diff --git a/.gitignore b/.gitignore
index f2440f6..57e6f50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+SOURCES/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 5e3b532..2ec0c41 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-a3658fc54f198072f4c61090b712bfe6ff222928 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+221ac8e48cf86a97fa03d6f628461a3a815d4cbb SOURCES/openjdk-jdk11u-jdk-11.0.16+8-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java
index e2101cf..29b296b 100644
--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see .
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor ");
+ if (args.length < 4) {
+ System.err.println("CheckVendor ");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index acb5afb..b365726 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,360 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.16 (2022-07-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11016
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+
+* Security fixes
+ - JDK-8277608: Address IP Addressing
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
+ - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
+ - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
+ - JDK-8133713: [macosx] Accessible JTables always reported as empty
+ - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8163498: Many long-running security libs tests
+ - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
+ - JDK-8169004: Fix redundant @requires tags in tests
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
+ - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
+ - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
+ - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
+ - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
+ - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
+ - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
+ - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
+ - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
+ - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
+ - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
+ - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
+ - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
+ - JDK-8209883: ZGC: Compile without C1 broken
+ - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
+ - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
+ - JDK-8210039: move OSInfo to top level testlibrary
+ - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
+ - JDK-8210112: remove jdk.testlibrary.ProcessTools
+ - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
+ - JDK-8210732: remove jdk.testlibrary.Utils
+ - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
+ - JDK-8211822: Some tests fail after JDK-8210039
+ - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
+ - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
+ - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
+ - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
+ - JDK-8214799: Add package declaration to each JTREG test case in the gc folder
+ - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
+ - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ - JDK-8216366: Add rationale to PER_CPU_SHARES define
+ - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
+ - JDK-8217233: Update build settings for AIX/xlc
+ - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
+ - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
+ - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
+ - JDK-8218751: Do not store original classfiles inside the CDS archive
+ - JDK-8218965: aix: support xlclang++ in the compiler detection
+ - JDK-8220658: Improve the readability of container information in the error log
+ - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
+ - JDK-8222799: java.beans.Introspector uses an obsolete methods cache
+ - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
+ - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
+ - JDK-8223363: Bad node estimate assertion failure
+ - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
+ - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
+ - JDK-8225475: Node budget asserts on x86_32/64
+ - JDK-8227171: provide function names in native stack trace on aix with xlc16
+ - JDK-8227389: Remove unsupported xlc16 compile options on aix
+ - JDK-8229202: Docker reporting causes secondary crashes in error handling
+ - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
+ - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
+ - JDK-8229499: Node budget assert in fuzzed test
+ - JDK-8230305: Cgroups v2: Container awareness
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+ - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
+ - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
+ - JDK-8231565: More node budget asserts in fuzzed tests
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
+ - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
+ - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
+ - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8237479: 8230305 causes slowdebug build failure
+ - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+ - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+ - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
+ - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+ - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8240734: ModuleHashes attribute not reproducible between builds
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+ - JDK-8241707: introduce randomness k/w to hotspot test suite
+ - JDK-8242310: use reproducible random in hotspot compiler tests
+ - JDK-8242311: use reproducible random in hotspot runtime tests
+ - JDK-8242312: use reproducible random in hotspot gc tests
+ - JDK-8242313: use reproducible random in hotspot svc tests
+ - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
+ - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
+ - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
+ - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+ - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
+ - JDK-8246494: introduce vm.flagless at-requires property
+ - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
+ - JDK-8247589: Implementation of Alpine Linux/x64 Port
+ - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
+ - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
+ - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
+ - JDK-8252248: __SIGRTMAX is not declared in musl libc
+ - JDK-8252250: isnanf is obsolete
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+ - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+ - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
+ - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+ - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+ - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
+ - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
+ - JDK-8255787: Tag container tests that use cGroups with cgroups keyword
+ - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+ - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
+ - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
+ - JDK-8259517: Incorrect test path in test cases
+ - JDK-8260518: Change default -mmacosx-version-min to 10.12
+ - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
+ - JDK-8262379: Add regression test for JDK-8257746
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263718: unused-result warning happens at os_linux.cpp
+ - JDK-8263856: Github Actions for macos/aarch64 cross-build
+ - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
+ - JDK-8265343: Update Debian-based cross-compilation recipes
+ - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
+ - JDK-8266318: Switch to macos prefix for macOS bundles
+ - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+ - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
+ - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273655: content-types.properties files are missing some common types
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
+ - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
+ - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
+ - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283614: [11] Repair compiler versions handling after 8233787
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
+ - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+ - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
}
diff --git a/SOURCES/fips-11u-9087e80d0ab.patch b/SOURCES/fips-11u-9087e80d0ab.patch
new file mode 100644
index 0000000..a396fb8
--- /dev/null
+++ b/SOURCES/fips-11u-9087e80d0ab.patch
@@ -0,0 +1,1610 @@
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a73c0f38181..80710886ed8 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT],
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0ae23b93167..a242acc1234 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+index a529768f39e..daf9c947172 100644
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
+index fb07d54c1f0..c5813e2b7aa 100644
+--- a/make/nb_native/nbproject/configurations.xml
++++ b/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ LinuxWatchService.c
+
+
++
++ systemconf.c
++
+
+
+
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+
++
++
+
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index b36510a376b..ad5182e1e7c 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ *
Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -83,6 +105,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -98,6 +121,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..90f6dd2ebc0
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -29301,6 +29304,11 @@
- tool="0"
- flavor2="0">
-
-+
-+
-
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -170,16 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index ac9bdb5..0000000
--- a/SOURCES/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 53f32d12cc..28ab184617 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 5565acb7c6..874c6221eb 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -149,6 +150,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -176,6 +187,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-index d8caa5640c..21bc6d0b59 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.misc;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import jdk.internal.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 0000000000..b848a1fd78
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 1eca1f8f0a..72674a7330 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..8d2081abaa 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,16 +151,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index a443dc8..0000000
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 5460efcf8c..f08dc2fafc 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -182,6 +182,7 @@ module java.base {
- java.security.jgss,
- java.sql,
- java.xml,
-+ jdk.crypto.cryptoki,
- jdk.jartool,
- jdk.attach,
- jdk.charsets,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 099caac605..ffadb43eb1 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
- import jdk.internal.misc.InnocuousThread;
-+import jdk.internal.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 9490624..0000000
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
-Author: Andrew Hughes
-Date: Tue Jan 18 02:00:55 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 2ec51d57806..8489b940c43 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-@@ -36,6 +36,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -368,6 +369,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index b8c8ba5..0000000
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
-Author: Fridrich Strba
-Date: Mon Jan 17 19:44:03 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..34d0ff0ce91 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index dd30384..0000000
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit e2be09f982af1cc05f5e6556d51900bca4757416
-Author: Andrew Hughes
-Date: Mon Feb 28 05:30:32 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 34d0ff0ce91..8dcb7d9073f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include
- #include
- #include
-+#include "jvm_md.h"
- #include
-
- #ifdef SYSCONF_NSS
- #include
-+#else
-+#include
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 4cf0434..e5a8d45 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -315,12 +315,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 16
%global patchver 0
-# If you bump featurever, you must bump also vendor_version_string
-# Used via new version scheme. JDK 11 was
-# GA'ed in September 2018 => 18.9
-%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -353,16 +349,19 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 10
+%global buildver 8
%global rpmrelease 1
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -379,12 +378,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Omit trailing 0 in filenames when the patch version is 0
-%if 0%{?patchver} > 0
-%global filever %{newjavaver}
-%else
-%global filever %{featurever}.%{interimver}.%{updatever}
-%endif
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@@ -1127,8 +1125,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1141,6 +1139,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1286,7 +1286,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1337,28 +1337,28 @@ Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
-# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Return in C code after having generated Java exception
+# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
-# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@@ -1378,10 +1378,6 @@ Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch8: jdk8275535-rh2053256-ldap_auth.patch
@@ -1394,8 +1390,6 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
-# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
-Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
@@ -1434,6 +1428,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1444,8 +1440,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1749,6 +1745,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1795,26 +1793,14 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
-%patch7 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
-%patch101
-
-%patch1000
%patch600
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
%patch8
@@ -1935,7 +1921,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -2013,6 +1999,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@@ -2023,6 +2013,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2123,13 +2117,18 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2589,6 +2588,37 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Sun Jul 17 2022 Andrew Hughes - 1:11.0.16.0.8-1
+- Update to jdk-11.0.16+8
+- Update release notes to 11.0.16+8
+- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
+- Drop JDK-8257794 patch now upstreamed
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2106516
+- Resolves: rhbz#2099915
+- Resolves: rhbz#2107868
+
+* Thu Jul 14 2022 Jiri Vanek - 1:11.0.16.0.8-1
+- Add additional patch during tarball generation to align tests with ECC changes
+- Related: rhbz#2106516
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:11.0.16.0.8-1
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2107866
+
* Sun Apr 24 2022 Andrew Hughes - 1:11.0.15.0.10-1
- Update to jdk-11.0.15.0+10
- Update release notes to 11.0.15.0+10