diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..659f4f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
+SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata
new file mode 100644
index 0000000..46765c0
--- /dev/null
+++ b/.java-17-openjdk.metadata
@@ -0,0 +1,2 @@
+47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
+c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
new file mode 100644
index 0000000..78938f4
--- /dev/null
+++ b/SOURCES/NEWS
@@ -0,0 +1,996 @@
+Key:
+
+JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+
+New in release OpenJDK 17.0.2 (2022-01-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1702
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
+
+* Security fixes
+ - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
+ - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
+ - JDK-8268488: More valuable DerValues
+ - JDK-8268494: Better inlining of inlined interfaces
+ - JDK-8268512: More content for ContentInfo
+ - JDK-8268813, CVE-2022-21283: Better String matching
+ - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
+ - JDK-8269944: Better HTTP transport redux
+ - JDK-8270386, CVE-2022-21291: Better verification of scan methods
+ - JDK-8270392, CVE-2022-21293: Improve String constructions
+ - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
+ - JDK-8270492, CVE-2022-21282: Better resolution of URIs
+ - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
+ - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
+ - JDK-8270952, CVE-2022-21277: Improve TIFF file handling
+ - JDK-8271962: Better TrueType font loading
+ - JDK-8271968: Better canonical naming
+ - JDK-8271987: Manifest improved manifest entries
+ - JDK-8272014, CVE-2022-21305: Better array indexing
+ - JDK-8272026, CVE-2022-21340: Verify Jar Verification
+ - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
+ - JDK-8272272: Enhance jcmd communication
+ - JDK-8272462: Enhance image handling
+ - JDK-8273290: Enhance sound handling
+ - JDK-8273756, CVE-2022-21360: Enhance BMP image support
+ - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
+ - JDK-8274096, CVE-2022-21366: Improve decoding of image files
+* Other changes
+ - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
+ - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
+ - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
+ - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
+ - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
+ - JDK-8214761: Bug in parallel Kahan summation implementation
+ - JDK-8223923: C2: Missing interference with mismatched unsafe accesses
+ - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
+ - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
+ - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
+ - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
+ - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
+ - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
+ - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
+ - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263375: Support stack watermarks in Zero VM
+ - JDK-8263773: Reenable German localization for builds at Oracle
+ - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
+ - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
+ - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
+ - JDK-8264292: Create implementation for NSAccessibilityList protocol peer
+ - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
+ - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
+ - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
+ - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
+ - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
+ - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
+ - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
+ - JDK-8266239: Some duplicated javac command-line options have repeated effect
+ - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
+ - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
+ - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
+ - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
+ - JDK-8267387: Create implementation for NSAccessibilityOutline protocol
+ - JDK-8267388: Create implementation for NSAccessibilityTable protocol
+ - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
+ - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
+ - JDK-8268361: Fix the infinite loop in next_line
+ - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
+ - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
+ - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
+ - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
+ - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
+ - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
+ - JDK-8268893: jcmd to trim the glibc heap
+ - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
+ - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
+ - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
+ - JDK-8269113: Javac throws when compiling switch (null)
+ - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
+ - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
+ - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
+ - JDK-8269481: SctpMultiChannel never releases own file descriptor
+ - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
+ - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
+ - JDK-8269687: pauth_aarch64.hpp include name is incorrect
+ - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
+ - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
+ - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
+ - JDK-8270110: Shenandoah: Add test for JDK-8269661
+ - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
+ - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
+ - JDK-8270290: NTLM authentication fails if HEAD request is used
+ - JDK-8270317: Large Allocation in CipherSuite
+ - JDK-8270320: JDK-8270110 committed invalid copyright headers
+ - JDK-8270517: Add Zero support for LoongArch
+ - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
+ - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
+ - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
+ - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
+ - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
+ - JDK-8271071: accessibility of a table on macOS lacks cell navigation
+ - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
+ - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
+ - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
+ - JDK-8271215: Fix data races in G1PeriodicGCTask
+ - JDK-8271254: javac generates unreachable code when using empty semicolon statement
+ - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
+ - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
+ - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
+ - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
+ - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
+ - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
+ - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
+ - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
+ - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
+ - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
+ - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
+ - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
+ - JDK-8271605: Update JMH devkit to 1.32
+ - JDK-8271718: Crash when during color transformation the color profile is replaced
+ - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
+ - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
+ - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
+ - JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
+ - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
+ - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
+ - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
+ - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
+ - JDK-8272114: Unused _last_state in osThread_windows
+ - JDK-8272170: Missing memory barrier when checking active state for regions
+ - JDK-8272305: several hotspot runtime/modules don't check exit codes
+ - JDK-8272318: Improve performance of HeapDumpAllTest
+ - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
+ - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
+ - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
+ - JDK-8272345: macos doesn't check `os::set_boot_path()` result
+ - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0"
+ - JDK-8272391: Undeleted debug information
+ - JDK-8272413: Incorrect num of element count calculation for vector cast
+ - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
+ - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
+ - JDK-8272570: C2: crash in PhaseCFG::global_code_motion
+ - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
+ - JDK-8272639: jpackaged applications using microphone on mac
+ - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
+ - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
+ - JDK-8272783: Epsilon: Refactor tests to improve performance
+ - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
+ - JDK-8272838: Move CriticalJNI tests out of tier1
+ - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
+ - JDK-8272850: Drop zapping values in the Zap* option descriptions
+ - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
+ - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
+ - JDK-8272859: Javadoc external links should only have feature version number in URL
+ - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
+ - JDK-8272970: Parallelize runtime/InvocationTests/
+ - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
+ - JDK-8273021: C2: Improve Add and Xor ideal optimizations
+ - JDK-8273026: Slow LoginContext.login() on multi threading application
+ - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
+ - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273229: Update OS detection code to recognize Windows Server 2022
+ - JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash
+ - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
+ - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
+ - JDK-8273308: PatternMatchTest.java fails on CI
+ - JDK-8273314: Add tier4 test groups
+ - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
+ - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
+ - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
+ - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
+ - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
+ - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
+ - JDK-8273361: InfoOptsTest is failing in tier1
+ - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
+ - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop
+ - JDK-8273376: Zero: Disable vtable/itableStub gtests
+ - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
+ - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
+ - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
+ - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
+ - JDK-8273450: Fix the copyright header of SVML files
+ - JDK-8273451: Remove unreachable return in mutexLocker::wait
+ - JDK-8273483: Zero: Clear pending JNI exception check in native method handler
+ - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
+ - JDK-8273487: Zero: Handle "zero" variant in runtime tests
+ - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
+ - JDK-8273498: compiler/c2/Test7179138_1.java timed out
+ - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
+ - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
+ - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
+ - JDK-8273592: Backout JDK-8271868
+ - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
+ - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
+ - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
+ - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
+ - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
+ - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
+ - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
+ - JDK-8273695: Safepoint deadlock on VMOperation_lock
+ - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
+ - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
+ - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
+ - JDK-8273808: Cleanup AddFontsToX11FontPath
+ - JDK-8273826: Correct Manifest file name and NPE checks
+ - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
+ - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
+ - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
+ - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
+ - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
+ - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
+ - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
+ - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
+ - JDK-8273968: JCK javax_xml tests fail in CI
+ - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
+ - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
+ - JDK-8274083: Update testing docs to mention tiered testing
+ - JDK-8274087: Windows DLL path not set correctly.
+ - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
+ - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
+ - JDK-8274215: Remove globalsignr2ca root from 17.0.2
+ - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
+ - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
+ - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
+ - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
+ - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
+ - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
+ - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
+ - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile
+ - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
+ - JDK-8274381: missing CAccessibility definitions in JNI code
+ - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
+ - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
+ - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
+ - JDK-8274407: (tz) Update Timezone Data to 2021c
+ - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
+ - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
+ - JDK-8274468: TimeZoneTest.java fails with tzdata2021b
+ - JDK-8274501: c2i entry barriers read int as long on AArch64
+ - JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
+ - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
+ - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
+ - JDK-8274550: c2i entry barriers read int as long on PPC
+ - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
+ - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
+ - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
+ - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
+ - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
+ - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
+ - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
+ - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
+ - JDK-8274840: Update OS detection code to recognize Windows 11
+ - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
+ - JDK-8274851: [ppc64] Port zgc to linux on ppc64le
+ - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
+ - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
+ - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
+ - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
+ - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
+ - JDK-8275104: IR framework does not handle client VM builds correctly
+ - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
+ - JDK-8275131: Exceptions after a touchpad gesture on macOS
+ - JDK-8275141: recover corrupted line endings for the version-numbers.conf
+ - JDK-8275145: file.encoding system property has an incorrect value on Windows
+ - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
+ - JDK-8275302: unexpected compiler error: cast, intersection types and sealed
+ - JDK-8275426: PretouchTask num_chunks calculation can overflow
+ - JDK-8275604: Zero: Reformat opclabels_data
+ - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless
+ - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
+ - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
+ - JDK-8275766: (tz) Update Timezone Data to 2021e
+ - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
+ - JDK-8275811: Incorrect instance to dispose
+ - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
+ - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
+ - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
+ - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
+ - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency
+ - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
+ - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
+ - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
+ - JDK-8276112: Inconsistent scalar replacement debug info at safepoints
+ - JDK-8276122: Change openjdk project in jcheck to jdk-updates
+ - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
+ - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
+ - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
+ - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
+ - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
+ - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
+ - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
+ - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
+ - JDK-8276572: Fake libsyslookup.so library causes tooling issues
+ - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
+ - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
+ - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
+ - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
+ - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
+ - JDK-8276854: Windows GHA builds fail due to broken Cygwin
+ - JDK-8276864: Update boot JDKs to 17.0.1 in GHA
+ - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
+ - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
+ - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
+ - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
+ - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
+ - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
+ - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
+ - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+security-libs/java.security:
+
+JDK-8272535: Removed Google's GlobalSign Root Certificate
+=========================================================
+The following root certificate from Google has been removed from the
+`cacerts` keystore:
+
+Alias Name: globalsignr2ca [jdk]
+Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
+
+core-libs/java.io:
+
+JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows
+============================================================================
+The initialization of the `file.encoding` system property on non macOS
+platforms has been reverted to align with the behavior on or before
+JDK 11. This has been an issue especially on Windows where the system
+and user's locales are not the same.
+
+hotspot/gc:
+
+JDK-8277533: ZGC: Fixed long Process Non-Strong References times
+================================================================
+A bug has been fixed that could cause long "Concurrent Process
+Non-Strong References" times with ZGC. The bug blocked the GC from
+making significant progress, and caused both latency and throughput
+issues for the Java application.
+
+The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g.
+
+[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
+
+core-libs/java.time:
+
+JDK-8274857: Update Timezone Data to 2021c
+===========================================
+IANA Time Zone Database, on which JDK's Date/Time libraries are based,
+has been updated to version 2021c
+(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
+that with this update, some of the time zone rules prior to the year
+1970 have been modified according to the changes which were introduced
+with 2021b. For more detail, refer to the announcement of 2021b
+(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
+
+New in release OpenJDK 17.0.1 (2021-10-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
+
+* Security fixes
+ - JDK-8263314: Enhance XML Dsig modes
+ - JDK-8265167, CVE-2021-35556: Richer Text Editors
+ - JDK-8265574: Improve handling of sheets
+ - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
+ - JDK-8265776: Improve Stream handling for SSL
+ - JDK-8266097, CVE-2021-35561: Better hashing support
+ - JDK-8266103: Better specified spec values
+ - JDK-8266109: More Resilient Classloading
+ - JDK-8266115: More Manifest Jar Loading
+ - JDK-8266137, CVE-2021-35564: Improve Keystore integrity
+ - JDK-8266689, CVE-2021-35567: More Constrained Delegation
+ - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
+ - JDK-8267712: Better LDAP reference processing
+ - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
+ - JDK-8267735, CVE-2021-35586: Better BMP support
+ - JDK-8268193: Improve requests of certificates
+ - JDK-8268199: Correct certificate requests
+ - JDK-8268205: Enhance DTLS client handshake
+ - JDK-8268500: Better specified ParameterSpecs
+ - JDK-8268506: More Manifest Digests
+ - JDK-8269618, CVE-2021-35603: Better session identification
+ - JDK-8269624: Enhance method selection support
+ - JDK-8270398: Enhance canonicalization
+ - JDK-8270404: Better canonicalization
+* Other changes
+ - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
+ - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
+ - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
+ - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
+ - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
+ - JDK-8263531: Remove unused buffer int
+ - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
+ - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
+ - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
+ - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
+ - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
+ - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
+ - JDK-8269297: Bump version numbers for JDK 17.0.1
+ - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
+ - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
+ - JDK-8269763: The JEditorPane is blank after JDK-8265167
+ - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
+ - JDK-8269882: stack-use-after-scope in NewObjectA
+ - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
+ - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
+ - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
+ - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
+ - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
+ - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
+ - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
+ - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
+ - JDK-8270344: Session resumption errors
+ - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
+ - JDK-8271276: C2: Wrong JVM state used for receiver null check
+ - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
+ - JDK-8271589: fatal error with variable shift count integer rotate operation.
+ - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
+ - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
+ - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
+ - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
+ - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
+ - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
+ - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
+ - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
+ - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
+ - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
+ - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
+ - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
+ - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
+ - JDK-8273358: macOS Monterey does not have the font Times needed by Serif
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8271434: Removed IdenTrust Root Certificate
+===============================================
+The following root certificate from IdenTrust has been removed from
+the `cacerts` keystore:
+
+Alias Name: identrustdstx3 [jdk]
+Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
+
+New in release OpenJDK 17.0.0 (2021-09-14):
+===========================================
+The full list of changes in the interim releases from 11u to 17u can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-12.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-13.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-14.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-15.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-16.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.txt
+
+Major changes are listed below. Some changes may have been backported
+to earlier releases following their first appearance in OpenJDK 12
+through to 17.
+
+NEW FEATURES
+============
+
+Language Features
+=================
+
+Switch Expressions
+==================
+https://openjdk.java.net/jeps/325
+https://openjdk.java.net/jeps/354
+https://openjdk.java.net/jeps/361
+
+Extend the `switch` statement so that it can be used as either a
+statement or an expression, and that both forms can use either a
+"traditional" or "simplified" scoping and control flow behavior. Both
+forms can use either traditional `case ... :` labels (with fall
+through) or new `case ... ->` labels (with no fall through), with a
+further new statement for yielding a value from a `switch`
+expression. These changes will simplify everyday coding, and also
+prepare the way for the use of pattern matching in `switch`.
+
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 12 & 13 and became final in OpenJDK 14.
+
+Text Blocks
+===========
+https://openjdk.java.net/jeps/355
+https://openjdk.java.net/jeps/368
+https://openjdk.java.net/jeps/378
+
+Add text blocks to the Java language. A text block is a multi-line
+string literal that avoids the need for most escape sequences,
+automatically formats the string in a predictable way, and gives the
+developer control over format when desired.
+
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 13 & 14 and became final in OpenJDK 15.
+
+Pattern Matching for instanceof
+===============================
+https://openjdk.java.net/jeps/305
+https://openjdk.java.net/jeps/375
+https://openjdk.java.net/jeps/394
+http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html
+
+Enhance the Java programming language with pattern matching for the
+`instanceof` operator. Pattern matching allows common logic in a
+program, namely the conditional extraction of components from objects,
+to be expressed more concisely and safely.
+
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 14 & 15 and became final in OpenJDK 16.
+
+Records
+=======
+https://openjdk.java.net/jeps/359
+https://openjdk.java.net/jeps/384
+https://openjdk.java.net/jeps/395
+
+Enhance the Java programming language with records. Records provide a
+compact syntax for declaring classes which are transparent holders for
+shallowly immutable data.
+
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 14 & 15 and became final in OpenJDK 16.
+
+Sealed Classes
+==============
+https://openjdk.java.net/jeps/360
+https://openjdk.java.net/jeps/397
+https://openjdk.java.net/jeps/409
+https://cr.openjdk.java.net/~briangoetz/amber/datum.html
+
+Enhance the Java programming language with sealed classes and
+interfaces. Sealed classes and interfaces restrict which other classes
+or interfaces may extend or implement them.
+
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 15 & 16 and became final in OpenJDK 17.
+
+Restore Always-Strict Floating-Point Semantics
+==============================================
+https://openjdk.java.net/jeps/306
+
+Make floating-point operations consistently strict, rather than have
+both strict floating-point semantics (`strictfp`) and subtly different
+default floating-point semantics. This will restore the original
+floating-point semantics to the language and VM, matching the
+semantics before the introduction of strict and default floating-point
+modes in Java SE 1.2.
+
+Pattern Matching for switch
+===========================
+https://openjdk.java.net/jeps/406
+
+Enhance the Java programming language with pattern matching for
+`switch` expressions and statements, along with extensions to the
+language of patterns. Extending pattern matching to `switch` allows an
+expression to be tested against a number of patterns, each with a
+specific action, so that complex data-oriented queries can be
+expressed concisely and safely.
+
+This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK
+17.
+
+Library Features
+================
+
+JVM Constants API
+=================
+https://openjdk.java.net/jeps/334
+
+Introduce an API to model nominal descriptions of key class-file and
+run-time artifacts, in particular constants that are loadable from the
+constant pool.
+
+Reimplement the Legacy Socket API
+=================================
+https://openjdk.java.net/jeps/353
+
+Replace the underlying implementation used by the `java.net.Socket`
+and `java.net.ServerSocket` APIs with a simpler and more modern
+implementation that is easy to maintain and debug. The new
+implementation will be easy to adapt to work with user-mode threads,
+a.k.a. fibers, currently being explored in Project Loom
+(https://openjdk.java.net/projects/loom).
+
+JFR Event Streaming
+===================
+https://openjdk.java.net/jeps/349
+
+Expose JDK Flight Recorder data for continuous monitoring.
+
+Non-Volatile Mapped Byte Buffers
+================================
+https://openjdk.java.net/jeps/352
+
+Add new JDK-specific file mapping modes so that the `FileChannel` API
+can be used to create `MappedByteBuffer` instances that refer to
+non-volatile memory.
+
+Helpful NullPointerExceptions
+=============================
+https://openjdk.java.net/jeps/358
+
+Improve the usability of `NullPointerException`s generated by the JVM
+by describing precisely which variable was `null`.
+
+Foreign-Memory Access API
+=========================
+https://openjdk.java.net/jeps/370
+https://openjdk.java.net/jeps/383
+https://openjdk.java.net/jeps/393
+
+Introduce an API to allow Java programs to safely and efficiently
+access foreign memory outside of the Java heap.
+
+This was a incubation feature (https://openjdk.java.net/jeps/11) in
+OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory
+API in OpenJDK 17 (see below).
+
+Edwards-Curve Digital Signature Algorithm (EdDSA)
+=================================================
+https://openjdk.java.net/jeps/339
+
+Implement cryptographic signatures using the Edwards-Curve Digital
+Signature Algorithm (EdDSA) as described by RFC 8032
+(https://tools.ietf.org/html/rfc8032).
+
+Hidden Classes
+==============
+https://openjdk.java.net/jeps/371
+
+Introduce hidden classes, which are classes that cannot be used
+directly by the bytecode of other classes. Hidden classes are intended
+for use by frameworks that generate classes at run time and use them
+indirectly, via reflection. A hidden class may be defined as a member
+of an access control nest (https://openjdk.java.net/jeps/181), and may
+be unloaded independently of other classes.
+
+Reimplement the Legacy DatagramSocket API
+=========================================
+https://openjdk.java.net/jeps/373
+
+Replace the underlying implementations of the
+`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with
+simpler and more modern implementations that are easy to maintain and
+debug. The new implementations will be easy to adapt to work with
+virtual threads, currently being explored in Project Loom
+(https://openjdk.java.net/projects/loom). This is a follow-on to JEP
+353 (see above), which already reimplemented the legacy Socket API.
+
+Vector API
+==========
+https://openjdk.java.net/jeps/338
+https://openjdk.java.net/jeps/414
+
+Provide an initial iteration of an incubator module,
+`jdk.incubator.vector`, to express vector computations that reliably
+compile at runtime to optimal vector hardware instructions on
+supported CPU architectures and thus achieve superior performance to
+equivalent scalar computations.
+
+This is an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 16.
+
+Unix-Domain Socket Channels
+===========================
+https://openjdk.java.net/jeps/380
+
+Add Unix-domain (`AF_UNIX`) socket support to the socket channel and
+server-socket channel APIs in the `java.nio.channels` package. Extend
+the inherited channel mechanism to support Unix-domain socket channels
+and server socket channels.
+
+Foreign Linker API (Incubator)
+==============================
+https://openjdk.java.net/jeps/389
+
+Introduce an API that offers statically-typed, pure-Java access to
+native code. This API, together with the Foreign-Memory API (see
+above), will considerably simplify the otherwise error-prone process
+of binding to a native library.
+
+This was an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 16, now superseded by the Foreign Function &
+Memory API in OpenJDK 17 (see below).
+
+Strongly Encapsulate JDK Internals by Default
+=============================================
+https://openjdk.java.net/jeps/396
+https://openjdk.java.net/jeps/403
+
+Strongly encapsulate all internal elements of the JDK by default,
+except for critical internal APIs such as `sun.misc.Unsafe`. It will
+no longer be possible to relax the strong encapsulation of internal
+elements via a single command-line option, as was possible in OpenJDK
+9 through 16.
+
+Enhanced Pseudo-Random Number Generators
+========================================
+https://openjdk.java.net/jeps/356
+
+Provide new interface types and implementations for pseudo-random
+number generators (PRNGs), including jumpable PRNGs and an additional
+class of splittable PRNG algorithms (LXM).
+
+Foreign Function & Memory API
+=============================
+https://openjdk.java.net/jeps/412
+
+Introduce an API by which Java programs can interoperate with code and
+data outside of the Java runtime. By efficiently invoking foreign
+functions (i.e., code outside the JVM), and by safely accessing
+foreign memory (i.e., memory not managed by the JVM), the API enables
+Java programs to call native libraries and process native data without
+the brittleness and danger of JNI.
+
+This API is an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 17, and is an evolution of the Foreign Memory
+Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK
+16) (see above).
+
+Context-Specific Deserialization Filters
+========================================
+https://openjdk.java.net/jeps/415
+
+Allow applications to configure context-specific and
+dynamically-selected deserialization filters via a JVM-wide filter
+factory that is invoked to select a filter for each individual
+deserialization operation.
+
+Tools
+=====
+
+Packaging Tool
+==============
+https://openjdk.java.net/jeps/343
+https://openjdk.java.net/jeps/392
+
+Provide the `jpackage` tool, for packaging self-contained Java
+applications.
+
+JVM Features
+============
+
+Shenandoah: A Low-Pause-Time Garbage Collector
+==============================================
+https://openjdk.java.net/jeps/189
+https://openjdk.java.net/jeps/379
+
+Add a new garbage collection (GC) algorithm named Shenandoah which
+reduces GC pause times by doing evacuation work concurrently with the
+running Java threads. Pause times with Shenandoah are independent of
+heap size, meaning you will have the same consistent pause times
+whether your heap is 200 MB or 200 GB.
+
+Shenandoah has been provided in Red Hat builds of OpenJDK 8 since
+8u131 in April 2017 and in all 11u builds.
+
+Upstream, it was introduced in OpenJDK 12 as an experimental feature
+and became a production feature in OpenJDK 15. It was backported to
+OpenJDK 11 with the 11.0.9 release in October 2020.
+
+Abortable Mixed Collections for G1
+==================================
+https://openjdk.java.net/jeps/344
+
+Make G1 mixed collections abortable if they might exceed the pause
+target.
+
+Promptly Return Unused Committed Memory from G1
+===============================================
+https://openjdk.java.net/jeps/346
+
+Enhance the G1 garbage collector to automatically return Java heap
+memory to the operating system when idle.
+
+Dynamic CDS Archives
+====================
+https://openjdk.java.net/jeps/310
+https://openjdk.java.net/jeps/350
+
+Extend application class-data sharing to allow the dynamic archiving
+of classes at the end of Java application execution. The archived
+classes will include all loaded application classes and library
+classes that are not present in the default, base-layer CDS archive.
+
+ZGC: Uncommit Unused Memory (Experimental)
+==========================================
+https://openjdk.java.net/jeps/351
+
+Enhance ZGC to return unused heap memory to the operating system.
+
+NUMA-Aware Memory Allocation for G1
+===================================
+https://openjdk.java.net/jeps/345
+
+Improve G1 performance on large machines by implementing NUMA-aware
+memory allocation.
+
+ZGC on macOS (Experimental)
+===========================
+https://openjdk.java.net/jeps/364
+
+Port the ZGC garbage collector to macOS.
+
+ZGC on Windows (Experimental)
+=============================
+https://openjdk.java.net/jeps/365
+
+Port the ZGC garbage collector to Windows.
+
+ZGC: A Scalable Low-Latency Garbage Collector (Production)
+==========================================================
+https://openjdk.java.net/jeps/377
+
+Change the Z Garbage Collector from an experimental feature into a
+product feature.
+
+ZGC: Concurrent Thread-Stack Processing
+=======================================
+https://openjdk.java.net/jeps/376
+
+Move ZGC thread-stack processing from safepoints to a concurrent
+phase.
+
+Elastic Metaspace
+=================
+https://openjdk.java.net/jeps/387
+
+Return unused HotSpot class-metadata (i.e., metaspace) memory to the
+operating system more promptly, reduce metaspace footprint, and
+simplify the metaspace code in order to reduce maintenance costs.
+
+Ports
+=====
+
+Alpine Linux Port
+=================
+https://openjdk.java.net/jeps/386
+
+Port the JDK to Alpine Linux, and to other Linux distributions that
+use musl as their primary C library, on both the x64 and AArch64
+architectures,
+
+Windows/AArch64 Port
+====================
+https://openjdk.java.net/jeps/388
+
+Port the JDK to Windows/AArch64.
+
+New macOS Rendering Pipeline
+============================
+https://openjdk.java.net/jeps/382
+
+Implement a Java 2D internal rendering pipeline for macOS using the
+Apple Metal API as alternative to the existing pipeline, which uses
+the deprecated Apple OpenGL API.
+
+macOS/AArch64 Port
+==================
+https://openjdk.java.net/jeps/391
+
+Port the JDK to macOS/AArch64.
+
+DEPRECATIONS
+============
+
+Deprecate the ParallelScavenge + SerialOld GC Combination
+=========================================================
+https://openjdk.java.net/jeps/366
+
+Deprecate the combination of the Parallel Scavenge and Serial Old
+garbage collection algorithms.
+
+Deprecate and Disable Biased Locking
+====================================
+https://openjdk.java.net/jeps/374
+
+Disable biased locking by default, and deprecate all related
+command-line options.
+
+Warnings for Value-Based Classes
+================================
+https://openjdk.java.net/jeps/390
+
+Designate the primitive wrapper classes as value-based and deprecate
+their constructors for removal, prompting new deprecation
+warnings. Provide warnings about improper attempts to synchronize on
+instances of any value-based classes in the Java Platform.
+
+Deprecate the Applet API for Removal
+====================================
+https://openjdk.java.net/jeps/398
+
+Deprecate the Applet API for removal. It is essentially irrelevant
+since all web-browser vendors have either removed support for Java
+browser plug-ins or announced plans to do so.
+
+Deprecate the Security Manager for Removal
+==========================================
+https://openjdk.java.net/jeps/411
+
+Deprecate the Security Manager for removal in a future release. The
+Security Manager dates from Java 1.0. It has not been the primary
+means of securing client-side Java code for many years, and it has
+rarely been used to secure server-side code. To move Java forward, we
+intend to deprecate the Security Manager for removal in concert with
+the legacy Applet API (see above). .
+
+REMOVALS
+========
+
+Remove the Concurrent Mark Sweep (CMS) Garbage Collector
+========================================================
+https://openjdk.java.net/jeps/363
+
+Remove the Concurrent Mark Sweep (CMS) garbage collector.
+
+Remove the Pack200 Tools and API
+================================
+https://openjdk.java.net/jeps/336
+https://openjdk.java.net/jeps/367
+
+Remove the `pack200` and `unpack200` tools, and the `Pack200` API in
+the `java.util.jar` package. These tools and API were deprecated for
+removal in OpenJDK 11 with the express intent to remove them in a
+future release.
+
+Remove the Nashorn JavaScript Engine
+====================================
+https://openjdk.java.net/jeps/372
+
+Remove the Nashorn JavaScript script engine and APIs, and the `jjs`
+tool. The engine, the APIs, and the tool were deprecated for removal
+in OpenJDK 11 with the express intent to remove them in a future
+release.
+
+Remove the Solaris and SPARC Ports
+==================================
+https://openjdk.java.net/jeps/362
+https://openjdk.java.net/jeps/381
+
+Remove the source code and build support for the Solaris/SPARC,
+Solaris/x64, and Linux/SPARC ports. These ports were deprecated for
+removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381).
+
+Remove RMI Activation
+=====================
+https://openjdk.java.net/jeps/385
+https://openjdk.java.net/jeps/407
+https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html
+
+Remove the Remote Method Invocation (RMI) Activation mechanism, while
+preserving the rest of RMI. RMI Activation is an obsolete part of RMI
+that has been optional since OpenJDK 8 and was deprecated in OpenJDK
+15.
+
+Remove the Experimental AOT and JIT Compiler
+============================================
+https://openjdk.java.net/jeps/410
+
+Remove the experimental Java-based ahead-of-time (AOT) and
+just-in-time (JIT) compiler. This compiler has seen little use since
+its introduction and the effort required to maintain it is
+significant. Retain the experimental Java-level JVM compiler
+interface (JVMCI) so that developers can continue to use
+externally-built versions of the compiler for JIT compilation.
diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java
new file mode 100644
index 0000000..b32b7ae
--- /dev/null
+++ b/SOURCES/TestCryptoLevel.java
@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+ Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+ public static void main(String[] args)
+ throws NoSuchFieldException, ClassNotFoundException,
+ IllegalAccessException, InvocationTargetException
+ {
+ Class cls = null;
+ Method def = null, exempt = null;
+
+ try
+ {
+ cls = Class.forName("javax.crypto.JceSecurity");
+ }
+ catch (ClassNotFoundException ex)
+ {
+ System.err.println("Running a non-Sun JDK.");
+ System.exit(0);
+ }
+ try
+ {
+ def = cls.getDeclaredMethod("getDefaultPolicy");
+ exempt = cls.getDeclaredMethod("getExemptPolicy");
+ }
+ catch (NoSuchMethodException ex)
+ {
+ System.err.println("Running IcedTea with the original crypto patch.");
+ System.exit(0);
+ }
+ def.setAccessible(true);
+ exempt.setAccessible(true);
+ PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+ PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+ Class apCls = Class.forName("javax.crypto.CryptoAllPermission");
+ Field apField = apCls.getDeclaredField("INSTANCE");
+ apField.setAccessible(true);
+ Permission allPerms = (Permission) apField.get(null);
+ if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+ {
+ System.err.println("Running with the unlimited policy.");
+ System.exit(0);
+ }
+ else
+ {
+ System.err.println("WARNING: Running with a restricted crypto policy.");
+ System.exit(-1);
+ }
+ }
+}
diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java
new file mode 100644
index 0000000..6eb9cb2
--- /dev/null
+++ b/SOURCES/TestECDSA.java
@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+ Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+ public static void main(String[] args) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ KeyPair key = keyGen.generateKeyPair();
+
+ byte[] data = "This is a string to sign".getBytes("UTF-8");
+
+ Signature dsa = Signature.getInstance("NONEwithECDSA");
+ dsa.initSign(key.getPrivate());
+ dsa.update(data);
+ byte[] sig = dsa.sign();
+ System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+
+ Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+ dsaCheck.initVerify(key.getPublic());
+ dsaCheck.update(data);
+ boolean success = dsaCheck.verify(sig);
+ if (!success) {
+ throw new RuntimeException("Test failed. Signature verification error");
+ }
+ System.out.println("Test passed.");
+ }
+}
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
new file mode 100644
index 0000000..06a0b07
--- /dev/null
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+}
diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/SOURCES/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..51bd6d2
--- /dev/null
+++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index 70903206ea0..09956084cf9 100644
+--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ ctx = getLdapCtxFromUrl(
+ r.getDomainName(), url, new LdapURL(u), env);
+ return ctx;
++ } catch (AuthenticationException e) {
++ // do not retry on a different endpoint to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ // try the next element
+ lastException = e;
+@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ for (String u : urls) {
+ try {
+ return getUsingURL(u, env);
++ } catch (AuthenticationException e) {
++ // do not retry on a different URL to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ ex = e;
+ }
diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/SOURCES/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
new file mode 100644
index 0000000..1aff153
--- /dev/null
+++ b/SOURCES/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..4efbe9a
--- /dev/null
+++ b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3183: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -52,6 +55,10 @@
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
++ /* System property file*/
++ private static final String SYSTEM_PROPERTIES =
++ "/etc/crypto-policies/back-ends/java.config";
++
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -93,6 +100,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -114,6 +122,31 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
++ if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
diff --git a/SOURCES/pr3695-toggle_system_crypto_policy.patch b/SOURCES/pr3695-toggle_system_crypto_policy.patch
new file mode 100644
index 0000000..3799237
--- /dev/null
+++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+# Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
+- loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+- }
+- }
+-
+- if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+ }
+ }
+
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if (disableSystemProps == null &&
++ "true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
new file mode 100644
index 0000000..e999c7e
--- /dev/null
+++ b/SOURCES/remove-intree-libraries.sh
@@ -0,0 +1,157 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..7be1fae
--- /dev/null
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 534bdae5a16..2df2b59cbf6 100644
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..80cd91c
--- /dev/null
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
++ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+ }
+ }
+
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.nio.file.Files;
++import java.nio.file.Path;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static final String CRYPTO_POLICIES_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/config";
++
++ private static final class SecurityProviderInfo {
++ int number;
++ String key;
++ String value;
++ SecurityProviderInfo(int number, String key, String value) {
++ this.number = number;
++ this.key = key;
++ this.value = value;
++ }
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configure(Properties props) {
++ boolean loadedProps = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ loadedProps = false;
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ loadedProps = true;
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /*
++ * FIPS is enabled only if crypto-policies are set to "FIPS"
++ * and the com.redhat.fips property is true.
++ */
++ private static boolean enableFips() throws Exception {
++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (fipsEnabled) {
++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
++ return pattern.matcher(cryptoPoliciesConfig).find();
++ } else {
++ return false;
++ }
++ }
++}
+diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -87,6 +87,14 @@
+ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=SunJSSE
++
++#
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+ # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+
+ private final static String PROP_NAME = "sun.security.smartcardio.library";
+
+- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+ private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch
new file mode 100644
index 0000000..ff34f3e
--- /dev/null
+++ b/SOURCES/rh1818909-fips_default_keystore_type.patch
@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
+@@ -299,6 +299,11 @@
+ keystore.type=pkcs12
+
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+ # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
new file mode 100644
index 0000000..8dcd9a8
--- /dev/null
+++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
@@ -0,0 +1,318 @@
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index f9baf8c9742..60fa75cab45 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,11 +1,13 @@
+ /*
+- * Copyright (c) 2019, Red Hat, Inc.
++ * Copyright (c) 2019, 2020, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -34,10 +36,10 @@ import java.nio.file.Path;
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.function.Consumer;
+-import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
++import jdk.internal.access.SharedSecrets;
+ import sun.security.util.Debug;
+
+ /**
+@@ -47,7 +49,7 @@ import sun.security.util.Debug;
+ *
+ */
+
+-class SystemConfigurator {
++final class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -61,15 +63,16 @@ class SystemConfigurator {
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+- private static final class SecurityProviderInfo {
+- int number;
+- String key;
+- String value;
+- SecurityProviderInfo(int number, String key, String value) {
+- this.number = number;
+- this.key = key;
+- this.value = value;
+- }
++ private static boolean systemFipsEnabled = false;
++
++ static {
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
+ }
+
+ /*
+@@ -128,9 +131,9 @@ class SystemConfigurator {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+- // If keystore.type is PKCS11, javax.net.ssl.keyStore
+- // must be "NONE". See JDK-8238264.
+- System.setProperty("javax.net.ssl.keyStore", "NONE");
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+@@ -144,12 +147,13 @@ class SystemConfigurator {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+- System.getProperty("javax.net.ssl.keyStore", ""));
++ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
+ loadedProps = true;
++ systemFipsEnabled = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -160,13 +164,30 @@ class SystemConfigurator {
+ return loadedProps;
+ }
+
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+- if (fipsEnabled) {
++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (shouldEnable) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..a31e93ec02e
+--- /dev/null
++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.access;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++}
+diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index f6d3638c3dd..5a2c9eb0c46 100644
+--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -81,6 +81,7 @@ public class SharedSecrets {
+ private static JavaSecuritySpecAccess javaSecuritySpecAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
+ javaUtilCollectionAccess = juca;
+@@ -442,4 +443,12 @@ public class SharedSecrets {
+ MethodHandles.lookup().ensureInitialized(c);
+ } catch (IllegalAccessException e) {}
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+index 6ffdfeda18d..775b185fb06 100644
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -32,6 +32,7 @@ import java.security.cert.*;
+ import java.util.*;
+ import java.util.concurrent.locks.ReentrantLock;
+ import javax.net.ssl.*;
++import jdk.internal.access.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ private static final List serverDefaultCipherSuites;
+
+ static {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10,
+- ProtocolVersion.SSL30,
+- ProtocolVersion.SSL20Hello
+- );
+-
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10,
++ ProtocolVersion.SSL30,
++ ProtocolVersion.SSL20Hello
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+
+ supportedCipherSuites = getApplicableSupportedCipherSuites(
+ supportedProtocols);
+@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ ProtocolVersion[] candidates;
+ if (refactored.isEmpty()) {
+ // Client and server use the same default protocols.
+- candidates = new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- };
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ } else {
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ } else {
+ // Use the customized TLS protocols.
+ candidates =
+diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+index 894e26dfad8..8b16378b96b 100644
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+@@ -27,6 +27,8 @@ package sun.security.ssl;
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ /**
+@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ List.of("SSL"), null);
diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch
new file mode 100644
index 0000000..513fbbf
--- /dev/null
+++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch
@@ -0,0 +1,70 @@
+diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index f1633afb627..ce32c939253 100644
+--- openjdk/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -74,6 +75,15 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -194,9 +204,8 @@ public final class Security {
+ }
+
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+- if (disableSystemProps == null &&
+- "true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+ }
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 60fa75cab45..10b54aa4ce4 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -38,8 +38,6 @@ import java.util.Map.Entry;
+ import java.util.Properties;
+ import java.util.regex.Pattern;
+
+-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+-import jdk.internal.access.SharedSecrets;
+ import sun.security.util.Debug;
+
+ /**
+@@ -65,16 +63,6 @@ final class SystemConfigurator {
+
+ private static boolean systemFipsEnabled = false;
+
+- static {
+- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+- new JavaSecuritySystemConfiguratorAccess() {
+- @Override
+- public boolean isSystemFipsEnabled() {
+- return SystemConfigurator.isSystemFipsEnabled();
+- }
+- });
+- }
+-
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SOURCES/rh1929465-dont_define_unused_throwioexception.patch b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch
new file mode 100644
index 0000000..eba090f
--- /dev/null
+++ b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch
@@ -0,0 +1,69 @@
+commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
+Author: Andrew Hughes
+Date: Sat Aug 28 01:15:28 2021 +0100
+
+ RH1929465: Don't define unused throwIOException function when using NSS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 6f4656bfcb6..38919d6bb0f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -34,14 +34,34 @@
+
+ #include "java_security_SystemConfigurator.h"
+
+-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+ #define MSG_MAX_SIZE 96
+
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
++#ifndef SYSCONF_NSS
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++#endif
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+
+ /*
+ * Class: java_security_SystemConfigurator
+@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+
+ #endif // SYSCONF_NSS
+ }
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+- jclass cls = (*env)->FindClass(env, "java/io/IOException");
+- if (cls != 0)
+- (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+- jstring jMsg;
+- if (debugObj != NULL) {
+- jMsg = (*env)->NewStringUTF(env, msg);
+- CHECK_NULL(jMsg);
+- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+- }
+-}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
new file mode 100644
index 0000000..4dfd1d4
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
@@ -0,0 +1,428 @@
+diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
+new file mode 100644
+index 00000000000..b2b1c1787da
+--- /dev/null
++++ openjdk/make/autoconf/lib-sysconf.m4
+@@ -0,0 +1,84 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
+index a65d91ee974..a8f054c1397 100644
+--- openjdk/make/autoconf/libraries.m4
++++ openjdk/make/autoconf/libraries.m4
+@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
+ m4_include([lib-x11.m4])
+ m4_include([lib-fontconfig.m4])
+ m4_include([lib-tests.m4])
++m4_include([lib-sysconf.m4])
+
+ ################################################################################
+ # Determine which libraries are needed for this configuration
+@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
+ LIB_TESTS_SETUP_GTEST
++ LIB_SETUP_SYSCONF_LIBS
+
+ BASIC_JDKLIB_LIBS=""
+ if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
+diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
+index 29445c8c24f..9b1b512a34a 100644
+--- openjdk/make/autoconf/spec.gmk.in
++++ openjdk/make/autoconf/spec.gmk.in
+@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
+index 5658ff342e5..cb7a56852f7 100644
+--- openjdk/make/modules/java.base/Lib.gmk
++++ openjdk/make/modules/java.base/Lib.gmk
+@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..6f4656bfcb6
+--- /dev/null
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 10b54aa4ce4..6aa1419dfd0 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
+ import java.io.FileInputStream;
+ import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+
+ import sun.security.util.Debug;
+
+@@ -58,11 +54,23 @@ final class SystemConfigurator {
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
+-
+ private static boolean systemFipsEnabled = false;
+
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ @SuppressWarnings("removal")
++ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+@@ -170,16 +178,34 @@ final class SystemConfigurator {
+ }
+
+ /*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+ } else {
+ return false;
+ }
diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch
new file mode 100644
index 0000000..79d2743
--- /dev/null
+++ b/SOURCES/rh1991003-enable_fips_keys_import.patch
@@ -0,0 +1,579 @@
+commit abcd0954643eddbf826d96291d44a143038ab750
+Author: Martin Balao
+Date: Sun Oct 10 18:14:01 2021 +0100
+
+ RH1991003: Enable the import of plain keys into the NSS software token.
+
+ This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
+
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index ce32c939253..dc7020ce668 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -82,6 +82,10 @@ public final class Security {
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
+ });
+
+ // doPrivileged here because there are multiple
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 6aa1419dfd0..ecab722848e 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -55,6 +55,7 @@ final class SystemConfigurator {
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+@@ -150,6 +151,16 @@ final class SystemConfigurator {
+ }
+ loadedProps = true;
+ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -177,6 +188,19 @@ final class SystemConfigurator {
+ return systemFipsEnabled;
+ }
+
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
+ /*
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+index a31e93ec02e..3f3caac64dc 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -27,4 +27,5 @@ package jdk.internal.access;
+
+ public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
+ }
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..bee3a1e1537
+--- /dev/null
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,291 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 5d3963ea893..42c72b393fd 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..4d80145cb91 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -152,16 +153,28 @@ public class PKCS11 {
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+index e2d6d371bec..dc5e7eefdd3 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
+ return "0x" + Functions.toFullHexString((int)errorCode);
+ }
+
++ /**
++ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
++ * no extra info for the error message.
++ */
++ public PKCS11Exception(long errorCode) {
++ this(errorCode, null);
++ }
++
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) and
+ * extra info for error message.
diff --git a/SOURCES/rh1995150-disable_non-fips_crypto.patch b/SOURCES/rh1995150-disable_non-fips_crypto.patch
new file mode 100644
index 0000000..de06552
--- /dev/null
+++ b/SOURCES/rh1995150-disable_non-fips_crypto.patch
@@ -0,0 +1,591 @@
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 63bb580eb3a..238735c0c8c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -152,6 +152,7 @@ module java.base {
+ java.naming,
+ java.rmi,
+ jdk.charsets,
++ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+ jdk.net,
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index 912cad59714..7cb5ebcde51 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -30,6 +30,7 @@ import java.net.*;
+ import java.util.*;
+ import java.security.*;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.util.SecurityProviderConstants;
+@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ public final class SunEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ // the default algo used by SecureRandom class for new SecureRandom() calls
+ public static final String DEF_SECURE_RANDOM_ALGO;
+
+@@ -94,147 +99,149 @@ public final class SunEntries {
+ // common attribute map
+ HashMap attrs = new HashMap<>(3);
+
+- /*
+- * SecureRandom engines
+- */
+- attrs.put("ThreadSafe", "true");
+- if (NativePRNG.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNG",
+- "sun.security.provider.NativePRNG", attrs);
+- }
+- if (NativePRNG.Blocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGBlocking",
+- "sun.security.provider.NativePRNG$Blocking", attrs);
+- }
+- if (NativePRNG.NonBlocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGNonBlocking",
+- "sun.security.provider.NativePRNG$NonBlocking", attrs);
+- }
+- attrs.put("ImplementedIn", "Software");
+- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+- add(p, "SecureRandom", "SHA1PRNG",
+- "sun.security.provider.SecureRandom", attrs);
+-
+- /*
+- * Signature engines
+- */
+- attrs.clear();
+- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+- "|java.security.interfaces.DSAPrivateKey";
+- attrs.put("SupportedKeyClasses", dsaKeyClasses);
+- attrs.put("ImplementedIn", "Software");
+-
+- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+-
+- addWithAlias(p, "Signature", "SHA1withDSA",
+- "sun.security.provider.DSA$SHA1withDSA", attrs);
+- addWithAlias(p, "Signature", "NONEwithDSA",
+- "sun.security.provider.DSA$RawDSA", attrs);
+-
+- // for DSA signatures with 224/256-bit digests
+- attrs.put("KeySize", "2048");
+-
+- addWithAlias(p, "Signature", "SHA224withDSA",
+- "sun.security.provider.DSA$SHA224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA256withDSA",
+- "sun.security.provider.DSA$SHA256withDSA", attrs);
+-
+- addWithAlias(p, "Signature", "SHA3-224withDSA",
+- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-256withDSA",
+- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+-
+- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+-
+- addWithAlias(p, "Signature", "SHA384withDSA",
+- "sun.security.provider.DSA$SHA384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA512withDSA",
+- "sun.security.provider.DSA$SHA512withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-384withDSA",
+- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-512withDSA",
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+-
+- attrs.remove("KeySize");
+-
+- add(p, "Signature", "SHA1withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+- add(p, "Signature", "NONEwithDSAinP1363Format",
+- "sun.security.provider.DSA$RawDSAinP1363Format");
+- add(p, "Signature", "SHA224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+- add(p, "Signature", "SHA256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+- add(p, "Signature", "SHA384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+- add(p, "Signature", "SHA512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+- add(p, "Signature", "SHA3-224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+- add(p, "Signature", "SHA3-256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+- add(p, "Signature", "SHA3-384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+- add(p, "Signature", "SHA3-512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+- /*
+- * Key Pair Generator engines
+- */
+- attrs.clear();
+- attrs.put("ImplementedIn", "Software");
+- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
++ if (!systemFipsEnabled) {
++ /*
++ * SecureRandom engines
++ */
++ attrs.put("ThreadSafe", "true");
++ if (NativePRNG.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNG",
++ "sun.security.provider.NativePRNG", attrs);
++ }
++ if (NativePRNG.Blocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGBlocking",
++ "sun.security.provider.NativePRNG$Blocking", attrs);
++ }
++ if (NativePRNG.NonBlocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGNonBlocking",
++ "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ }
++ attrs.put("ImplementedIn", "Software");
++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
++ add(p, "SecureRandom", "SHA1PRNG",
++ "sun.security.provider.SecureRandom", attrs);
+
+- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ /*
++ * Signature engines
++ */
++ attrs.clear();
++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
++ "|java.security.interfaces.DSAPrivateKey";
++ attrs.put("SupportedKeyClasses", dsaKeyClasses);
++ attrs.put("ImplementedIn", "Software");
++
++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
++
++ addWithAlias(p, "Signature", "SHA1withDSA",
++ "sun.security.provider.DSA$SHA1withDSA", attrs);
++ addWithAlias(p, "Signature", "NONEwithDSA",
++ "sun.security.provider.DSA$RawDSA", attrs);
++
++ // for DSA signatures with 224/256-bit digests
++ attrs.put("KeySize", "2048");
++
++ addWithAlias(p, "Signature", "SHA224withDSA",
++ "sun.security.provider.DSA$SHA224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA256withDSA",
++ "sun.security.provider.DSA$SHA256withDSA", attrs);
++
++ addWithAlias(p, "Signature", "SHA3-224withDSA",
++ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-256withDSA",
++ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
++
++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
++
++ addWithAlias(p, "Signature", "SHA384withDSA",
++ "sun.security.provider.DSA$SHA384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA512withDSA",
++ "sun.security.provider.DSA$SHA512withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-384withDSA",
++ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-512withDSA",
++ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++
++ attrs.remove("KeySize");
++
++ add(p, "Signature", "SHA1withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
++ add(p, "Signature", "NONEwithDSAinP1363Format",
++ "sun.security.provider.DSA$RawDSAinP1363Format");
++ add(p, "Signature", "SHA224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
++ add(p, "Signature", "SHA256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
++ add(p, "Signature", "SHA384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
++ add(p, "Signature", "SHA512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
++ add(p, "Signature", "SHA3-224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
++ add(p, "Signature", "SHA3-256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
++ add(p, "Signature", "SHA3-384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
++ add(p, "Signature", "SHA3-512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
++ /*
++ * Key Pair Generator engines
++ */
++ attrs.clear();
++ attrs.put("ImplementedIn", "Software");
++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+- /*
+- * Algorithm Parameter Generator engines
+- */
+- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+- "sun.security.provider.DSAParameterGenerator", attrs);
+- attrs.remove("KeySize");
++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+
+- /*
+- * Algorithm Parameter engines
+- */
+- addWithAlias(p, "AlgorithmParameters", "DSA",
+- "sun.security.provider.DSAParameters", attrs);
++ /*
++ * Algorithm Parameter Generator engines
++ */
++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
++ "sun.security.provider.DSAParameterGenerator", attrs);
++ attrs.remove("KeySize");
+
+- /*
+- * Key factories
+- */
+- addWithAlias(p, "KeyFactory", "DSA",
+- "sun.security.provider.DSAKeyFactory", attrs);
++ /*
++ * Algorithm Parameter engines
++ */
++ addWithAlias(p, "AlgorithmParameters", "DSA",
++ "sun.security.provider.DSAParameters", attrs);
+
+- /*
+- * Digest engines
+- */
+- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+- attrs);
++ /*
++ * Key factories
++ */
++ addWithAlias(p, "KeyFactory", "DSA",
++ "sun.security.provider.DSAKeyFactory", attrs);
+
+- addWithAlias(p, "MessageDigest", "SHA-224",
+- "sun.security.provider.SHA2$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-256",
+- "sun.security.provider.SHA2$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-384",
+- "sun.security.provider.SHA5$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512",
+- "sun.security.provider.SHA5$SHA512", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/224",
+- "sun.security.provider.SHA5$SHA512_224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/256",
+- "sun.security.provider.SHA5$SHA512_256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-224",
+- "sun.security.provider.SHA3$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-256",
+- "sun.security.provider.SHA3$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-384",
+- "sun.security.provider.SHA3$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-512",
+- "sun.security.provider.SHA3$SHA512", attrs);
++ /*
++ * Digest engines
++ */
++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
++ attrs);
++
++ addWithAlias(p, "MessageDigest", "SHA-224",
++ "sun.security.provider.SHA2$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-256",
++ "sun.security.provider.SHA2$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-384",
++ "sun.security.provider.SHA5$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512",
++ "sun.security.provider.SHA5$SHA512", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/224",
++ "sun.security.provider.SHA5$SHA512_224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/256",
++ "sun.security.provider.SHA5$SHA512_256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-224",
++ "sun.security.provider.SHA3$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-256",
++ "sun.security.provider.SHA3$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-384",
++ "sun.security.provider.SHA3$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-512",
++ "sun.security.provider.SHA3$SHA512", attrs);
++ }
+
+ /*
+ * Certificates
+diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch
new file mode 100644
index 0000000..7622622
--- /dev/null
+++ b/SOURCES/rh1996182-extend_security_policy.patch
@@ -0,0 +1,18 @@
+commit bfd7c5dae9c15266799cb885b8c60199217b65b9
+Author: Andrew Hughes
+Date: Mon Aug 30 16:14:14 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index 8356e56367b..23925f048be 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..96a8204
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,65 @@
+commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
+Author: Martin Balao
+Date: Sat Aug 28 00:35:44 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 238735c0c8c..dbbf11bbb22 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -152,6 +152,7 @@ module java.base {
+ java.naming,
+ java.rmi,
+ jdk.charsets,
++ jdk.crypto.cryptoki,
+ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 112b639aa96..5d3963ea893 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
+
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..8dc0122
--- /dev/null
+++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
+Author: Andrew Hughes
+Date: Mon Jan 10 20:19:40 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 5a2c9eb0c46..a1ee182d913 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -39,6 +39,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -449,6 +450,9 @@ public class SharedSecrets {
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..5a056ce
--- /dev/null
+++ b/SOURCES/rh2021263-fips_missing_native_returns.patch
@@ -0,0 +1,24 @@
+commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
+Author: Fridrich Strba
+Date: Mon Jan 10 19:32:01 2022 +0000
+
+ RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 38919d6bb0f..caf678a7dd6 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
new file mode 100644
index 0000000..b5351a8
--- /dev/null
+++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
@@ -0,0 +1,99 @@
+commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
+Author: Andrew Hughes
+Date: Tue Jan 18 02:09:27 2022 +0000
+
+ RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index 28ab1846173..f9726741afd 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -61,10 +61,6 @@ public final class Security {
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+- /* System property file*/
+- private static final String SYSTEM_PROPERTIES =
+- "/etc/crypto-policies/back-ends/java.config";
+-
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -206,22 +202,36 @@ public final class Security {
+ }
+ }
+
++ if (!loadedProps) {
++ initializeStatic();
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties " +
++ "-- using defaults");
++ }
++ }
++
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+- if (SystemConfigurator.configure(props)) {
+- loadedProps = true;
++ if (!SystemConfigurator.configureSysProps(props)) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System properties could not be loaded.");
++ }
+ }
+ }
+
+- if (!loadedProps) {
+- initializeStatic();
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+- sdebug.println("unable to load security properties " +
+- "-- using defaults");
++ if (fipsEnabled) {
++ sdebug.println("FIPS support enabled.");
++ } else {
++ sdebug.println("FIPS support disabled.");
++ }
+ }
+ }
+-
+ }
+
+ /*
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 874c6221ebe..b7ed41acf0f 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -76,7 +76,7 @@ final class SystemConfigurator {
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+- static boolean configure(Properties props) {
++ static boolean configureSysProps(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+@@ -96,11 +96,19 @@ final class SystemConfigurator {
+ e.printStackTrace();
+ }
+ }
++ return loadedProps;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+- loadedProps = false;
+ // Remove all security providers
+ Iterator> i = props.entrySet().iterator();
+ while (i.hasNext()) {
diff --git a/SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch b/SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
new file mode 100644
index 0000000..7488ea5
--- /dev/null
+++ b/SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
@@ -0,0 +1,1182 @@
+commit 6e74f283739af0d867df01d20f82865f559a45ea
+Author: Martin Balao
+Date: Mon Feb 28 04:58:05 2022 +0000
+
+ RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+
+diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+index a020e1c15d8..6d459fdec01 100644
+--- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
++++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+@@ -31,6 +31,7 @@ import java.security.SecureRandom;
+ import java.security.PrivilegedAction;
+ import java.util.HashMap;
+ import java.util.List;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.util.SecurityProviderConstants.*;
+
+@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
+
+ public final class SunJCE extends Provider {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ @java.io.Serial
+ private static final long serialVersionUID = 6812507587804302833L;
+
+@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
+ void putEntries() {
+ // reuse attribute map and reset before each reuse
+ HashMap attrs = new HashMap<>(3);
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
+- + "|OAEPWITHMD5ANDMGF1PADDING"
+- + "|OAEPWITHSHA1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-256ANDMGF1PADDING"
+- + "|OAEPWITHSHA-384ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
+- ps("Cipher", "RSA",
+- "com.sun.crypto.provider.RSACipher", null, attrs);
+-
+- // common block cipher modes, pads
+- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
+- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
+- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
+- final String BLOCK_MODES128 = BLOCK_MODES +
+- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
+- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
+- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DES",
+- "com.sun.crypto.provider.DESCipher", null, attrs);
+- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
+- attrs);
+- ps("Cipher", "Blowfish",
+- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
+-
+- ps("Cipher", "RC2",
+- "com.sun.crypto.provider.RC2Cipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES128);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES",
+- "com.sun.crypto.provider.AESCipher$General", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_128/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_128/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_128/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_192/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_192/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_192/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_256/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_256/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_256/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "GCM");
+- attrs.put("SupportedKeyFormats", "RAW");
+-
+- ps("Cipher", "AES/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
+- attrs);
+- psA("Cipher", "AES_128/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES128",
+- attrs);
+- psA("Cipher", "AES_192/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES192",
+- attrs);
+- psA("Cipher", "AES_256/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES256",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "CBC");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DESedeWrap",
+- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "ARCFOUR",
+- "com.sun.crypto.provider.ARCFOURCipher", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "ChaCha20",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
+- null, attrs);
+- psA("Cipher", "ChaCha20-Poly1305",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
+- attrs);
+-
+- // PBES1
+- psA("Cipher", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
+- null);
+- ps("Cipher", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
+- psA("Cipher", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("Cipher", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
+- null);
+-
+- // PBES2
+- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
+-
+- /*
+- * Key(pair) Generator engines
+- */
+- ps("KeyGenerator", "DES",
+- "com.sun.crypto.provider.DESKeyGenerator");
+- psA("KeyGenerator", "DESede",
+- "com.sun.crypto.provider.DESedeKeyGenerator",
+- null);
+- ps("KeyGenerator", "Blowfish",
+- "com.sun.crypto.provider.BlowfishKeyGenerator");
+- psA("KeyGenerator", "AES",
+- "com.sun.crypto.provider.AESKeyGenerator",
+- null);
+- ps("KeyGenerator", "RC2",
+- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
+- psA("KeyGenerator", "ARCFOUR",
+- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
+- null);
+- ps("KeyGenerator", "ChaCha20",
+- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
+- ps("KeyGenerator", "HmacMD5",
+- "com.sun.crypto.provider.HmacMD5KeyGenerator");
+-
+- psA("KeyGenerator", "HmacSHA1",
+- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
+- psA("KeyGenerator", "HmacSHA224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
+- null);
+- psA("KeyGenerator", "HmacSHA256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
+- null);
+- psA("KeyGenerator", "HmacSHA384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
+- null);
+- psA("KeyGenerator", "HmacSHA512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
+- null);
+- psA("KeyGenerator", "HmacSHA512/224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
+- null);
+- psA("KeyGenerator", "HmacSHA512/256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
+- null);
+-
+- psA("KeyGenerator", "HmacSHA3-224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
+- null);
+- psA("KeyGenerator", "HmacSHA3-256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
+- null);
+- psA("KeyGenerator", "HmacSHA3-384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
+- null);
+- psA("KeyGenerator", "HmacSHA3-512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
+- null);
+-
+- psA("KeyPairGenerator", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyPairGenerator",
+- null);
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
++ + "|OAEPWITHMD5ANDMGF1PADDING"
++ + "|OAEPWITHSHA1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-256ANDMGF1PADDING"
++ + "|OAEPWITHSHA-384ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ ps("Cipher", "RSA",
++ "com.sun.crypto.provider.RSACipher", null, attrs);
++
++ // common block cipher modes, pads
++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
++ final String BLOCK_MODES128 = BLOCK_MODES +
++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DES",
++ "com.sun.crypto.provider.DESCipher", null, attrs);
++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
++ attrs);
++ ps("Cipher", "Blowfish",
++ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
++
++ ps("Cipher", "RC2",
++ "com.sun.crypto.provider.RC2Cipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES128);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES",
++ "com.sun.crypto.provider.AESCipher$General", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_128/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_128/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_128/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_192/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_192/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_192/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_256/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_256/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_256/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "GCM");
++ attrs.put("SupportedKeyFormats", "RAW");
++
++ ps("Cipher", "AES/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
++ attrs);
++ psA("Cipher", "AES_128/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES128",
++ attrs);
++ psA("Cipher", "AES_192/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES192",
++ attrs);
++ psA("Cipher", "AES_256/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES256",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "CBC");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DESedeWrap",
++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "ARCFOUR",
++ "com.sun.crypto.provider.ARCFOURCipher", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "ChaCha20",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
++ null, attrs);
++ psA("Cipher", "ChaCha20-Poly1305",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
++ attrs);
++
++ // PBES1
++ psA("Cipher", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
++ null);
++ ps("Cipher", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
++ psA("Cipher", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("Cipher", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
++ null);
++
++ // PBES2
++ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
++
++ /*
++ * Key(pair) Generator engines
++ */
++ ps("KeyGenerator", "DES",
++ "com.sun.crypto.provider.DESKeyGenerator");
++ psA("KeyGenerator", "DESede",
++ "com.sun.crypto.provider.DESedeKeyGenerator",
++ null);
++ ps("KeyGenerator", "Blowfish",
++ "com.sun.crypto.provider.BlowfishKeyGenerator");
++ psA("KeyGenerator", "AES",
++ "com.sun.crypto.provider.AESKeyGenerator",
++ null);
++ ps("KeyGenerator", "RC2",
++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
++ psA("KeyGenerator", "ARCFOUR",
++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
++ null);
++ ps("KeyGenerator", "ChaCha20",
++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
++ ps("KeyGenerator", "HmacMD5",
++ "com.sun.crypto.provider.HmacMD5KeyGenerator");
++
++ psA("KeyGenerator", "HmacSHA1",
++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
++ psA("KeyGenerator", "HmacSHA224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
++ null);
++ psA("KeyGenerator", "HmacSHA256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
++ null);
++ psA("KeyGenerator", "HmacSHA384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
++ null);
++ psA("KeyGenerator", "HmacSHA512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
++ null);
++ psA("KeyGenerator", "HmacSHA512/224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
++ null);
++ psA("KeyGenerator", "HmacSHA512/256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
++ null);
++
++ psA("KeyGenerator", "HmacSHA3-224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
++ null);
++ psA("KeyGenerator", "HmacSHA3-256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
++ null);
++ psA("KeyGenerator", "HmacSHA3-384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
++ null);
++ psA("KeyGenerator", "HmacSHA3-512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
++ null);
++
++ psA("KeyPairGenerator", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyPairGenerator",
++ null);
++ }
+
+ /*
+ * Algorithm parameter generation engines
+@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
+ "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
+ null);
+
+- /*
+- * Key Agreement engines
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
+- "|javax.crypto.interfaces.DHPrivateKey");
+- psA("KeyAgreement", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyAgreement",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key Agreement engines
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
++ "|javax.crypto.interfaces.DHPrivateKey");
++ psA("KeyAgreement", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyAgreement",
++ attrs);
++ }
+
+ /*
+ * Algorithm Parameter engines
+@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
+ psA("AlgorithmParameters", "ChaCha20-Poly1305",
+ "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
+
+- /*
+- * Key factories
+- */
+- psA("KeyFactory", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyFactory",
+- null);
+-
+- /*
+- * Secret-key factories
+- */
+- ps("SecretKeyFactory", "DES",
+- "com.sun.crypto.provider.DESKeyFactory");
+-
+- psA("SecretKeyFactory", "DESede",
+- "com.sun.crypto.provider.DESedeKeyFactory", null);
+-
+- psA("SecretKeyFactory", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
+- null);
+-
+- /*
+- * Internal in-house crypto algorithm used for
+- * the JCEKS keystore type. Since this was developed
+- * internally, there isn't an OID corresponding to this
+- * algorithm.
+- */
+- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
+- null);
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
+-
+- // PBKDF2
+- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
+- null);
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
+-
+- /*
+- * MAC
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
+- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
+- attrs);
+- psA("Mac", "HmacSHA224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
+- psA("Mac", "HmacSHA256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
+- psA("Mac", "HmacSHA384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
+- psA("Mac", "HmacSHA512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
+- psA("Mac", "HmacSHA512/224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
+- psA("Mac", "HmacSHA512/256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
+- psA("Mac", "HmacSHA3-224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
+- psA("Mac", "HmacSHA3-256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
+- psA("Mac", "HmacSHA3-384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
+- psA("Mac", "HmacSHA3-512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
+-
+- ps("Mac", "HmacPBESHA1",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
+- null, attrs);
+- ps("Mac", "HmacPBESHA224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
+- null, attrs);
+- ps("Mac", "HmacPBESHA384",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
+- null, attrs);
+-
+-
+- // PBMAC1
+- ps("Mac", "PBEWithHmacSHA1",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
+- ps("Mac", "PBEWithHmacSHA224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
+- ps("Mac", "PBEWithHmacSHA384",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
+- ps("Mac", "SslMacMD5",
+- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
+- ps("Mac", "SslMacSHA1",
+- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
+-
+- /*
+- * KeyStore
+- */
+- ps("KeyStore", "JCEKS",
+- "com.sun.crypto.provider.JceKeyStore");
+-
+- /*
+- * SSL/TLS mechanisms
+- *
+- * These are strictly internal implementations and may
+- * be changed at any time. These names were chosen
+- * because PKCS11/SunPKCS11 does not yet have TLS1.2
+- * mechanisms, and it will cause calls to come here.
+- */
+- ps("KeyGenerator", "SunTlsPrf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V10");
+- ps("KeyGenerator", "SunTls12Prf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V12");
+-
+- ps("KeyGenerator", "SunTlsMasterSecret",
+- "com.sun.crypto.provider.TlsMasterSecretGenerator",
+- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
+- null);
+-
+- ps("KeyGenerator", "SunTlsKeyMaterial",
+- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
+- List.of("SunTls12KeyMaterial"), null);
+-
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ psA("KeyFactory", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyFactory",
++ null);
++
++ /*
++ * Secret-key factories
++ */
++ ps("SecretKeyFactory", "DES",
++ "com.sun.crypto.provider.DESKeyFactory");
++
++ psA("SecretKeyFactory", "DESede",
++ "com.sun.crypto.provider.DESedeKeyFactory", null);
++
++ psA("SecretKeyFactory", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
++ null);
++
++ /*
++ * Internal in-house crypto algorithm used for
++ * the JCEKS keystore type. Since this was developed
++ * internally, there isn't an OID corresponding to this
++ * algorithm.
++ */
++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
++ null);
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
++
++ // PBKDF2
++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
++ null);
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
++
++ /*
++ * MAC
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
++ attrs);
++ psA("Mac", "HmacSHA224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
++ psA("Mac", "HmacSHA256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
++ psA("Mac", "HmacSHA384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
++ psA("Mac", "HmacSHA512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
++ psA("Mac", "HmacSHA512/224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
++ psA("Mac", "HmacSHA512/256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
++ psA("Mac", "HmacSHA3-224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
++ psA("Mac", "HmacSHA3-256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
++ psA("Mac", "HmacSHA3-384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
++ psA("Mac", "HmacSHA3-512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
++
++ ps("Mac", "HmacPBESHA1",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
++ null, attrs);
++ ps("Mac", "HmacPBESHA224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
++ null, attrs);
++ ps("Mac", "HmacPBESHA384",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
++ null, attrs);
++
++
++ // PBMAC1
++ ps("Mac", "PBEWithHmacSHA1",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
++ ps("Mac", "PBEWithHmacSHA224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
++ ps("Mac", "PBEWithHmacSHA384",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
++ ps("Mac", "SslMacMD5",
++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
++ ps("Mac", "SslMacSHA1",
++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
++
++ /*
++ * KeyStore
++ */
++ ps("KeyStore", "JCEKS",
++ "com.sun.crypto.provider.JceKeyStore");
++
++ /*
++ * SSL/TLS mechanisms
++ *
++ * These are strictly internal implementations and may
++ * be changed at any time. These names were chosen
++ * because PKCS11/SunPKCS11 does not yet have TLS1.2
++ * mechanisms, and it will cause calls to come here.
++ */
++ ps("KeyGenerator", "SunTlsPrf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V10");
++ ps("KeyGenerator", "SunTls12Prf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V12");
++
++ ps("KeyGenerator", "SunTlsMasterSecret",
++ "com.sun.crypto.provider.TlsMasterSecretGenerator",
++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
++ null);
++
++ ps("KeyGenerator", "SunTlsKeyMaterial",
++ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
++ List.of("SunTls12KeyMaterial"), null);
++
++ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
++ List.of("SunTls12RsaPremasterSecret"), null);
++ }
+ }
+
+ // Return the instance of this class or create one if needed.
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index 7cb5ebcde51..709d32912ca 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -193,20 +193,22 @@ public final class SunEntries {
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ }
+
+- /*
+- * Algorithm Parameter Generator engines
+- */
+- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+- "sun.security.provider.DSAParameterGenerator", attrs);
+- attrs.remove("KeySize");
++ /*
++ * Algorithm Parameter Generator engines
++ */
++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
++ "sun.security.provider.DSAParameterGenerator", attrs);
++ attrs.remove("KeySize");
+
+- /*
+- * Algorithm Parameter engines
+- */
+- addWithAlias(p, "AlgorithmParameters", "DSA",
+- "sun.security.provider.DSAParameters", attrs);
++ /*
++ * Algorithm Parameter engines
++ */
++ addWithAlias(p, "AlgorithmParameters", "DSA",
++ "sun.security.provider.DSAParameters", attrs);
+
++ if (!systemFipsEnabled) {
+ /*
+ * Key factories
+ */
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+index ca79f25cc44..16c5ad2e227 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+@@ -27,6 +27,7 @@ package sun.security.rsa;
+
+ import java.util.*;
+ import java.security.Provider;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ /**
+@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+ */
+ public final class SunRsaSignEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private void add(Provider p, String type, String algo, String cn,
+ List aliases, HashMap attrs) {
+ services.add(new Provider.Service(p, type, algo, cn,
+@@ -56,49 +61,52 @@ public final class SunRsaSignEntries {
+ // start populating content using the specified provider
+ // common attribute map
+ HashMap attrs = new HashMap<>(3);
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++
++ add(p, "KeyFactory", "RSA",
++ "sun.security.rsa.RSAKeyFactory$Legacy",
++ getAliases("PKCS1"), null);
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
+
+- add(p, "KeyFactory", "RSA",
+- "sun.security.rsa.RSAKeyFactory$Legacy",
+- getAliases("PKCS1"), null);
+- add(p, "KeyPairGenerator", "RSA",
+- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
+- getAliases("PKCS1"), null);
+- addA(p, "Signature", "MD2withRSA",
+- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
+- addA(p, "Signature", "MD5withRSA",
+- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
+- addA(p, "Signature", "SHA1withRSA",
+- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
+- addA(p, "Signature", "SHA224withRSA",
+- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
+- addA(p, "Signature", "SHA256withRSA",
+- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
+- addA(p, "Signature", "SHA384withRSA",
+- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
+- addA(p, "Signature", "SHA512withRSA",
+- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
+- addA(p, "Signature", "SHA512/224withRSA",
+- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
+- addA(p, "Signature", "SHA512/256withRSA",
+- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-224withRSA",
+- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
+- addA(p, "Signature", "SHA3-256withRSA",
+- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-384withRSA",
+- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
+- addA(p, "Signature", "SHA3-512withRSA",
+- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ addA(p, "KeyFactory", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
++ addA(p, "KeyPairGenerator", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
++ addA(p, "Signature", "RSASSA-PSS",
++ "sun.security.rsa.RSAPSSSignature", attrs);
++ }
+
+- addA(p, "KeyFactory", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
+ addA(p, "AlgorithmParameters", "RSASSA-PSS",
+ "sun.security.rsa.PSSParameters", null);
+ }
+diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 3a322854204..5a355e70cae 100644
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -86,6 +86,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+ fips.provider.2=SUN
+ fips.provider.3=SunEC
+ fips.provider.4=SunJSSE
++fips.provider.5=SunJCE
++fips.provider.6=SunRsaSign
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
new file mode 100644
index 0000000..c609fce
--- /dev/null
+++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
@@ -0,0 +1,213 @@
+commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
+Author: Andrew Hughes
+Date: Mon Feb 7 15:33:27 2022 +0000
+
+ RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index caf678a7dd6..8dcb7d9073f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -23,26 +23,37 @@
+ * questions.
+ */
+
+-#include
+ #include
+ #include
++#include "jvm_md.h"
+ #include
+
+ #ifdef SYSCONF_NSS
+ #include
++#else
++#include
+ #endif //SYSCONF_NSS
+
+ #include "java_security_SystemConfigurator.h"
+
+-#define MSG_MAX_SIZE 96
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+
+-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
+-#ifndef SYSCONF_NSS
+-
+-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+
+ static void throwIOException(JNIEnv *env, const char *msg)
+ {
+@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
+ (*env)->ThrowNew(env, cls, msg);
+ }
+
+-#endif
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
+
+-static void dbgPrint(JNIEnv *env, const char* msg)
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
+ {
+- jstring jMsg;
+- if (debugObj != NULL) {
+- jMsg = (*env)->NewStringUTF(env, msg);
+- CHECK_NULL(jMsg);
+- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+- }
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
+ }
+
++#endif
++
+ /*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
+ return (*env)->GetVersion(env);
+ }
+
+@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+ }
+@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+-#ifdef SYSCONF_NSS
+-
+- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+- fips_enabled = SECMOD_GetSystemFIPSEnabled();
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " SECMOD_GetSystemFIPSEnabled return value");
+- }
+- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ FILE *fe;
+
+-#else // SYSCONF_NSS
+-
+- FILE *fe;
+-
+- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+- }
+- fips_enabled = fgetc(fe);
+- fclose(fe);
+- if (fips_enabled == EOF) {
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+ }
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " read character is '%c'", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
+- } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " read character");
+- }
+- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+ }
diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
new file mode 100644
index 0000000..c8cd963
--- /dev/null
+++ b/SPECS/java-17-openjdk.spec
@@ -0,0 +1,3303 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libjsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
+
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 2
+%global patchver 0
+# If you bump featurever, you must also bump vendor_version_string
+# Used via new version scheme. JDK 17 was
+# GA'ed in September 2021 => 21.9
+%global vendor_version_string 21.9
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 8
+%global rpmrelease 13
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global expected_ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global expected_ea_designator ea
+%global ea_designator_zip -%{expected_ea_designator}
+%global extraver .%{expected_ea_designator}
+%global eaprefix 0.
+%endif
+
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%global family %{name}.%{_arch}
+%global family_noarch %{name}
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka target_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
+%endif
+
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
+%define save_alternatives() %{expand:
+ # warning! alternatives are localised!
+ # LANG=cs_CZ.UTF-8 alternatives --display java | head
+ # LANG=en_US.UTF-8 alternatives --display java | head
+ function nonLocalisedAlternativesDisplayOfMaster() {
+ LANG=en_US.UTF-8 alternatives --display "$MASTER"
+ }
+ function headOfAbove() {
+ nonLocalisedAlternativesDisplayOfMaster | head -n $1
+ }
+ MASTER="%{?1}"
+ LOCAL_LINK="%{?2}"
+ FAMILY="%{?3}"
+ rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+ if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+ if headOfAbove 1 | grep -q manual ; then
+ if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+ headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+ fi
+ fi
+ fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ upgrade1_uninstal0=%{?3}
+ if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+ %{save_alternatives %{?1} %{?2} %{?4}}
+ fi
+ alternatives --remove "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+ MASTER="%{?1}"
+ FAMILY="%{?2}"
+ ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+ if [ -e "$ALTERNATIVES_FILE" ] ; then
+ rm "$ALTERNATIVES_FILE"
+ alternatives --set $MASTER $FAMILY
+ fi
+}
+
+
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+}
+
+%define alternatives_java_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=java
+alternatives \\
+ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=jre_"$X"
+ alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+ if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+ sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
+ fi
+fi
+
+exit 0
+}
+
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+
+%define postun_headless() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
+}
+
+%define posttrans_script() %{expand:
+%{update_desktop_icons}
+}
+
+
+%define alternatives_javac_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=javac
+alternatives \\
+ --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
+%endif
+ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+ --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+ --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+ --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
+ --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+ --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+ %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+ %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+ %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+ %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+ %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+ %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+ %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+ %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
+ %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+ %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=java_sdk_"$X"
+ alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_devel() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+exit 0
+}
+
+%define postun_devel() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+%define posttrans_devel() %{expand:
+%{alternatives_javac_install -- %{?1}}
+%{update_desktop_icons}
+}
+
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+exit 0
+}
+
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc_zip() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+exit 0
+}
+
+%define files_jre() %{expand:
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+}
+
+
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%ifarch %{svml_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/sdp
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a config template, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+# Where recommendations are available, recommend Gtk+ for the Swing look and feel
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Recommends: gtk3%{?_isa}
+%endif
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+Requires: tzdata-java >= 2015d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 4.0
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# Where suggestions are available, recommend the sctp and pcsc libraries
+# for optional support of kernel stream control and card reader
+%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+%endif
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Follow system wide crypto policy RHBZ#1249083
+Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch5: pr3695-toggle_system_crypto_policy.patch
+# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# FIPS support patches
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+Patch1002: rh1818909-fips_default_keystore_type.patch
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+Patch1007: rh1915071-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1008: rh1929465-improve_system_FIPS_detection.patch
+Patch1011: rh1929465-dont_define_unused_throwioexception.patch
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+Patch1009: rh1995150-disable_non-fips_crypto.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1010: rh1996182-login_to_nss_software_token.patch
+Patch1012: rh1996182-extend_security_policy.patch
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+Patch1013: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
+Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch2000: jdk8275535-rh2053256-ldap_auth.patch
+
+#############################################
+#
+# OpenJDK patches appearing in 17.0.1
+#
+#############################################
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-17-openjdk-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+BuildRequires: tzdata-java >= 2015d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools .
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo -- %{nil} -zip}
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+popd # openjdk
+
+%patch1000
+%patch600
+%patch1001
+%patch1002
+%patch1004
+%patch1007
+%patch1008
+%patch1009
+%patch1010
+%patch1011
+%patch1012
+%patch1013
+%patch1014
+%patch1015
+%patch1016
+%patch1017
+%patch1018
+
+%patch2000
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # The OpenJDK version file includes the current
+ # upstream version information. For some reason,
+ # configure does not automatically use the
+ # default pre-version supplied there (despite
+ # what the file claims), so we pass it manually
+ # to configure
+ VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
+ if [ -f ${VERSION_FILE} ] ; then
+ EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+ else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+ fi
+ if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
+ echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
+ exit 17
+ fi
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-version-build=%{buildver} \
+ --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-name="Red Hat, Inc." \
+ --with-vendor-url="https://www.redhat.com/" \
+ --with-vendor-bug-url="%{bugs}" \
+ --with-vendor-vm-bug-url="%{bugs}" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="%{debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=system \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=dynamic \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --with-source-date="${SOURCE_DATE_EPOCH}" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors
+
+ cat spec.gmk
+
+ make \
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+ popd
+}
+
+function installjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
+}
+
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
+ mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+ systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+
+
+ for loop in %{main_suffix} %{staticlibs_loop} ; do
+
+ builddir=%{buildoutputdir -- ${suffix}${loop}}
+ bootbuilddir=boot${builddir}
+
+ if test "x${loop}" = "x%{main_suffix}" ; then
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+ # Use system libraries
+ link_opt="system"
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+ buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+ rm -rf ${bootbuilddir}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+ else
+ # Use bundled libraries for building statically
+ link_opt="bundled"
+ # Static library cycle only builds the static libraries
+ maketargets="%{static_libs_target}"
+ # Always just do the one build for the static libraries
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+
+ done # end of main / staticlibs loop
+
+ # Final setup on the main image
+ top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+ installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+else
+ debug = false;
+end
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+else
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+end
+arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
+cjc = require "copy_jdk_configs.lua"
+args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+cjc.mainProgram(args)
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans devel
+%{posttrans_devel %{nil}}
+
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-13
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Resolves: rhbz#2055383
+
+* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-12
+- Add rpminspect.yaml to turn off Java bytecode inspections
+- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
+- Resolves: rhbz#2023540
+
+* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-11
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- Resolves: rhbz#2058490
+
+* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-10
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008206
+
+* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-9
+- Family extracted to globals
+- Related: rhbz#2008206
+
+* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052829
+
+* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053521
+
+* Mon Feb 21 2022 Andrew Hughes - 1:17.0.2.0.8-6
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2052819
+
+* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-5
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023531
+
+* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-4
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022826
+
+* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-4
+- Replaced tabs by sets of spaces to make rpmlint happy
+- javadoc-zip gets its own provides next to plain javadoc ones
+- Resolves: rhbz#2022826
+
+* Wed Feb 16 2022 Jiri Vanek - 1:17.0.2.0.8-3
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022826
+
+* Wed Feb 16 2022 Andrew Hughes - 1:17.0.2.0.8-2
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
+- Related: rhbz#2022826
+
+* Fri Feb 11 2022 Andrew Hughes - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Rename libsvml.so to libjsvml.so following JDK-8276025
+- Drop JDK-8276572 patch which is now upstream
+- Resolves: rhbz#2039392
+
+* Thu Feb 10 2022 Andrew Hughes - 1:17.0.1.0.12-3
+- Sync desktop files with upstream IcedTea release 3.15.0 using new script
+- Related: rhbz#2022826
+
+* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-2
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+ secmod.db file as part of nss
+- Resolves: rhbz#2023537
+
+* Tue Nov 16 2021 Andrew Hughes - 1:17.0.1.0.12-1
+- Drop JDK-8272332 patch now included upstream.
+- Resolves: rhbz#2013846
+
+* Tue Nov 16 2021 Petra Alice Mikova - 1:17.0.1.0.12-1
+- October CPU update to jdk 17.0.1+12
+- Dropped commented-out source line
+- Resolves: rhbz#2013846
+
+* Tue Nov 09 2021 Andrew Hughes - 1:17.0.0.0.35-8
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2013846
+
+* Tue Nov 09 2021 Severin Gehwolf - 1:17.0.0.0.35-8
+- Set LTS designator.
+- Related: rhbz#2013846
+
+* Mon Nov 08 2021 Jiri Vanek - 1:17.0.0.0.35-7
+- alternatives creation moved to posttrans
+- Thus fixing the old reinstall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008206
+
+* Fri Nov 05 2021 Andrew Hughes - 1:17.0.0.0.35-6
+- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
+- Related: rhbz#2013846
+
+* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-5
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Resolves: rhbz#1994682
+
+* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-5
+- Add patch to allow plain key import.
+- Resolves: rhbz#1994682
+
+* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-4
+- Update release notes to document the major changes between OpenJDK 11 & 17.
+- Resolves: rhbz#2000925
+
+* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-3
+- Update to jdk-17+35, also known as jdk-17-ga.
+- Switch to GA mode.
+- Add JDK-8272332 fix so we actually link against HarfBuzz.
+- Resolves: rhbz#2000925
+
+* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
+- Resolves: rhbz#1997359
+
+* Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea
+- Fix unused function compiler warning found in systemconf.c
+- Related: rhbz#1995889
+
+* Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997359
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea
+- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
+- Resolves: rhbz#1995889
+
+* Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Related: rhbz#1995889
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Related: rhbz#1995889
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea
+- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
+- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
+- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
+- Related: rhbz#1995889
+
+* Thu Aug 26 2021 Martin Balao - 1:17.0.0.0.33-0.1.ea
+- Support the FIPS mode crypto policy (RH1655466)
+- Use appropriate keystore types when in FIPS mode (RH1818909)
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
+- Related: rhbz#1995889
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea
+- Update to jdk-17+33, including JDWP fix and July 2021 CPU
+- Resolves: rhbz#1870625
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.26-0.5.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1870625
+
+* Mon Aug 09 2021 Mohan Boddu - 1:17.0.0.0.26-0.4.ea.1
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 14 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea
+- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
+- Resolves: rhbz#1870625
+
+* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.3.ea
+- Add gating support
+- Resolves: rhbz#1870625
+
+* Fri Jun 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea
+- Re-enable TestSecurityProperties after inclusion of PR3695
+- Resolves: rhbz#1870625
+
+* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea
+- Add PR3695 to allow the system crypto policy to be turned off
+- Resolves: rhbz#1870625
+
+* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.1.ea
+- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
+- Resolves: rhbz#1870625
+
+* Thu Jun 24 2021 Severin Gehwolf - 1:17.0.0.0.26-0.1.ea
+- Update buildjdkver to 17 so as to build with itself
+- Resolves: rhbz#1870625
+
+* Mon Jun 21 2021 Andrew Hughes - 1:17.0.0.0.26-0.0.ea
+- Rename to java-17-openjdk and bootstrap using boot JDK in local sources
+- Exclude x86 as this is not supported by OpenJDK 17
+- Use unzip to test src.zip to avoid looking for jar on path
+- Resolves: rhbz#1870625
+
+* Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling
+- update sources to jdk 17.0.0+26
+- set is_ga to 0, as this is early access build
+- change vendor_version_string
+- change path to the version-numbers.conf
+- removed rmid binary from files and from slaves
+- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
+- add lib/libsyslookup.so to files
+- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
+- add lib/libsvml.so for intel
+- skip debuginfo check for libsyslookup.so on s390x
+
+* Fri May 07 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling
+- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
+
+* Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling
+- adapted to debug handling in newer cjc
+- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
+- Disable copy-jdk-configs for Flatpak builds
+
+* Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling
+- update to 16.0.1+9 april cpu tag
+- dropped jdk8259949-allow_cf-protection_on_x86.patch
+
+* Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling
+- Perform static library build on a separate source tree with bundled image libraries
+- Make static library build optional
+- Based on initial work by Severin Gehwolf
+
+* Tue Mar 09 2021 Jiri Vanek - 1:16.0.0.0.36-1.rolling
+- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
+- bumped buildjdkver to build by itself - 16
+
+* Fri Feb 19 2021 Andrew Hughes - 1:16.0.0.0.36-0.rolling
+- Update to jdk-16.0.0.0+36
+- Update tarball generation script to use git following OpenJDK's move to github
+- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
+- Use upstream default for version-pre rather than setting it to "ea" or ""
+- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
+- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
+- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
+- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
+- Use system harfbuzz now this is supported.
+- Pass SOURCE_DATE_EPOCH to build for reproducible builds
+
+* Fri Feb 19 2021 Stephan Bergmann - 1:15.0.2.0.7-1.rolling
+- Hardcode /usr/sbin/alternatives for Flatpak builds
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:15.0.2.0.7-0.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Andrew Hughes - 1:15.0.2.0.7-0.rolling
+- Update to jdk-15.0.2.0+7
+- Add release notes for 15.0.1.0 & 15.0.2.0
+- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
+- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
+- Cleanup debug package descriptions and version number placement.
+- Remove unused patch files.
+
+* Tue Jan 19 2021 Andrew Hughes - 1:15.0.1.9-10.rolling
+- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
+
+* Tue Dec 22 2020 Jiri Vanek - 1:15.0.1.9-9.rolling
+- fixed missing condition for fastdebug packages being counted as debug ones
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-8.rolling
+- removed lib-style provides for fastdebug_suffix_unquoted
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling
+- many cosmetic changes taken from more maintained jdk11
+- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
+ instead of various hardcoded ifarches
+- updated systemtap
+- added requires excludes for debug pkgs
+- removed redundant logic around jsa files
+- added runtime requires of lksctp-tools and libXcomposite%
+- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
+- s390x excluded form fastdebug build
+
+* Thu Dec 17 2020 Andrew Hughes - 1:15.0.1.9-5.rolling
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
+* Wed Dec 9 2020 Jiri Vanek - 1:15.0.1.9-4.rolling
+- moved wrongly placed licenses to accompany other ones
+- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
+
+* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling
+- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
+- no longer copying of java->alt-java as it is created by patch600
+
+* Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling
+- Create a copy of java as alt-java with alternatives and man pages
+- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
+
+* Sun Oct 25 2020 Petra Alice Mikova - 1:15.0.1.9-1.rolling
+- updated to October CPU 2020 sources
+
+* Thu Oct 22 2020 Severin Gehwolf - 1:15.0.0.36-4.rolling
+- Fix directory ownership of -static-libs sub-package.
+
+* Fri Oct 09 2020 Jiri Vanek - 1:15.0.0.36-3.rolling
+- Build static-libs-image and add resulting files via -static-libs sub-package.
+- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
+- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
+- Update static-libs packaging to new layout
+
+* Mon Sep 21 2020 Petra Alice Mikova - 1:15.0.0.36-2.rolling
+- Add support for fastdebug builds on 64 bit architectures
+
+* Tue Sep 15 2020 Severin Gehwolf - 1:15.0.0.36-1.rolling
+- Remove EA designation
+- Re-generate sources with PR3803 patch
+
+* Mon Aug 31 2020 Petra Alice Mikova - 1:15.0.0.36-0.1.ea.rolling
+- Update to jdk 15.0.0.36 tag
+- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+- Update vendor version string to 20.9
+- jjs removed from packaging after JEP 372: Nashorn removal
+- rmic removed from packaging after JDK-8225319
+
+* Mon Jul 27 2020 Severin Gehwolf - 1:14.0.2.12-2.rolling
+- Disable LTO so as to pass debuginfo check
+
+* Wed Jul 22 2020 Petra Alice Mikova - 1:14.0.2.12-1.rolling
+- update to jdk 14.0.2.12 CPU version
+- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
+- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
+- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
+
+* Thu Jul 09 2020 Andrew Hughes - 1:14.0.1.7-4.rolling
+- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
+- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
+
+* Thu May 14 2020 Petra Alice Mikova - 1:14.0.1.7-3.rolling
+- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
+- rename and reorganize patch sections
+
+* Thu Apr 23 2020 Severin Gehwolf - 1:14.0.1.7-2.rolling
+- Fix vendor version to 20.3 (from 19.9)
+
+* Fri Apr 17 2020 Petra Alice Mikova - 1:14.0.1.7-1.rolling
+- April security update
+- uploaded new src tarball
+
+* Wed Apr 08 2020 Jiri Vanek - 1:14.0.0.36-4.rolling
+- set vendor property and vendor urls
+- made urls to be preconfigured by os
+
+* Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling
+- Remove s390x workaround flags for GCC 10
+- bump buildjdkver to 14
+- uploaded new src tarball
+
+* Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling
+- removed a whitespace causing fail of postinstall script
+- removed backslashes at the end of alternatives command
+
+* Fri Mar 13 2020 Petra Alice Mikova - 1:14.0.0.36-1.rolling
+- update to jdk 14+36 ga build
+- remove JDK-8224851 patch, as OpenJDK 14 already contains it
+- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
+- added listings for jpackage binary, manpages and added slave records to alternatives
+
+* Thu Mar 12 2020 Petra Alice Mikova - 1:13.0.2.8-4.rolling
+- add patch for build issues with make 4.3
+
+* Thu Feb 27 2020 Severin Gehwolf - 1:13.0.2.8-3.rolling
+- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
+- fix issues with build with GCC10: JDK-8224851, -fcommon switch
+
+* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
+- Add JDK-8224851 patch to resolve aarch64 issues
+
+* Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling
+- fix Release, as it was broken by last rpmdev-bumpspec
+
+* Wed Jan 29 2020 Fedora Release Engineering - 1:13.0.2.8-1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Petra Alice Mikova - 1:13.0.2.8-1.rolling
+- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+- updated sources to the 13.0.2+8 tag
+
+* Fri Oct 25 2019 Petra Alice Mikova - 1:13.0.1.9-2.rolling
+- Fixed hardcoded major version in jdk13u to macro
+- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+
+* Mon Oct 21 2019 Petra Alice Mikova - 1:13.0.1.9-1.rolling
+- Updated to October 2019 CPU sources
+
+* Wed Oct 16 2019 Petra Alice Mikova - 1:13.0.0.33-3.rolling
+- synced up generate tarball script with other OpenJDK packages
+- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
+- regenerated sources with the updated script
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
+* Wed Oct 02 2019 Andrew John Hughes - 1:13.0.0.33-3.rolling
+- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
+- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
+- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
+- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
+
+* Tue Oct 01 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Don't produce javadoc/javadoc-zip sub packages for the
+ debug variant build.
+- Don't perform a bootcycle build for the debug variant build.
+
+* Mon Sep 30 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
+
+* Wed Aug 14 2019 Petra Alice Mikova - 1:13.0.0.33-1.rolling
+- updated to 13+33 sources
+- added two manpages to file listings (jfr, jaotc)
+- set is_ga to 1 to match build from jdk.java.net
+
+* Fri Jul 26 2019 Severin Gehwolf - 1:13.0.0.28-0.2.ea.rolling
+- Fix bootjdkver macro. It attempted to build with jdk 12, which is
+ no longer available in rawhide (it's 13 instead).
+- Fix Release as rpmdev-bumpspec doesn't do it correctly.
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1:13.0.0.28-0.1.ea.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 09 2019 Petra Alice Mikova - 1:13.0.0.28-0.1.ea.rolling
+- updated to jdk 13
+- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
+- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+- fixed file listings
+- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
+- Include 'ea' designator in Release when appropriate
+- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
+
+* Tue May 21 2019 Petra Alice Mikova - 1:12.0.1.12-2.rolling
+- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
+
+* Thu Apr 18 2019 Petra Mikova - 1:12.0.1.12-1.rolling
+- updated sources to current CPU release
+
+* Thu Apr 04 2019 Petra Mikova - 1:12.0.0.33-4.rolling
+- added slave for jfr binary in devel package
+
+* Thu Mar 21 2019 Petra Mikova - 1:12.0.0.33-3.rolling
+- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
+- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
+- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
+- removed duplicated dependency on lksctp-tools
+
+* Wed Mar 20 2019 Peter Robinson 1:12.0.0.33-2.ea.1.rolling
+- Drop chkconfig dep, 1.7 shipped in f24
+
+* Thu Mar 07 2019 Petra Mikova - 1:12.0.0.33-1.ea.1.rolling
+- bumped sources to jdk12+33
+
+* Mon Feb 11 2019 Severin Gehwolf - 1:12.0.0.30-1.ea.1.rolling
+- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:12.0.0.25-0.ea.1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 21 2018 Jiri Vanek - 1:12.0.0.25-0.ea.1.rolling
+- bumped sources to jdk12. Crypto list synced.
+- adapted patches to usptream (removed are upstreamed)
+- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
+- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
+- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
+- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
+- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
+- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
+- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
+- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
+- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- set build jdk to jdk11; buildjdkver set to 11
+- todo, revisit _privatelibs and slaves, discuse patch10, more?
+- now building with --no-print-directory to workaround JDK8215213
+- renamed original of docs zip to jdk-major+build
+- check shenandaoh with -XX:+UnlockExperimentalVMOptions
+- libjli moved from lib/libjli to lib
+- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
+- added explanation to the --no-print-directory
+- re-added lts_designator_zip macro
+- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
+
+* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-10.rolling
+- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
+- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
+- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
+
+* Tue Dec 04 2018 Severin Gehwolf - 1:11.0.1.13-9
+- Added %%global _find_debuginfo_opts -g
+- Resolves: RHBZ#1520879 (Detailed NMT issue)
+
+* Fri Nov 30 2018 Jiri Vanek - 1:11.0.1.13-8
+- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
+
+* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6
+- fixed tck failures of arraycopy and process exec with shenandoah on
+- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
+
+* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5
+- headless' suggests of cups, replaced by Requires of cups-libs
+
+* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+ - Removed:
+ RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+ RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+ - Superceded by:
+ jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2
+- Use LTS designator in version output for RHEL.
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1
+- Update to October 2018 CPU release, 11.0.1+13.
+
+* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2
+- Use --with-vendor-version-string=18.9 so as to show original
+ GA date for the JDK.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1
+- Identify as GA version and no longer as early access (EA).
+- JDK 11 has been released for GA on 2018-09-25.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9
+- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
+ RHBZ-1624122.
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libjsig.
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- Reinstate filtering of opt flags coming from redhat-rpm-config.
+
+* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8
+- removed version less provides
+- javadocdir moved to arched dir as it is no longer noarch
+
+* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6
+- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
+ so as to disable log math intrinsic on aarch64. Work-around for
+ JDK-8210858
+
+* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5
+- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
+ so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
+ JDK-8210461.
+
+* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6
+- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- No longer filter -O flags from C flags coming from
+ redhat-rpm-config.
+
+* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4
+- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
+
+* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3
+- Enable ZGC on x86_64.
+
+* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2
+- jfr/*jfc files listed for all arches
+- lib/classlist do not exists s390, ifarch-ed via jit_arches out
+
+* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1
+- Update to latest upstream build jdk11+28, the first release
+ candidate.
+
+* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
+ as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
+
+* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6
+- dissabled accessibility, fixed provides for main package's debug variant
+
+* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5
+- now buildrequires javapackages-filesystem as the issue with macros should be fixed
+
+* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2
+- changed to build by itself instead of by jdk10
+
+* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1
+- added Recommends gtk3 for main package
+- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
+- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
+- see RHBZ1598152
+- added trick to catch hs_err files (sgehwolf)
+- updated to shenandaoh-jdk-11+22
+
+* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1
+- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
+- improved a bit generate_source_tarball.sh to serve also for systemtap
+- thus deleted generate_tapsets.sh
+- simplified and cleared update_package.sh
+- moved to single source jdk - from shenandoah/jdk11
+- bumped to latest jdk11+20
+- adapted PR2126 to jdk11+20
+- adapted handling of systemtap sources to new style
+- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
+- shortened summaries and descriptions to around 80 chars
+- Hunspell spell checked
+- license fixed to correct jdk11 (sgehwolf)
+- more correct handling of internal libraries (sgehwolf)
+- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
+- added test for shenandaoh GC presence where expected
+- Removed workaround for broken aarch64 slowdebug build
+- Removed all defattrs
+- Removed no longer necessary cleanup of diz and debuginfo files
+
+* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1
+- updated sources to jdk-11+19
+- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
+- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
+
+* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5
+- Revert rename: java-11-openjdk => java-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4
+- Add aarch64 to aot_arches.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3
+- Rename to package java-11-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2
+- Disable Aarch64 slowdebug build (see JDK-8204331).
+- s390x doesn't have the SA even though it's a JIT arch.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1
+- Initial version of JDK 11 ea based on tag jdk-11+16.
+- Removed patches no longer needed or upstream:
+ sorted-diff.patch (see JDK-8198844)
+ JDK-8201788-bootcycle-images-jobs.patch
+ JDK-8201509-s390-atomic_store.patch
+ JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
+ JDK-8193802-npe-jar-getVersionMap.patch
+- Updated and renamed patches:
+ java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
+- Updated patches for JDK 11:
+ pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9
+- Use proper private_libs expression for filtering requires/provides.
+
+* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8
+- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
+
+* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7
+- quoted sed expressions, changed possibly confusing # by @
+- added vendor(origin) into icons
+- removed last trace of relative symlinks
+- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
+
+* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5
+- Move to javapackages-filesystem for directory ownership.
+ Resolves RHBZ#1500288
+
+* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4
+- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
+ RHBZ#1557375.
+
+* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3
+- Inject build flags properly. See RHBZ#1571359
+- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
+ since libjsig.so doesn't get linker flags injected properly.
+
+* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2
+- Removed unneeded patches:
+ PStack-808293.patch
+ multiple-pkcs11-library-init.patch
+ ppc_stack_overflow_fix.patch
+- Added patches for s390 Zero builds:
+ JDK-8201495-s390-java-opts.patch
+ JDK-8201509-s390-atomic_store.patch
+- Renamed patches for clarity:
+ aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
+ systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+ bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
+ system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1
+- updated to security update 1
+- jexec unlinked from path
+- used java-openjdk as boot jdk
+- aligned provides/requires
+- renamed zip javadoc
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12
+- Enable basic EC ciphers test in %%check.
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11
+- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
+- Resolves RHBZ#1565658
+
+* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10
+- jexec linked to path
+
+* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9
+- subpackage(s) replaced by sub-package(s) and other cosmetic changes
+
+* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8
+- removed accessibility sub-packages
+- kept applied patch and properties files
+- debug sub-packages renamed to slowdebug
+
+* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1
+- initial load