--Rule Syria 2009 max - Oct lastFri 0:00 0 -
-+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
-+Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
-- 2:00 Syria EE%sT
-+ 2:00 Syria EE%sT 2022 Oct 28 0:00
-+ 3:00 - +03
-
- # Tajikistan
- # From Shanks & Pottenger.
-diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
-index 9e0a538f86d..930cede4cf4 100644
---- a/jdk/make/data/tzdata/europe
-+++ b/jdk/make/data/tzdata/europe
-@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
- 0:00 Spain WE%sT 1940 Mar 16 23:00
- 1:00 Spain CE%sT 1979
- 1:00 EU CE%sT
--Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
-+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
- 0:00 - WET 1918 May 6 23:00
- 0:00 1:00 WEST 1918 Oct 7 23:00
- 0:00 - WET 1924
-diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica
-index 114cef14cce..ce4ee74582c 100644
---- a/jdk/make/data/tzdata/northamerica
-+++ b/jdk/make/data/tzdata/northamerica
-@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
- Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
- Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
-+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Chicago C%sT 1936 Mar 1 2:00
- -5:00 - EST 1936 Nov 15 2:00
-@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
- -6:00 Chicago C%sT 1967
- -6:00 US C%sT
- # Oliver County, ND switched from mountain to central time on 1992-10-25.
--Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
-+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1992 Oct 25 2:00
- -6:00 US C%sT
- # Morton County, ND, switched from mountain to central time on
-@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
- # Jones, Mellette, and Todd Counties in South Dakota;
- # but in practice these other counties were already observing central time.
- # See .
--Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
-+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2003 Oct 26 2:00
- -6:00 US C%sT
-
-@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
- # largest city in Mercer County). Google Maps places Beulah's city hall
- # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
-
--Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
-+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2010 Nov 7 2:00
- -6:00 US C%sT
-
-@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
- Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
- Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
-+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1920
- -7:00 Denver M%sT 1942
- -7:00 US M%sT 1946
-@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
- Rule CA 1950 1961 - Sep lastSun 2:00 0 S
- Rule CA 1962 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
-+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1946
- -8:00 CA P%sT 1967
- -8:00 US P%sT
-@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
- # Go with the Arizona State Library instead.
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
-+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1944 Jan 1 0:01
- -7:00 - MST 1944 Apr 1 0:01
- -7:00 US M%sT 1944 Oct 1 0:01
-@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
- # switched four weeks late in 1974.
- #
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
-+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1923 May 13 2:00
- -7:00 US M%sT 1974
- -7:00 - MST 1974 Feb 3 2:00
-@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
- Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
- Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
-+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Indianapolis C%sT 1942
- -6:00 US C%sT 1946
-@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
- Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
- Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
-+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1951
- -6:00 Marengo C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
- Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
- Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
-+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Vincennes C%sT 1964 Apr 26 2:00
- -5:00 - EST 1969
-@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
- Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
- Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
-+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Perry C%sT 1964 Apr 26 2:00
- -5:00 - EST 1967 Oct 29 2:00
-@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
- Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
- Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
-+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1955
- -6:00 Pike C%sT 1965 Apr 25 2:00
- -5:00 - EST 1966 Oct 30 2:00
-@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
- Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
- Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
-+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1947
- -6:00 Starke C%sT 1962 Apr 29 2:00
- -5:00 - EST 1963 Oct 27 2:00
-@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
- Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
- Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
-+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Pulaski C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
- #
- # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
-+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1954 Apr 25 2:00
- -5:00 - EST 1969
- -5:00 US E%sT 1973
-@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
- Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
- Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
-+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1921
- -6:00 Louisville C%sT 1942
- -6:00 US C%sT 1946
-@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
- # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
- # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
- #
--Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
-+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 - CST 1968
- -6:00 US C%sT 2000 Oct 29 2:00
-@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
- # longitude they are located at.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
-+Rule Mexico 1931 only - May 1 23:00 1:00 D
-+Rule Mexico 1931 only - Oct 1 0:00 0 S
- Rule Mexico 1939 only - Feb 5 0:00 1:00 D
- Rule Mexico 1939 only - Jun 25 0:00 0 S
- Rule Mexico 1940 only - Dec 9 0:00 1:00 D
-@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
- Rule Mexico 2002 max - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- # Quintana Roo; represented by Cancún
--Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
-+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 Mexico E%sT 1998 Aug 2 2:00
- -6:00 Mexico C%sT 2015 Feb 1 2:00
- -5:00 - EST
- # Campeche, Yucatán; represented by Mérida
--Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
-+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 - EST 1982 Dec 2
- -6:00 Mexico C%sT
-@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
- # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
- # 2016-03-12
- # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
--Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
-+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT 2010
- -6:00 US C%sT
- # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
--Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
-+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT
- # Central Mexico
--Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
-+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 Mexico C%sT 2001 Sep 30 2:00
- -6:00 - CST 2002 Feb 20
- -6:00 Mexico C%sT
-@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
- # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
- # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
- # (See the 2016-03-12 El Universal source mentioned above.)
--Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
-+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT 2010
- -7:00 US M%sT
- # Chihuahua (away from US border)
--Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
-+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT
- # Sonora
--Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
-+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
- # Use "Bahia_Banderas" to keep the name to fourteen characters.
-
- # Mazatlán
--Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
-+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
- -7:00 Mexico M%sT
-
- # Bahía de Banderas
--Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
-+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
- -6:00 Mexico C%sT
-
- # Baja California
--Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
-+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1924
- -8:00 - PST 1927 Jun 10 23:00
- -7:00 - MST 1930 Nov 15
-diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-index 71470168456..0cad939008f 100644
---- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-+++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
-@@ -1 +1 @@
--tzdata2022d
-+tzdata2022e
-diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-index b3823958ae4..2f2786f1c69 100644
---- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-+++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
-@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
- America/Yakutat AKST AKDT
- America/Yellowknife MST MDT
- Antarctica/Macquarie AEST AEDT
--Asia/Amman EET EEST
- Asia/Beirut EET EEST
--Asia/Damascus EET EEST
- Asia/Famagusta EET EEST
- Asia/Gaza EET EEST
- Asia/Hebron EET EEST
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-index 889d0e6dad7..b8cb36e69f4 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022d
-+tzdata2022e
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
-index 1dc7d34f88e..f1771e42a71 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/asia
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
-@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
- # From the Arabic version, it seems to say it would be at midnight
- # (assume 24:00) on the last Thursday in February, starting from 2022.
-
-+# From Issam Al-Zuwairi (2022-10-05):
-+# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
-+# that daylight saving time (DST) will be throughout the year....
-+#
-+# From Brian Inglis (2022-10-06):
-+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Jordan 1973 only - Jun 6 0:00 1:00 S
- Rule Jordan 1973 1975 - Oct 1 0:00 0 -
-@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
- Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
- Rule Jordan 2013 only - Dec 20 0:00 0 -
- Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
--Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
--Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
-+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
-+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Amman 2:23:44 - LMT 1931
-- 2:00 Jordan EE%sT
-+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
-+ 3:00 - +03
-
-
- # Kazakhstan
-@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
- # Our brief summary:
- # https://www.timeanddate.com/news/time/syria-dst-2012.html
-
--# From Arthur David Olson (2012-03-27):
--# Assume last Friday in March going forward XXX.
-+# From Steffen Thorsen (2022-10-05):
-+# Syria is adopting year-round DST, starting this autumn....
-+# From https://www.enabbaladi.net/archives/607812
-+# "This [the decision] came after the weekly government meeting today,
-+# Tuesday 4 October ..."
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-
- Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
- Rule Syria 2008 only - Nov 1 0:00 0 -
- Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
- Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
--Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
--Rule Syria 2009 max - Oct lastFri 0:00 0 -
-+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
-+Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
-- 2:00 Syria EE%sT
-+ 2:00 Syria EE%sT 2022 Oct 28 0:00
-+ 3:00 - +03
-
- # Tajikistan
- # From Shanks & Pottenger.
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
-index 9e0a538f86d..930cede4cf4 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/europe
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
-@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
- 0:00 Spain WE%sT 1940 Mar 16 23:00
- 1:00 Spain CE%sT 1979
- 1:00 EU CE%sT
--Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
-+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
- 0:00 - WET 1918 May 6 23:00
- 0:00 1:00 WEST 1918 Oct 7 23:00
- 0:00 - WET 1924
-diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
-index 114cef14cce..ce4ee74582c 100644
---- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica
-+++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
-@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
- Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
- Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
-+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Chicago C%sT 1936 Mar 1 2:00
- -5:00 - EST 1936 Nov 15 2:00
-@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
- -6:00 Chicago C%sT 1967
- -6:00 US C%sT
- # Oliver County, ND switched from mountain to central time on 1992-10-25.
--Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
-+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1992 Oct 25 2:00
- -6:00 US C%sT
- # Morton County, ND, switched from mountain to central time on
-@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
- # Jones, Mellette, and Todd Counties in South Dakota;
- # but in practice these other counties were already observing central time.
- # See .
--Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
-+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2003 Oct 26 2:00
- -6:00 US C%sT
-
-@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
- # largest city in Mercer County). Google Maps places Beulah's city hall
- # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
-
--Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
-+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2010 Nov 7 2:00
- -6:00 US C%sT
-
-@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
- Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
- Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
-+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1920
- -7:00 Denver M%sT 1942
- -7:00 US M%sT 1946
-@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
- Rule CA 1950 1961 - Sep lastSun 2:00 0 S
- Rule CA 1962 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
-+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1946
- -8:00 CA P%sT 1967
- -8:00 US P%sT
-@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
- # Go with the Arizona State Library instead.
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
-+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1944 Jan 1 0:01
- -7:00 - MST 1944 Apr 1 0:01
- -7:00 US M%sT 1944 Oct 1 0:01
-@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
- # switched four weeks late in 1974.
- #
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
-+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1923 May 13 2:00
- -7:00 US M%sT 1974
- -7:00 - MST 1974 Feb 3 2:00
-@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
- Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
- Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
-+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Indianapolis C%sT 1942
- -6:00 US C%sT 1946
-@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
- Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
- Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
-+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1951
- -6:00 Marengo C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
- Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
- Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
-+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Vincennes C%sT 1964 Apr 26 2:00
- -5:00 - EST 1969
-@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
- Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
- Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
-+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Perry C%sT 1964 Apr 26 2:00
- -5:00 - EST 1967 Oct 29 2:00
-@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
- Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
- Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
-+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1955
- -6:00 Pike C%sT 1965 Apr 25 2:00
- -5:00 - EST 1966 Oct 30 2:00
-@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
- Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
- Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
-+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1947
- -6:00 Starke C%sT 1962 Apr 29 2:00
- -5:00 - EST 1963 Oct 27 2:00
-@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
- Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
- Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
-+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Pulaski C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
- #
- # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
-+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1954 Apr 25 2:00
- -5:00 - EST 1969
- -5:00 US E%sT 1973
-@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
- Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
- Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
-+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1921
- -6:00 Louisville C%sT 1942
- -6:00 US C%sT 1946
-@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
- # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
- # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
- #
--Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
-+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 - CST 1968
- -6:00 US C%sT 2000 Oct 29 2:00
-@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
- # longitude they are located at.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
-+Rule Mexico 1931 only - May 1 23:00 1:00 D
-+Rule Mexico 1931 only - Oct 1 0:00 0 S
- Rule Mexico 1939 only - Feb 5 0:00 1:00 D
- Rule Mexico 1939 only - Jun 25 0:00 0 S
- Rule Mexico 1940 only - Dec 9 0:00 1:00 D
-@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
- Rule Mexico 2002 max - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- # Quintana Roo; represented by Cancún
--Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
-+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 Mexico E%sT 1998 Aug 2 2:00
- -6:00 Mexico C%sT 2015 Feb 1 2:00
- -5:00 - EST
- # Campeche, Yucatán; represented by Mérida
--Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
-+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 - EST 1982 Dec 2
- -6:00 Mexico C%sT
-@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
- # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
- # 2016-03-12
- # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
--Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
-+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT 2010
- -6:00 US C%sT
- # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
--Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
-+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT
- # Central Mexico
--Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
-+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 Mexico C%sT 2001 Sep 30 2:00
- -6:00 - CST 2002 Feb 20
- -6:00 Mexico C%sT
-@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
- # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
- # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
- # (See the 2016-03-12 El Universal source mentioned above.)
--Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
-+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT 2010
- -7:00 US M%sT
- # Chihuahua (away from US border)
--Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
-+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT
- # Sonora
--Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
-+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
- # Use "Bahia_Banderas" to keep the name to fourteen characters.
-
- # Mazatlán
--Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
-+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
- -7:00 Mexico M%sT
-
- # Bahía de Banderas
--Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
-+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
- -6:00 Mexico C%sT
-
- # Baja California
--Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
-+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1924
- -8:00 - PST 1927 Jun 10 23:00
- -7:00 - MST 1930 Nov 15
diff --git a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch b/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
deleted file mode 100644
index a42688d..0000000
--- a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1459487045 -3600
-# Fri Apr 01 06:04:05 2016 +0100
-# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
-# Parent 6b81fd2227d14226f2121f2d51b464536925686e
-PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
-PR3575: System cacerts database handling should not affect jssecacerts
-
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
-@@ -72,7 +72,7 @@
- * The preference of the default trusted KeyStore is:
- * javax.net.ssl.trustStore
- * jssecacerts
-- * cacerts
-+ * cacerts (system and local)
- */
- private static final class TrustStoreDescriptor {
- private static final String fileSep = File.separator;
-@@ -83,6 +83,10 @@
- defaultStorePath + fileSep + "cacerts";
- private static final String jsseDefaultStore =
- defaultStorePath + fileSep + "jssecacerts";
-+ /* Check system cacerts DB: /etc/pki/java/cacerts */
-+ private static final String systemStore =
-+ fileSep + "etc" + fileSep + "pki" +
-+ fileSep + "java" + fileSep + "cacerts";
-
- // the trust store name
- private final String storeName;
-@@ -146,7 +150,8 @@
- long temporaryTime = 0L;
- if (!"NONE".equals(storePropName)) {
- String[] fileNames =
-- new String[] {storePropName, defaultStore};
-+ new String[] {storePropName,
-+ systemStore, defaultStore};
- for (String fileName : fileNames) {
- File f = new File(fileName);
- if (f.isFile() && f.canRead()) {
-diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
-@@ -108,9 +108,14 @@
- throws Exception
- {
- String sep = File.separator;
-- File file = new File(System.getProperty("java.home") + sep
-- + "lib" + sep + "security" + sep
-- + "cacerts");
-+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
-+ File file = new File(sep + "etc" + sep + "pki" + sep
-+ + "java" + sep + "cacerts");
-+ if (!file.exists()) {
-+ file = new File(System.getProperty("java.home") + sep
-+ + "lib" + sep + "security" + sep
-+ + "cacerts");
-+ }
- if (!file.exists()) {
- return null;
- }
diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
new file mode 100644
index 0000000..1b88f2a
--- /dev/null
+++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch
@@ -0,0 +1,263 @@
+diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+index e7b4763db53..e8ec8467e6a 100644
+--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import sun.security.action.*;
++import sun.security.tools.KeyStoreUtil;
+ import sun.security.validator.TrustStoreUtil;
+
+ /**
+@@ -68,7 +69,7 @@ final class TrustStoreManager {
+ * The preference of the default trusted KeyStore is:
+ * javax.net.ssl.trustStore
+ * jssecacerts
+- * cacerts
++ * cacerts (system and local)
+ */
+ private static final class TrustStoreDescriptor {
+ private static final String fileSep = File.separator;
+@@ -76,7 +77,7 @@ final class TrustStoreManager {
+ GetPropertyAction.privilegedGetProperty("java.home") +
+ fileSep + "lib" + fileSep + "security";
+ private static final String defaultStore =
+- defaultStorePath + fileSep + "cacerts";
++ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
+ private static final String jsseDefaultStore =
+ defaultStorePath + fileSep + "jssecacerts";
+
+@@ -139,6 +140,10 @@ final class TrustStoreManager {
+ String storePropPassword = System.getProperty(
+ "javax.net.ssl.trustStorePassword", "");
+
++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
++ SSLLogger.fine("Default store: " + defaultStore);
++ }
++
+ String temporaryName = "";
+ File temporaryFile = null;
+ long temporaryTime = 0L;
+@@ -146,21 +151,22 @@ final class TrustStoreManager {
+ String[] fileNames =
+ new String[] {storePropName, defaultStore};
+ for (String fileName : fileNames) {
+- File f = new File(fileName);
+- if (f.isFile() && f.canRead()) {
+- temporaryName = fileName;;
+- temporaryFile = f;
+- temporaryTime = f.lastModified();
+-
+- break;
+- }
+-
+- // Not break, the file is inaccessible.
+- if (SSLLogger.isOn &&
++ if (fileName != null && !"".equals(fileName)) {
++ File f = new File(fileName);
++ if (f.isFile() && f.canRead()) {
++ temporaryName = fileName;;
++ temporaryFile = f;
++ temporaryTime = f.lastModified();
++
++ break;
++ }
++ // Not break, the file is inaccessible.
++ if (SSLLogger.isOn &&
+ SSLLogger.isOn("trustmanager")) {
+- SSLLogger.fine(
+- "Inaccessible trust store: " +
+- storePropName);
++ SSLLogger.fine(
++ "Inaccessible trust store: " +
++ fileName);
++ }
+ }
+ }
+ } else {
+diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+index fcc77786da1..f554f83a8b4 100644
+--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
+
+ import java.net.URL;
+
++import java.security.AccessController;
+ import java.security.KeyStore;
++import java.security.PrivilegedAction;
++import java.security.Security;
+
+ import java.security.cert.X509Certificate;
+ import java.text.Collator;
+@@ -54,6 +57,33 @@ public class KeyStoreUtil {
+
+ private static final String JKS = "jks";
+
++ private static final String PROP_NAME = "security.systemCACerts";
++
++ /**
++ * Returns the value of the security property propName, which can be overridden
++ * by a system property of the same name
++ *
++ * @param propName the name of the system or security property
++ * @return the value of the system or security property
++ */
++ @SuppressWarnings("removal")
++ public static String privilegedGetOverridable(String propName) {
++ if (System.getSecurityManager() == null) {
++ return getOverridableProperty(propName);
++ } else {
++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName));
++ }
++ }
++
++ private static String getOverridableProperty(String propName) {
++ String val = System.getProperty(propName);
++ if (val == null) {
++ return Security.getProperty(propName);
++ } else {
++ return val;
++ }
++ }
++
+ /**
+ * Returns true if the certificate is self-signed, false otherwise.
+ */
+@@ -96,20 +126,38 @@ public class KeyStoreUtil {
+ }
+ }
+
++ /**
++ * Returns the path to the cacerts DB
++ */
++ public static File getCacertsKeyStoreFile()
++ {
++ String sep = File.separator;
++ File file = null;
++ /* Check system cacerts DB first, preferring system property over security property */
++ String systemDB = privilegedGetOverridable(PROP_NAME);
++ if (systemDB != null && !"".equals(systemDB)) {
++ file = new File(systemDB);
++ }
++ if (file == null || !file.exists()) {
++ file = new File(System.getProperty("java.home") + sep
++ + "lib" + sep + "security" + sep
++ + "cacerts");
++ }
++ if (file.exists()) {
++ return file;
++ }
++ return null;
++ }
++
+ /**
+ * Returns the keystore with the configured CA certificates.
+ */
+ public static KeyStore getCacertsKeyStore()
+ throws Exception
+ {
+- String sep = File.separator;
+- File file = new File(System.getProperty("java.home") + sep
+- + "lib" + sep + "security" + sep
+- + "cacerts");
+- if (!file.exists()) {
+- return null;
+- }
+ KeyStore caks = null;
++ File file = getCacertsKeyStoreFile();
++ if (file == null) { return null; }
+ try (FileInputStream fis = new FileInputStream(file)) {
+ caks = KeyStore.getInstance(JKS);
+ caks.load(fis, null);
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index bfe0c593adb..093bc09bf95 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 9d1c8fe8a8e..16c9281cc1f 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index 19047c61097..43e034cdeaf 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index 7eda556ae13..325937e97fb 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index dfa1a669aa9..92ef777e065 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
+ #
+ security.useSystemPropertiesFile=false
+
++#
++# Specifies the system certificate store
++# This property may be disabled using
++# -Djava.security.disableSystemCACerts=true
++#
++security.systemCACerts=${java.home}/lib/security/cacerts
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 348ef3b..febb3c4 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -26,6 +26,8 @@
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
@@ -34,6 +36,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global jpeg_lib |libjavajpeg[.]so.*
+%else
+%global system_libs 0
+%global link_type bundled
+%global jpeg_lib |libjpeg[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -158,11 +170,15 @@
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%global bootstrap_targets images
%global release_targets images docs-zip
@@ -281,13 +297,17 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches
-%global fipsver 6d1aade0648
+%global fipsver 8e8bbf0ff74
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
+# Settings for local security configuration
+%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os}
+%global cacerts_file /etc/pki/java/cacerts
+
# Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc.
%global oj_vendor_url "https://www.redhat.com/"
@@ -311,7 +331,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u
-%global openjdk_revision jdk8u352-b08
+%global openjdk_revision jdk8u345-b01
%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
@@ -327,7 +347,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 2
+%global rpmrelease 5
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -371,7 +391,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
+%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*%{jpeg_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -813,6 +833,7 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
+%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
%dir %{_jvmdir}/%{jredir -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@@ -895,7 +916,11 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
+%if %{system_libs}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
+%else
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
+%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@@ -937,6 +962,7 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@@ -1210,17 +1236,19 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release}
Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
-# 2022d required as of JDK-8294357
-# Should be bumped to 2022e once available (JDK-8295173)
-Requires: tzdata-java >= 2022d
+# Require zoneinfo data provided by tzdata-java subpackage.
+# 2022a required as of JDK-8283350 in 8u342
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression
Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs
+%endif
# for printing support
Requires: cups-libs
# for system security properties
@@ -1389,15 +1417,13 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
-# Ensure translations are available for new timezones
-Source18: TestTranslations.java
-
Source20: repackReproduciblePolycies.sh
# New versions of config files with aarch64 support. This is not upstream yet.
Source100: config.guess
Source101: config.sub
+
############################################
#
# RPM/distribution specific patches
@@ -1455,7 +1481,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_
Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
-Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch
+# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
+# Must be applied after FIPS patch as it also changes java.security
+Patch539: pr2888-rh2055274-support_system_cacerts.patch
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
# JDK-8218811: replace open by os::open in hotspot coding
@@ -1514,17 +1542,13 @@ Patch581: jdk8257794-remove_broken_assert.patch
#############################################
#
-# Patches appearing in 8u362
+# Patches appearing in 8u282
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
-# JDK-8294357: (tz) Update Timezone Data to 2022d
-Patch2002: jdk8294357-tzdata2022d.patch
-# JDK-8295173: (tz) Update Timezone Data to 2022e
-Patch2003: jdk8295173-tzdata2022e.patch
#############################################
#
@@ -1570,12 +1594,8 @@ BuildRequires: desktop-file-utils
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXext-devel
@@ -1598,9 +1618,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022d required as of JDK-8294357
-# Should be bumped to 2022e once available (JDK-8295173)
-BuildRequires: tzdata-java >= 2022d
+# 2022a required as of JDK-8283350 in 8u342
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1608,6 +1627,24 @@ BuildRequires: gcc >= 4.8.3-8
BuildRequires: systemtap-sdt-devel
%endif
+%if %{system_libs}
+BuildRequires: giflib-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
+Provides: bundled(lcms2) = 2.10.0
+# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in jdk/src/share/native/sun/awt/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@@ -1860,14 +1897,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
# OpenJDK patches
+%if %{system_libs}
# Remove libraries that are linked
sh %{SOURCE12}
+%endif
# System library fixes
+%if %{system_libs}
%patch201
%patch202
%patch203
%patch204
+%endif
%patch5
@@ -1900,13 +1941,11 @@ pushd %{top_level_dir_name}
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
-# tzdata updates targetted for 8u362
-%patch2002 -p1
-%patch2003 -p1
+# cacerts patch; must follow FIPS patch as it also alters java.security
+%patch539 -p1
popd
# RPM-only fixes
-%patch539
%patch600
%patch1003
@@ -1970,7 +2009,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+# Setup security policy
+sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
+
%build
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2008,11 +2051,18 @@ function buildjdk() {
local buildjdk=${2}
local maketargets="${3}"
local debuglevel=${4}
+ local link_opt=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures
local top_builddir_abs_path=$(pwd)/${outputdir}
+ if [ "x${link_opt}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}"
@@ -2041,12 +2091,14 @@ function buildjdk() {
--with-debug-level=${debuglevel} \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
- --with-libjpeg=system \
- --with-giflib=system \
- --with-libpng=system \
- --with-lcms=system \
- --with-stdc++lib=dynamic \
+ --with-zlib=${link_opt} \
+ --with-giflib=${link_opt} \
+%if %{with system_libs}
+ --with-libjpeg=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+%endif
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \
@@ -2115,8 +2167,13 @@ function installjdk() {
${imagepath}/jre/lib/security/java.security
# Use system-wide tzdata
- rm ${imagepath}/jre/lib/tzdb.dat
- ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+ mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
# add alt-java man page
pushd ${imagepath}
@@ -2152,6 +2209,7 @@ builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
+link_opt="%{link_type}"
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
@@ -2165,13 +2223,13 @@ else
fi
if ${run_bootstrap} ; then
- buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir}
- buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
- buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
@@ -2212,14 +2270,11 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
-# Check translations are available for new timezones
-$JAVA_HOME/bin/javac -d . %{SOURCE18}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
-
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
do
@@ -2335,13 +2390,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien
done
%endif
- # Remove empty cacerts database
- rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts
- # Install cacerts symlink needed by some apps which hardcode the path
- pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security
- ln -sf /etc/pki/java/cacerts .
- popd
-
# Install versioned symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
@@ -2671,32 +2719,45 @@ cjc.mainProgram(args)
%endif
%changelog
-* Sun Oct 16 2022 Andrew Hughes - 1:1.8.0.352.b08-2
-- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
-- Add test to ensure timezones can be translated
-- Related: rhbz#2133695
-
-* Fri Oct 14 2022 Andrew Hughes - 1:1.8.0.352.b08-1
-- Update to shenandoah-jdk8u352-b08 (GA)
-- Update release notes for shenandoah-8u352-b08.
-- Rebase FIPS patch against 8u352-b07
-- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
-- Resolves: rhbz#2133695
-
-* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-1
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5
+- Allow the default keystore to be configured using security.systemCACerts
+- Use of the property can now be disabled using -Dsecurity.systemCACerts=
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Resolves: rhbz#2077006
+
+* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121273
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3
+- Disable copy-jdk-configs for Flatpak builds
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102727
+
+* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2
- Update to shenandoah-jdk8u345-b01 (GA)
- Update release notes for 8u345-b01.
-- Resolves: rhbz#2115463
+- Resolves: rhbz#2112405
+
+* Sun Jul 24 2022 Andrew Hughes - 1:1.8.0.342.b07-2
+- Update to shenandoah-jdk8u342-b07 (GA)
+- Update release notes for 8u342-b07.
+- Switch to GA mode for final release.
+- Resolves: rhbz#2106509
-* Mon Jul 18 2022 Andrew Hughes - 1:1.8.0.342.b07-1
-- Update to shenandoah-jdk8u342-b07
-- Update release notes for shenandoah-8u342-b07.
+* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.342.b06-0.1.ea
+- Update to shenandoah-jdk8u342-b06 (EA)
+- Update release notes for shenandoah-8u342-b06.
+- Switch to EA mode for 8u342 pre-release builds.
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Use "git apply" with patches in the tarball script to allow binary diffs
- Remove redundant "REPOS" variable from tarball script
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
+- Resolves: rhbz#2083322
+
+* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.332.b09-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
@@ -2706,19 +2767,29 @@ cjc.mainProgram(args)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- Explicitly require crypto-policies during build and runtime for system security properties
-- Resolves: rhbz#2099916
-- Resolves: rhbz#2107958
-- Resolves: rhbz#2084776
-- Resolves: rhbz#2106508
+- Resolves: rhbz#2099801
+- Resolves: rhbz#2100678
* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
-- Resolves: rhbz#2107956
+- Resolves: rhbz#2102435
* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1
- Update to shenandoah-jdk8u332-b09 (GA)
- Update release notes for 8u332-b09.
-- Resolves: rhbz#2074649
+- Switch to GA mode for final release.
+- Resolves: rhbz#2074650
+
+* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.1.ea
+- Update to shenandoah-jdk8u332-b06 (EA)
+- Update release notes for shenandoah-8u332-b06.
+- Resolves: rhbz#2050457
+
+* Sun Apr 17 2022 Andrew Hughes - 1:1.8.0.332.b01-0.1.ea
+- Update to shenandoah-jdk8u332-b01 (EA)
+- Update release notes for shenandoah-8u332-b01.
+- Switch to EA mode.
+- Related: rhbz#2050457
* Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-9
- Remove 'java --version' test as this is not supported on java-1.8.0-openjdk