Additional default values of security properties are read from a ++ * system-specific location, if available.
++ * + * @author Benjamin Renaud + * @since 1.1 + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -84,6 +106,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -99,6 +122,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -193,6 +217,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..98ffced455b +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,249 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction+ * PKCS#11 structure: + *
+ * typedef struct CK_PBE_PARAMS {
+- * CK_CHAR_PTR pInitVector;
+- * CK_CHAR_PTR pPassword;
++ * CK_BYTE_PTR pInitVector;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+- * CK_CHAR_PTR pSalt;
++ * CK_BYTE_PTR pSalt;
+ * CK_ULONG ulSaltLen;
+ * CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pInitVector;
++ * CK_BYTE_PTR pInitVector;
+ *
+ */
+- public char[] pInitVector;
++ public byte[] pInitVector;
+
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pPassword;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+ *
+ */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pSalt
++ * CK_BYTE_PTR pSalt
+ * CK_ULONG ulSaltLen;
+ *
+ */
+- public char[] pSalt;
++ public byte[] pSalt;
+
+ /**
+ * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+ */
+ public long ulIteration;
+
++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++ this.pPassword = pPassword;
++ this.pSalt = pSalt;
++ this.ulIteration = ulIteration;
++ }
++
+ /**
+ * Returns the string representation of CK_PBE_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+
+ package sun.security.pkcs11.wrapper;
+
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ * CK_VOID_PTR pSaltSourceData;
+ * CK_ULONG ulSaltSourceDataLen;
+ * CK_ULONG iterations;
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ * CK_VOID_PTR pPrfData;
+ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG_PTR ulPasswordLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ *
+ *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+ */
+ public byte[] pPrfData;
+
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG_PTR ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
+ /**
+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.
++ * PKCS#11 structure:
++ *
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * CK_ULONG iterations;
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ *
++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *
++ */
++ public long saltSource;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ *
++ */
++ public byte[] pSaltSourceData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_ULONG iterations;
++ *
++ */
++ public long iterations;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *
++ */
++ public long prf;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ *
++ */
++ public byte[] pPrfData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
++ /**
++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++ *
++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++ */
++ public String toString() {
++ StringBuilder sb = new StringBuilder();
++
++ sb.append(Constants.INDENT);
++ sb.append("saltSource: ");
++ sb.append(saltSource);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pSaltSourceData: ");
++ sb.append(Functions.toHexString(pSaltSourceData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulSaltSourceDataLen: ");
++ sb.append(pSaltSourceData.length);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("iterations: ");
++ sb.append(iterations);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("prf: ");
++ sb.append(prf);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pPrfData: ");
++ sb.append(Functions.toHexString(pPrfData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulPrfDataLen: ");
++ sb.append(pPrfData.length);
++
++ return sb.toString();
++ }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+ public byte[] pPublicData;
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..5fbf8addcba 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+
+ private long pNativeData;
+
++ private CK_INFO pInfo;
++
+ /**
+ * This method does the initialization of the native library. It is called
+ * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+ * @postconditions
+ */
+ PKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ connect(pkcs11ModulePath, functionListName);
+ this.pkcs11ModulePath = pkcs11ModulePath;
++ pInfo = C_GetInfo();
++ }
++
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
+ }
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+ return pkcs11;
+ }
+
++ /**
++ * Returns the CK_INFO structure fetched at initialization with
++ * C_GetInfo. This structure represent Cryptoki library information.
++ */
++ public CK_INFO getInfo() {
++ return pInfo;
++ }
++
+ /**
+ * Connects this object to the specified PKCS#11 library. This method is for
+ * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+
+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ }
+
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map sensitiveAttrs = new HashMap<>();
++ List nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map sensitiveAttrs,
++ List nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index 0d65ee26805..38fd4aff1f3 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+ public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
+ public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
+
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
+-
+- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
+-
+ public static final long CK_OTP_VALUE = 0x00000000L;
+ public static final long CK_OTP_PIN = 0x00000001L;
+ public static final long CK_OTP_CHALLENGE = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+ public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
+ */
+
++ // PBKDF2 support, used in P11Util
++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
++
+ // private NSS attribute (for DSA and DH private keys)
+ public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L;
+
+ // base number of NSS private attributes
+ public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+- = 0xCE534350L;
++ /* now known as CKM_NSS ^ */ = 0xCE534350L;
+
+ // object type for NSS trust
+ public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+ = 0xCE534355L;
+ public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
+ public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
++
++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++ /* (CKM_NSS + 29) */ = 0xCE53436DL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++ /* (CKM_NSS + 30) */ = 0xCE53436EL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++ /* (CKM_NSS + 31) */ = 0xCE53436FL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++ /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index d941b574cc7..e2de13648be 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+ break;
+ case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ // retrieve java values
+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+ if (jPbeParamsClass == NULL) { return NULL; }
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+ if (fieldID == NULL) { return NULL; }
+ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+
+ // populate using java values
+ ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+ }
+ }
+
++#define PBKD2_PARAM_SET(member, value) \
++ do { \
++ if(ckParamPtr->version == PARAMS) { \
++ ckParamPtr->params.v1.member = value; \
++ } else { \
++ ckParamPtr->params.v2.member = value; \
++ } \
++ } while(0)
++
++#define PBKD2_PARAM_ADDR(member) \
++ ( \
++ (ckParamPtr->version == PARAMS) ? \
++ (void*) &ckParamPtr->params.v1.member : \
++ (void*) &ckParamPtr->params.v2.member \
++ )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+ * pointer
+ *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+ */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++ VersionedPbkd2ParamsPtr ckParamPtr;
++ ParamVersion paramVersion;
++ CK_ULONG_PTR pUlPasswordLen;
+ jclass jPkcs5Pbkd2ParamsClass;
+ jfieldID fieldID;
+ jlong jSaltSource, jIteration, jPrf;
+- jobject jSaltSourceData, jPrfData;
++ jobject jSaltSourceData, jPrfData, jPassword;
+
+ if (pLength != NULL) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++ if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS;
++ } else if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS2;
++ } else {
++ return NULL;
++ }
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+ if (fieldID == NULL) { return NULL; }
+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++ if (fieldID == NULL) { return NULL; }
++ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+
+- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++ // allocate memory for VersionedPbkd2Params and store the structure version
++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+ if (ckParamPtr == NULL) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
++ ckParamPtr->version = paramVersion;
+
+ // populate using java values
+- ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++ jByteArrayToCKByteArray(env, jSaltSourceData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- ckParamPtr->iterations = jLongToCKULong(jIteration);
+- ckParamPtr->prf = jLongToCKULong(jPrf);
+- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++ jByteArrayToCKByteArray(env, jPrfData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++ PBKD2_PARAM_ADDR(ulPrfDataLen));
++ if ((*env)->ExceptionCheck(env)) {
++ goto cleanup;
++ }
++ if (ckParamPtr->version == PARAMS) {
++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++ if (pUlPasswordLen == NULL) {
++ throwOutOfMemoryError(env, 0);
++ goto cleanup;
++ }
++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++ } else {
++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++ }
++ jCharArrayToCKUTF8CharArray(env, jPassword,
++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++ pUlPasswordLen);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ if (pLength != NULL) {
+- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++ *pLength = (ckParamPtr->version == PARAMS ?
++ sizeof(ckParamPtr->params.v1) :
++ sizeof(ckParamPtr->params.v2));
+ }
++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+ return ckParamPtr;
+ cleanup:
+- free(ckParamPtr->pSaltSourceData);
+- free(ckParamPtr->pPrfData);
++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+ free(ckParamPtr);
+ return NULL;
+
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+ case CKM_CAMELLIA_CTR:
+ // params do not contain pointers
+ break;
++ case CKM_PKCS5_PBKD2:
++ // get the versioned structure from behind memory
++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++ break;
++ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++ break;
+ default:
+ // currently unsupported mechs by SunPKCS11 provider
+ // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+ // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+ // PBE mechs, WTLS mechs, CMS mechs,
+ // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+ // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+ jboolean* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+ jbyte* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+ jlong* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+ jchar* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+ jchar* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+
+ #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350)
++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB 0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32)
++
+ /*
+
+ Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++ union {
++ CK_PKCS5_PBKD2_PARAMS v1;
++ CK_PKCS5_PBKD2_PARAMS2 v2;
++ } params;
++ ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \
++ do { \
++ if ((verParamsPtr)->version == PARAMS) { \
++ free((verParamsPtr)->params.v1.pSaltSourceData); \
++ free((verParamsPtr)->params.v1.pPrfData); \
++ free((verParamsPtr)->params.v1.pPassword); \
++ free((verParamsPtr)->params.v1.ulPasswordLen); \
++ } else { \
++ free((verParamsPtr)->params.v2.pSaltSourceData); \
++ free((verParamsPtr)->params.v2.pPrfData); \
++ free((verParamsPtr)->params.v2.pPassword); \
++ } \
++ } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/SOURCES/fips-17u-f8142a23d0a.patch b/SOURCES/fips-17u-f8142a23d0a.patch
deleted file mode 100644
index c07a4bf..0000000
--- a/SOURCES/fips-17u-f8142a23d0a.patch
+++ /dev/null
@@ -1,3658 +0,0 @@
-diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
-new file mode 100644
-index 00000000000..b2b1c1787da
---- /dev/null
-+++ b/make/autoconf/lib-sysconf.m4
-@@ -0,0 +1,84 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
-index a65d91ee974..a8f054c1397 100644
---- a/make/autoconf/libraries.m4
-+++ b/make/autoconf/libraries.m4
-@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
- m4_include([lib-x11.m4])
- m4_include([lib-fontconfig.m4])
- m4_include([lib-tests.m4])
-+m4_include([lib-sysconf.m4])
-
- ################################################################################
- # Determine which libraries are needed for this configuration
-@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
- LIB_SETUP_BUNDLED_LIBS
- LIB_SETUP_MISC_LIBS
- LIB_TESTS_SETUP_GTEST
-+ LIB_SETUP_SYSCONF_LIBS
-
- BASIC_JDKLIB_LIBS=""
- if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
-diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
-index c2c9c4adf3a..9d105b37acf 100644
---- a/make/autoconf/spec.gmk.in
-+++ b/make/autoconf/spec.gmk.in
-@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
- # Libraries
- #
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
-index 5658ff342e5..cb7a56852f7 100644
---- a/make/modules/java.base/Lib.gmk
-+++ b/make/modules/java.base/Lib.gmk
-@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
- endif
- endif
-
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
- ################################################################################
- # Create the symbols file for static builds.
-
-diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..8dcb7d9073f
---- /dev/null
-+++ b/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,224 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include "jvm_md.h"
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#else
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+ }
-+}
-diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index a020e1c15d8..6d459fdec01 100644
---- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-+++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-@@ -31,6 +31,7 @@ import java.security.SecureRandom;
- import java.security.PrivilegedAction;
- import java.util.HashMap;
- import java.util.List;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.util.SecurityProviderConstants.*;
-
-@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
-
- public final class SunJCE extends Provider {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- @java.io.Serial
- private static final long serialVersionUID = 6812507587804302833L;
-
-@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
- void putEntries() {
- // reuse attribute map and reset before each reuse
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-- + "|OAEPWITHMD5ANDMGF1PADDING"
-- + "|OAEPWITHSHA1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-256ANDMGF1PADDING"
-- + "|OAEPWITHSHA-384ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-- ps("Cipher", "RSA",
-- "com.sun.crypto.provider.RSACipher", null, attrs);
--
-- // common block cipher modes, pads
-- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-- final String BLOCK_MODES128 = BLOCK_MODES +
-- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DES",
-- "com.sun.crypto.provider.DESCipher", null, attrs);
-- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-- attrs);
-- ps("Cipher", "Blowfish",
-- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
--
-- ps("Cipher", "RC2",
-- "com.sun.crypto.provider.RC2Cipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES128);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES",
-- "com.sun.crypto.provider.AESCipher$General", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_128/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_128/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_128/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_192/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_192/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_192/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_256/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_256/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_256/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "GCM");
-- attrs.put("SupportedKeyFormats", "RAW");
--
-- ps("Cipher", "AES/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
-- attrs);
-- psA("Cipher", "AES_128/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES128",
-- attrs);
-- psA("Cipher", "AES_192/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES192",
-- attrs);
-- psA("Cipher", "AES_256/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES256",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "CBC");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DESedeWrap",
-- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "ARCFOUR",
-- "com.sun.crypto.provider.ARCFOURCipher", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "ChaCha20",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
-- null, attrs);
-- psA("Cipher", "ChaCha20-Poly1305",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
-- attrs);
--
-- // PBES1
-- psA("Cipher", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
-- null);
-- ps("Cipher", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
-- psA("Cipher", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_128",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("Cipher", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
-- null);
--
-- // PBES2
-- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
--
-- /*
-- * Key(pair) Generator engines
-- */
-- ps("KeyGenerator", "DES",
-- "com.sun.crypto.provider.DESKeyGenerator");
-- psA("KeyGenerator", "DESede",
-- "com.sun.crypto.provider.DESedeKeyGenerator",
-- null);
-- ps("KeyGenerator", "Blowfish",
-- "com.sun.crypto.provider.BlowfishKeyGenerator");
-- psA("KeyGenerator", "AES",
-- "com.sun.crypto.provider.AESKeyGenerator",
-- null);
-- ps("KeyGenerator", "RC2",
-- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-- psA("KeyGenerator", "ARCFOUR",
-- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-- null);
-- ps("KeyGenerator", "ChaCha20",
-- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-- ps("KeyGenerator", "HmacMD5",
-- "com.sun.crypto.provider.HmacMD5KeyGenerator");
--
-- psA("KeyGenerator", "HmacSHA1",
-- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-- psA("KeyGenerator", "HmacSHA224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-- null);
-- psA("KeyGenerator", "HmacSHA256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-- null);
-- psA("KeyGenerator", "HmacSHA384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-- null);
-- psA("KeyGenerator", "HmacSHA512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-- null);
-- psA("KeyGenerator", "HmacSHA512/224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-- null);
-- psA("KeyGenerator", "HmacSHA512/256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-- null);
--
-- psA("KeyGenerator", "HmacSHA3-224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-- null);
-- psA("KeyGenerator", "HmacSHA3-256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-- null);
-- psA("KeyGenerator", "HmacSHA3-384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-- null);
-- psA("KeyGenerator", "HmacSHA3-512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-- null);
--
-- psA("KeyPairGenerator", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyPairGenerator",
-- null);
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedModes", "ECB");
-+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-+ + "|OAEPWITHMD5ANDMGF1PADDING"
-+ + "|OAEPWITHSHA1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-256ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-384ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ ps("Cipher", "RSA",
-+ "com.sun.crypto.provider.RSACipher", null, attrs);
-+
-+ // common block cipher modes, pads
-+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-+ final String BLOCK_MODES128 = BLOCK_MODES +
-+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DES",
-+ "com.sun.crypto.provider.DESCipher", null, attrs);
-+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-+ attrs);
-+ ps("Cipher", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
-+
-+ ps("Cipher", "RC2",
-+ "com.sun.crypto.provider.RC2Cipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES128);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES",
-+ "com.sun.crypto.provider.AESCipher$General", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_128/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_128/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_128/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_192/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_192/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_192/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_256/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_256/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_256/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
-+ attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "GCM");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+
-+ ps("Cipher", "AES/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
-+ attrs);
-+ psA("Cipher", "AES_128/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES128",
-+ attrs);
-+ psA("Cipher", "AES_192/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES192",
-+ attrs);
-+ psA("Cipher", "AES_256/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES256",
-+ attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "CBC");
-+ attrs.put("SupportedPaddings", "NOPADDING");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DESedeWrap",
-+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "ECB");
-+ attrs.put("SupportedPaddings", "NOPADDING");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "ARCFOUR",
-+ "com.sun.crypto.provider.ARCFOURCipher", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "ChaCha20",
-+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
-+ null, attrs);
-+ psA("Cipher", "ChaCha20-Poly1305",
-+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
-+ attrs);
-+
-+ // PBES1
-+ psA("Cipher", "PBEWithMD5AndDES",
-+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
-+ null);
-+ ps("Cipher", "PBEWithMD5AndTripleDES",
-+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
-+ psA("Cipher", "PBEWithSHA1AndDESede",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC2_40",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC2_128",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC4_40",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
-+ null);
-+
-+ psA("Cipher", "PBEWithSHA1AndRC4_128",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
-+ null);
-+
-+ // PBES2
-+ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
-+
-+ /*
-+ * Key(pair) Generator engines
-+ */
-+ ps("KeyGenerator", "DES",
-+ "com.sun.crypto.provider.DESKeyGenerator");
-+ psA("KeyGenerator", "DESede",
-+ "com.sun.crypto.provider.DESedeKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishKeyGenerator");
-+ psA("KeyGenerator", "AES",
-+ "com.sun.crypto.provider.AESKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "RC2",
-+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-+ psA("KeyGenerator", "ARCFOUR",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "ChaCha20",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-+ ps("KeyGenerator", "HmacMD5",
-+ "com.sun.crypto.provider.HmacMD5KeyGenerator");
-+
-+ psA("KeyGenerator", "HmacSHA1",
-+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-+ psA("KeyGenerator", "HmacSHA224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-+ null);
-+
-+ psA("KeyGenerator", "HmacSHA3-224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-+ null);
-+
-+ psA("KeyPairGenerator", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyPairGenerator",
-+ null);
-+ }
-
- /*
- * Algorithm parameter generation engines
-@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
- "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
- null);
-
-- /*
-- * Key Agreement engines
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-- "|javax.crypto.interfaces.DHPrivateKey");
-- psA("KeyAgreement", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyAgreement",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key Agreement engines
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-+ "|javax.crypto.interfaces.DHPrivateKey");
-+ psA("KeyAgreement", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyAgreement",
-+ attrs);
-+ }
-
- /*
- * Algorithm Parameter engines
-@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
- psA("AlgorithmParameters", "ChaCha20-Poly1305",
- "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
-
-- /*
-- * Key factories
-- */
-- psA("KeyFactory", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyFactory",
-- null);
--
-- /*
-- * Secret-key factories
-- */
-- ps("SecretKeyFactory", "DES",
-- "com.sun.crypto.provider.DESKeyFactory");
--
-- psA("SecretKeyFactory", "DESede",
-- "com.sun.crypto.provider.DESedeKeyFactory", null);
--
-- psA("SecretKeyFactory", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-- null);
--
-- /*
-- * Internal in-house crypto algorithm used for
-- * the JCEKS keystore type. Since this was developed
-- * internally, there isn't an OID corresponding to this
-- * algorithm.
-- */
-- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-- null);
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
--
-- // PBKDF2
-- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-- null);
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
--
-- /*
-- * MAC
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-- attrs);
-- psA("Mac", "HmacSHA224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-- psA("Mac", "HmacSHA256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-- psA("Mac", "HmacSHA384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-- psA("Mac", "HmacSHA512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-- psA("Mac", "HmacSHA512/224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-- psA("Mac", "HmacSHA512/256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-- psA("Mac", "HmacSHA3-224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-- psA("Mac", "HmacSHA3-256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-- psA("Mac", "HmacSHA3-384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-- psA("Mac", "HmacSHA3-512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
--
-- ps("Mac", "HmacPBESHA1",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-- null, attrs);
-- ps("Mac", "HmacPBESHA224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-- null, attrs);
-- ps("Mac", "HmacPBESHA384",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-- null, attrs);
--
--
-- // PBMAC1
-- ps("Mac", "PBEWithHmacSHA1",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-- ps("Mac", "PBEWithHmacSHA224",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-- ps("Mac", "PBEWithHmacSHA256",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-- ps("Mac", "PBEWithHmacSHA384",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-- ps("Mac", "PBEWithHmacSHA512",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-- ps("Mac", "SslMacMD5",
-- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-- ps("Mac", "SslMacSHA1",
-- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
--
-- /*
-- * KeyStore
-- */
-- ps("KeyStore", "JCEKS",
-- "com.sun.crypto.provider.JceKeyStore");
--
-- /*
-- * SSL/TLS mechanisms
-- *
-- * These are strictly internal implementations and may
-- * be changed at any time. These names were chosen
-- * because PKCS11/SunPKCS11 does not yet have TLS1.2
-- * mechanisms, and it will cause calls to come here.
-- */
-- ps("KeyGenerator", "SunTlsPrf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V10");
-- ps("KeyGenerator", "SunTls12Prf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V12");
--
-- ps("KeyGenerator", "SunTlsMasterSecret",
-- "com.sun.crypto.provider.TlsMasterSecretGenerator",
-- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-- null);
--
-- ps("KeyGenerator", "SunTlsKeyMaterial",
-- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-- List.of("SunTls12KeyMaterial"), null);
--
-- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-- List.of("SunTls12RsaPremasterSecret"), null);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ psA("KeyFactory", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyFactory",
-+ null);
-+
-+ /*
-+ * Secret-key factories
-+ */
-+ ps("SecretKeyFactory", "DES",
-+ "com.sun.crypto.provider.DESKeyFactory");
-+
-+ psA("SecretKeyFactory", "DESede",
-+ "com.sun.crypto.provider.DESedeKeyFactory", null);
-+
-+ psA("SecretKeyFactory", "PBEWithMD5AndDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-+ null);
-+
-+ /*
-+ * Internal in-house crypto algorithm used for
-+ * the JCEKS keystore type. Since this was developed
-+ * internally, there isn't an OID corresponding to this
-+ * algorithm.
-+ */
-+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-+ null);
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-+
-+ // PBKDF2
-+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-+ null);
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
-+
-+ /*
-+ * MAC
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-+ attrs);
-+ psA("Mac", "HmacSHA224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-+ psA("Mac", "HmacSHA256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-+ psA("Mac", "HmacSHA384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-+ psA("Mac", "HmacSHA512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-+ psA("Mac", "HmacSHA512/224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-+ psA("Mac", "HmacSHA512/256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-+ psA("Mac", "HmacSHA3-224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-+ psA("Mac", "HmacSHA3-256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-+ psA("Mac", "HmacSHA3-384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-+ psA("Mac", "HmacSHA3-512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
-+
-+ ps("Mac", "HmacPBESHA1",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA384",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-+ null, attrs);
-+
-+
-+ // PBMAC1
-+ ps("Mac", "PBEWithHmacSHA1",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA224",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA256",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA384",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA512",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-+ ps("Mac", "SslMacMD5",
-+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-+ ps("Mac", "SslMacSHA1",
-+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
-+
-+ /*
-+ * KeyStore
-+ */
-+ ps("KeyStore", "JCEKS",
-+ "com.sun.crypto.provider.JceKeyStore");
-+
-+ /*
-+ * SSL/TLS mechanisms
-+ *
-+ * These are strictly internal implementations and may
-+ * be changed at any time. These names were chosen
-+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
-+ * mechanisms, and it will cause calls to come here.
-+ */
-+ ps("KeyGenerator", "SunTlsPrf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
-+ ps("KeyGenerator", "SunTls12Prf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
-+
-+ ps("KeyGenerator", "SunTlsMasterSecret",
-+ "com.sun.crypto.provider.TlsMasterSecretGenerator",
-+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-+ null);
-+
-+ ps("KeyGenerator", "SunTlsKeyMaterial",
-+ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-+ List.of("SunTls12KeyMaterial"), null);
-+
-+ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-+ List.of("SunTls12RsaPremasterSecret"), null);
-+ }
- }
-
- // Return the instance of this class or create one if needed.
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index ff2bc942c03..96a3ba4040c 100644
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@ import java.net.URL;
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -47,12 +48,20 @@ import sun.security.jca.*;
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ * Additional default values of security properties are read from a
-+ * system-specific location, if available.
-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging? -- for developers */
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -67,6 +76,19 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -84,6 +106,7 @@ public final class Security {
- props = new Properties();
- boolean loadedProps = false;
- boolean overrideAll = false;
-+ boolean systemSecPropsEnabled = false;
-
- // first load the system properties file
- // to determine the value of security.overridePropertiesFile
-@@ -99,6 +122,7 @@ public final class Security {
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -193,6 +217,61 @@ public final class Security {
- }
- }
-
-+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
-+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
-+ if (sdebug != null) {
-+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
-+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
-+ }
-+ if (!sysUseProps && secUseProps) {
-+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
-+ if (!systemSecPropsEnabled) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System security properties could not be loaded.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("System security property support disabled by user.");
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps && systemSecPropsEnabled) {
-+ boolean shouldEnable;
-+ String sysProp = System.getProperty("com.redhat.fips");
-+ if (sysProp == null) {
-+ shouldEnable = true;
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
- }
-
- /*
-diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..98ffced455b
---- /dev/null
-+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,249 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ boolean systemSecPropsLoaded = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ systemSecPropsLoaded = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+ return systemSecPropsLoaded;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws Exception {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..3f3caac64dc
---- /dev/null
-+++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.access;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index f6d3638c3dd..a1ee182d913 100644
---- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -39,6 +39,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -81,6 +82,7 @@ public class SharedSecrets {
- private static JavaSecuritySpecAccess javaSecuritySpecAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
- private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
- javaUtilCollectionAccess = juca;
-@@ -442,4 +444,15 @@ public class SharedSecrets {
- MethodHandles.lookup().ensureInitialized(c);
- } catch (IllegalAccessException e) {}
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 63bb580eb3a..dbbf11bbb22 100644
---- a/src/java.base/share/classes/module-info.java
-+++ b/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,8 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.cryptoki,
-+ jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
- jdk.net,
-diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index 912cad59714..709d32912ca 100644
---- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -30,6 +30,7 @@ import java.net.*;
- import java.util.*;
- import java.security.*;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.action.GetPropertyAction;
- import sun.security.util.SecurityProviderConstants;
-@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
-
- public final class SunEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- // the default algo used by SecureRandom class for new SecureRandom() calls
- public static final String DEF_SECURE_RANDOM_ALGO;
-
-@@ -94,99 +99,101 @@ public final class SunEntries {
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-
-- /*
-- * SecureRandom engines
-- */
-- attrs.put("ThreadSafe", "true");
-- if (NativePRNG.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNG",
-- "sun.security.provider.NativePRNG", attrs);
-- }
-- if (NativePRNG.Blocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGBlocking",
-- "sun.security.provider.NativePRNG$Blocking", attrs);
-- }
-- if (NativePRNG.NonBlocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGNonBlocking",
-- "sun.security.provider.NativePRNG$NonBlocking", attrs);
-- }
-- attrs.put("ImplementedIn", "Software");
-- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-- add(p, "SecureRandom", "SHA1PRNG",
-- "sun.security.provider.SecureRandom", attrs);
--
-- /*
-- * Signature engines
-- */
-- attrs.clear();
-- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-- "|java.security.interfaces.DSAPrivateKey";
-- attrs.put("SupportedKeyClasses", dsaKeyClasses);
-- attrs.put("ImplementedIn", "Software");
--
-- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
--
-- addWithAlias(p, "Signature", "SHA1withDSA",
-- "sun.security.provider.DSA$SHA1withDSA", attrs);
-- addWithAlias(p, "Signature", "NONEwithDSA",
-- "sun.security.provider.DSA$RawDSA", attrs);
--
-- // for DSA signatures with 224/256-bit digests
-- attrs.put("KeySize", "2048");
--
-- addWithAlias(p, "Signature", "SHA224withDSA",
-- "sun.security.provider.DSA$SHA224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA256withDSA",
-- "sun.security.provider.DSA$SHA256withDSA", attrs);
--
-- addWithAlias(p, "Signature", "SHA3-224withDSA",
-- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-256withDSA",
-- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
--
-- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
--
-- addWithAlias(p, "Signature", "SHA384withDSA",
-- "sun.security.provider.DSA$SHA384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA512withDSA",
-- "sun.security.provider.DSA$SHA512withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-384withDSA",
-- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-512withDSA",
-- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
--
-- attrs.remove("KeySize");
-+ if (!systemFipsEnabled) {
-+ /*
-+ * SecureRandom engines
-+ */
-+ attrs.put("ThreadSafe", "true");
-+ if (NativePRNG.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNG",
-+ "sun.security.provider.NativePRNG", attrs);
-+ }
-+ if (NativePRNG.Blocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGBlocking",
-+ "sun.security.provider.NativePRNG$Blocking", attrs);
-+ }
-+ if (NativePRNG.NonBlocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGNonBlocking",
-+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
-+ }
-+ attrs.put("ImplementedIn", "Software");
-+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-+ add(p, "SecureRandom", "SHA1PRNG",
-+ "sun.security.provider.SecureRandom", attrs);
-
-- add(p, "Signature", "SHA1withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-- add(p, "Signature", "NONEwithDSAinP1363Format",
-- "sun.security.provider.DSA$RawDSAinP1363Format");
-- add(p, "Signature", "SHA224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-- add(p, "Signature", "SHA256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-- add(p, "Signature", "SHA384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-- add(p, "Signature", "SHA512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-- add(p, "Signature", "SHA3-224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-- add(p, "Signature", "SHA3-256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-- add(p, "Signature", "SHA3-384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-- add(p, "Signature", "SHA3-512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-- /*
-- * Key Pair Generator engines
-- */
-- attrs.clear();
-- attrs.put("ImplementedIn", "Software");
-- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-+ /*
-+ * Signature engines
-+ */
-+ attrs.clear();
-+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-+ "|java.security.interfaces.DSAPrivateKey";
-+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
-+ attrs.put("ImplementedIn", "Software");
-+
-+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-+
-+ addWithAlias(p, "Signature", "SHA1withDSA",
-+ "sun.security.provider.DSA$SHA1withDSA", attrs);
-+ addWithAlias(p, "Signature", "NONEwithDSA",
-+ "sun.security.provider.DSA$RawDSA", attrs);
-+
-+ // for DSA signatures with 224/256-bit digests
-+ attrs.put("KeySize", "2048");
-+
-+ addWithAlias(p, "Signature", "SHA224withDSA",
-+ "sun.security.provider.DSA$SHA224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA256withDSA",
-+ "sun.security.provider.DSA$SHA256withDSA", attrs);
-+
-+ addWithAlias(p, "Signature", "SHA3-224withDSA",
-+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-256withDSA",
-+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-+
-+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-+
-+ addWithAlias(p, "Signature", "SHA384withDSA",
-+ "sun.security.provider.DSA$SHA384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA512withDSA",
-+ "sun.security.provider.DSA$SHA512withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-384withDSA",
-+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-512withDSA",
-+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+
-+ attrs.remove("KeySize");
-+
-+ add(p, "Signature", "SHA1withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-+ add(p, "Signature", "NONEwithDSAinP1363Format",
-+ "sun.security.provider.DSA$RawDSAinP1363Format");
-+ add(p, "Signature", "SHA224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-+ add(p, "Signature", "SHA256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-+ add(p, "Signature", "SHA384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-+ add(p, "Signature", "SHA512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-+ /*
-+ * Key Pair Generator engines
-+ */
-+ attrs.clear();
-+ attrs.put("ImplementedIn", "Software");
-+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-
-- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ }
-
- /*
- * Algorithm Parameter Generator engines
-@@ -201,40 +208,42 @@ public final class SunEntries {
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
-
-- /*
-- * Key factories
-- */
-- addWithAlias(p, "KeyFactory", "DSA",
-- "sun.security.provider.DSAKeyFactory", attrs);
--
-- /*
-- * Digest engines
-- */
-- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ addWithAlias(p, "KeyFactory", "DSA",
-+ "sun.security.provider.DSAKeyFactory", attrs);
-
-- addWithAlias(p, "MessageDigest", "SHA-224",
-- "sun.security.provider.SHA2$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-256",
-- "sun.security.provider.SHA2$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-384",
-- "sun.security.provider.SHA5$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512",
-- "sun.security.provider.SHA5$SHA512", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/224",
-- "sun.security.provider.SHA5$SHA512_224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/256",
-- "sun.security.provider.SHA5$SHA512_256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-224",
-- "sun.security.provider.SHA3$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-256",
-- "sun.security.provider.SHA3$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-384",
-- "sun.security.provider.SHA3$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-512",
-- "sun.security.provider.SHA3$SHA512", attrs);
-+ /*
-+ * Digest engines
-+ */
-+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-+ attrs);
-+
-+ addWithAlias(p, "MessageDigest", "SHA-224",
-+ "sun.security.provider.SHA2$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-256",
-+ "sun.security.provider.SHA2$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-384",
-+ "sun.security.provider.SHA5$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512",
-+ "sun.security.provider.SHA5$SHA512", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/224",
-+ "sun.security.provider.SHA5$SHA512_224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/256",
-+ "sun.security.provider.SHA5$SHA512_256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-224",
-+ "sun.security.provider.SHA3$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-256",
-+ "sun.security.provider.SHA3$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-384",
-+ "sun.security.provider.SHA3$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-512",
-+ "sun.security.provider.SHA3$SHA512", attrs);
-+ }
-
- /*
- * Certificates
-diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index ca79f25cc44..225517ac69b 100644
---- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-@@ -27,6 +27,7 @@ package sun.security.rsa;
-
- import java.util.*;
- import java.security.Provider;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- /**
-@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- */
- public final class SunRsaSignEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private void add(Provider p, String type, String algo, String cn,
- List aliases, HashMap attrs) {
- services.add(new Provider.Service(p, type, algo, cn,
-@@ -56,49 +61,58 @@ public final class SunRsaSignEntries {
- // start populating content using the specified provider
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ }
-
- add(p, "KeyFactory", "RSA",
- "sun.security.rsa.RSAKeyFactory$Legacy",
- getAliases("PKCS1"), null);
-- add(p, "KeyPairGenerator", "RSA",
-- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-- getAliases("PKCS1"), null);
-- addA(p, "Signature", "MD2withRSA",
-- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-- addA(p, "Signature", "MD5withRSA",
-- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-- addA(p, "Signature", "SHA1withRSA",
-- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-- addA(p, "Signature", "SHA224withRSA",
-- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-- addA(p, "Signature", "SHA256withRSA",
-- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-- addA(p, "Signature", "SHA384withRSA",
-- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-- addA(p, "Signature", "SHA512withRSA",
-- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-- addA(p, "Signature", "SHA512/224withRSA",
-- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-- addA(p, "Signature", "SHA512/256withRSA",
-- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-224withRSA",
-- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-- addA(p, "Signature", "SHA3-256withRSA",
-- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-384withRSA",
-- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-- addA(p, "Signature", "SHA3-512withRSA",
-- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ add(p, "KeyPairGenerator", "RSA",
-+ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ }
-
- addA(p, "KeyFactory", "RSASSA-PSS",
- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-+ addA(p, "Signature", "RSASSA-PSS",
-+ "sun.security.rsa.RSAPSSSignature", attrs);
-+ }
-+
- addA(p, "AlgorithmParameters", "RSASSA-PSS",
- "sun.security.rsa.PSSParameters", null);
- }
-diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index 6ffdfeda18d..775b185fb06 100644
---- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -32,6 +32,7 @@ import java.security.cert.*;
- import java.util.*;
- import java.util.concurrent.locks.ReentrantLock;
- import javax.net.ssl.*;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- private static final List serverDefaultCipherSuites;
-
- static {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10,
-- ProtocolVersion.SSL30,
-- ProtocolVersion.SSL20Hello
-- );
--
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10,
-+ ProtocolVersion.SSL30,
-+ ProtocolVersion.SSL20Hello
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
-
- supportedCipherSuites = getApplicableSupportedCipherSuites(
- supportedProtocols);
-@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- ProtocolVersion[] candidates;
- if (refactored.isEmpty()) {
- // Client and server use the same default protocols.
-- candidates = new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- };
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ } else {
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- } else {
- // Use the customized TLS protocols.
- candidates =
-diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 894e26dfad8..8b16378b96b 100644
---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-@@ -27,6 +27,8 @@ package sun.security.ssl;
-
- import java.security.*;
- import java.util.*;
-+
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- /**
-@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- List.of("SSL"), null);
-diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 6d91e3f8e4e..adfaf57d29e 100644
---- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -79,6 +79,16 @@ security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-
-+#
-+# Security providers used when FIPS mode support is active
-+#
-+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
-+fips.provider.2=SUN
-+fips.provider.3=SunEC
-+fips.provider.4=SunJSSE
-+fips.provider.5=SunJCE
-+fips.provider.6=SunRsaSign
-+
- #
- # A list of preferred providers for specific algorithms. These providers will
- # be searched for matching algorithms before the list of registered providers.
-@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false
- #
- keystore.type=pkcs12
-
-+#
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
- #
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
-@@ -326,6 +341,13 @@ package.definition=sun.misc.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index b22f26947af..3ee2ce6ea88 100644
---- a/src/java.base/share/lib/security/default.policy
-+++ b/src/java.base/share/lib/security/default.policy
-@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
- grant codeBase "jrt:/jdk.crypto.ec" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "loadLibrary.sunec";
- permission java.security.SecurityPermission "putProviderProperty.SunEC";
- permission java.security.SecurityPermission "clearProviderProperties.SunEC";
-@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
- grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.com.sun.crypto.provider";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..9bb31555f48
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,490 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.security.interfaces.RSAPrivateCrtKey;
-+import java.security.interfaces.RSAPrivateKey;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.SecretKeyFactory;
-+import javax.crypto.spec.SecretKeySpec;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAPrivateCrtKeyImpl;
-+import sun.security.rsa.RSAUtil;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static volatile P11Key importerKey = null;
-+ private static SecretKeySpec exporterKey = null;
-+ private static volatile P11Key exporterKeyP11 = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ // Do not take the exporterKeyLock with the importerKeyLock held.
-+ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
-+ private static volatile CK_MECHANISM importerKeyMechanism = null;
-+ private static volatile CK_MECHANISM exporterKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+ private static Cipher exporterCipher = null;
-+
-+ private static volatile Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static volatile KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ importerKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
-+ long keyClass, long keyType, Map sensitiveAttrs)
-+ throws PKCS11Exception {
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be exported in" +
-+ " system FIPS mode.");
-+ }
-+ if (exporterKeyP11 == null) {
-+ try {
-+ exporterKeyLock.lock();
-+ if (exporterKeyP11 == null) {
-+ if (exporterKeyMechanism == null) {
-+ // Exporter Key creation has not been tried yet. Try it.
-+ createExporterKey(token);
-+ }
-+ if (exporterKeyP11 == null || exporterCipher == null) {
-+ if (debug != null) {
-+ debug.println("Exporter Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ if (debug != null) {
-+ debug.println("Exporter Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ }
-+ long exporterKeyID = exporterKeyP11.getKeyID();
-+ try {
-+ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
-+ exporterKeyMechanism, exporterKeyID, hObject);
-+ byte[] plainExportedKey = null;
-+ exporterKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ exporterKeyP11.releaseKeyID();
-+ }
-+ }
-+
-+ private static void exportPrivateKey(
-+ Map sensitiveAttrs, long keyType,
-+ byte[] plainExportedKey) throws Throwable {
-+ if (keyType == CKK_RSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
-+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
-+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
-+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
-+ );
-+ CK_ATTRIBUTE attr;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
-+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
-+ }
-+ if (rsaPKey instanceof RSAPrivateCrtKey) {
-+ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
-+ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
-+ }
-+ } else {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT);
-+ }
-+ } else if (keyType == CKK_DSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ new sun.security.provider.DSAPrivateKey(plainExportedKey)
-+ .getX().toByteArray();
-+ } else if (keyType == CKK_EC) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
-+ .getS().toByteArray();
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
-+ }
-+ }
-+
-+ private static void checkAttrs(Map sensitiveAttrs,
-+ String keyName, long... validAttrs)
-+ throws PKCS11Exception {
-+ int sensitiveAttrsCount = sensitiveAttrs.size();
-+ if (sensitiveAttrsCount <= validAttrs.length) {
-+ int validAttrsCount = 0;
-+ for (long validAttr : validAttrs) {
-+ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
-+ }
-+ if (validAttrsCount == sensitiveAttrsCount) return;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " invalid attribute types for a " + keyName + " key object");
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec(
-+ (byte[])importerKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Importer Key");
-+ }
-+ }
-+ }
-+
-+ private static void createExporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Exporter Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ byte[] exporterKeyRaw = new byte[32];
-+ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
-+ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
-+ try {
-+ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
-+ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
-+ if (exporterKeyP11 != null) {
-+ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
-+ new IvParameterSpec(
-+ (byte[])exporterKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ exporterKey = null;
-+ exporterKeyP11 = null;
-+ exporterCipher = null;
-+ // exporterKeyMechanism value is kept initialized to indicate that
-+ // Exporter Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Exporter Key");
-+ }
-+ }
-+ }
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 9b69072280e..b403e6d3c6d 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-@@ -37,6 +37,8 @@ import javax.crypto.*;
- import javax.crypto.interfaces.*;
- import javax.crypto.spec.*;
-
-+import jdk.internal.access.SharedSecrets;
-+
- import sun.security.rsa.RSAUtil.KeyType;
- import sun.security.rsa.RSAPublicKeyImpl;
- import sun.security.rsa.RSAPrivateCrtKeyImpl;
-@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil;
- */
- abstract class P11Key implements Key, Length {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- private static final long serialVersionUID = -2575874101938349339L;
-
- private static final String PUBLIC = "public";
-@@ -379,7 +384,8 @@ abstract class P11Key implements Key, Length {
- new CK_ATTRIBUTE(CKA_SENSITIVE),
- new CK_ATTRIBUTE(CKA_EXTRACTABLE),
- });
-- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
-+ if (!plainKeySupportEnabled && (attributes[1].getBoolean() ||
-+ (attributes[2].getBoolean() == false))) {
- return new P11PrivateKey
- (session, keyID, algorithm, keyLength, attributes);
- } else {
-@@ -461,7 +467,8 @@ abstract class P11Key implements Key, Length {
- }
- public String getFormat() {
- token.ensureValid();
-- if (sensitive || (extractable == false)) {
-+ if (!plainKeySupportEnabled &&
-+ (sensitive || (extractable == false))) {
- return null;
- } else {
- return "RAW";
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 112b639aa96..5549cd9ed4e 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback;
-
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.misc.InnocuousThread;
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ private static final MethodHandle fipsExportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ MethodHandle fipsExportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "exportKey",
-+ MethodType.methodType(void.class, SunPKCS11.class,
-+ long.class, long.class,
-+ long.class, long.class, Map.class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer-exporter" +
-+ " initialization failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ fipsExportKey = fipsExportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ MethodHandle fipsKeyExporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ fipsKeyExporter = MethodHandles.insertArguments(
-+ fipsExportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,7 +383,8 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- }
- p11 = tmpPKCS11;
-
-@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..1e98ce2e280 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,18 +153,43 @@ public class PKCS11 {
- this.pkcs11ModulePath = pkcs11ModulePath;
- }
-
-+ /*
-+ * Compatibility wrapper to allow this method to work as before
-+ * when FIPS mode support is not active.
-+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
-+ return getInstance(pkcs11ModulePath, functionList,
-+ pInitArgs, omitInitialize, null, null);
-+ }
-+
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter,
-+ MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null &&
-+ fipsKeyExporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(PKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ FIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.PKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ SynchronizedFIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public synchronized void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
-+ MethodHandle fipsKeyExporter, long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ Map sensitiveAttrs = new HashMap<>();
-+ List nonSensitiveAttrs = new LinkedList<>();
-+ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
-+ sensitiveAttrs, nonSensitiveAttrs);
-+ try {
-+ if (sensitiveAttrs.size() > 0) {
-+ long keyClass = -1L;
-+ long keyType = -1L;
-+ try {
-+ // Secret and private keys have both class and type
-+ // attributes, so we can query them at once.
-+ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
-+ new CK_ATTRIBUTE(CKA_CLASS),
-+ new CK_ATTRIBUTE(CKA_KEY_TYPE),
-+ };
-+ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
-+ keyClass = queryAttrs[0].getLong();
-+ keyType = queryAttrs[1].getLong();
-+ } catch (PKCS11Exception e) {
-+ // If the query fails, the object is neither a secret nor a
-+ // private key. As this case won't be handled with the FIPS
-+ // Key Exporter, we keep keyClass initialized to -1L.
-+ }
-+ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
-+ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
-+ sensitiveAttrs);
-+ if (nonSensitiveAttrs.size() > 0) {
-+ CK_ATTRIBUTE[] pNonSensitiveAttrs =
-+ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
-+ int i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ pNonSensitiveAttrs[i++] = nonSensAttr;
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject,
-+ pNonSensitiveAttrs);
-+ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
-+ // update the reference on the previous CK_ATTRIBUTEs
-+ i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
-+ }
-+ }
-+ return;
-+ }
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
-+ Map sensitiveAttrs,
-+ List nonSensitiveAttrs) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ long type = attr.type;
-+ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
-+ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
-+ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
-+ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
-+ type == CKA_COEFFICIENT) {
-+ sensitiveAttrs.put(type, attr);
-+ } else {
-+ nonSensitiveAttrs.add(attr);
-+ }
-+ }
-+ }
-+}
- }
-diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-index 8c9e4f9dbe6..883dc04758e 100644
---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-@@ -38,6 +38,7 @@ import java.util.HashMap;
- import java.util.Iterator;
- import java.util.List;
-
-+import jdk.internal.access.SharedSecrets;
- import sun.security.ec.ed.EdDSAAlgorithmParameters;
- import sun.security.ec.ed.EdDSAKeyFactory;
- import sun.security.ec.ed.EdDSAKeyPairGenerator;
-@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
-
- private static final long serialVersionUID = -2279741672933606418L;
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private static class ProviderServiceA extends ProviderService {
- ProviderServiceA(Provider p, String type, String algo, String cn,
- HashMap attrs) {
-@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
-
- putXDHEntries();
- putEdDSAEntries();
--
-- /*
-- * Signature engines
-- */
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-- null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$RawinP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA1withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
--
-- putService(new ProviderService(this, "Signature",
-- "SHA3-224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
--
-- /*
-- * Key Pair Generator engine
-- */
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EC", "sun.security.ec.ECKeyPairGenerator",
-- List.of("EllipticCurve"), ATTRS));
--
-- /*
-- * Key Agreement engine
-- */
-- putService(new ProviderService(this, "KeyAgreement",
-- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Signature engines
-+ */
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-+ null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA1withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
-+
-+ /*
-+ * Key Pair Generator engine
-+ */
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EC", "sun.security.ec.ECKeyPairGenerator",
-+ List.of("EllipticCurve"), ATTRS));
-+
-+ /*
-+ * Key Agreement engine
-+ */
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ }
- }
-
- private void putXDHEntries() {
-@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
- "X448", "sun.security.ec.XDHKeyFactory.X448",
- ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-- ATTRS));
--
-- putService(new ProviderService(this, "KeyAgreement",
-- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X448", "sun.security.ec.XDHKeyAgreement.X448",
-- ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X448", "sun.security.ec.XDHKeyAgreement.X448",
-+ ATTRS));
-+ }
- }
-
- private void putEdDSAEntries() {
-@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
- putService(new ProviderServiceA(this, "KeyFactory",
- "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ }
-
- }
- }
diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
deleted file mode 100644
index 51bd6d2..0000000
--- a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index 70903206ea0..09956084cf9 100644
---- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
- ctx = getLdapCtxFromUrl(
- r.getDomainName(), url, new LdapURL(u), env);
- return ctx;
-+ } catch (AuthenticationException e) {
-+ // do not retry on a different endpoint to avoid blocking
-+ // the user if authentication credentials are wrong.
-+ throw e;
- } catch (NamingException e) {
- // try the next element
- lastException = e;
-@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
- for (String u : urls) {
- try {
- return getUsingURL(u, env);
-+ } catch (AuthenticationException e) {
-+ // do not retry on a different URL to avoid blocking
-+ // the user if authentication credentials are wrong.
-+ throw e;
- } catch (NamingException e) {
- ex = e;
- }
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
deleted file mode 100644
index 2d9ec35..0000000
--- a/SOURCES/nss.fips.cfg.in
+++ /dev/null
@@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
index e999c7e..25c2fc8 100644
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
@@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)"
-# On full runs, allow for zlib having already been deleted by minimal
+# On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
-# Minimal is limited to just zlib so finish here
+# Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then
echo "Finished.";
exit 0;
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
index bae8bdb..79000e6 100644
--- a/SPECS/java-17-openjdk.spec
+++ b/SPECS/java-17-openjdk.spec
@@ -23,6 +23,8 @@
%bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -39,6 +41,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -190,11 +202,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@@ -305,7 +321,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 4
+%global updatever 6
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
@@ -345,14 +361,14 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver f8142a23d0a
+%global fipsver 72d08e3226f
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
+%global buildver 9
%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -379,7 +395,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -411,7 +427,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -815,6 +831,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@@ -933,7 +952,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@@ -972,11 +991,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@@ -1099,8 +1118,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2022a required as of JDK-8283350 in 17.0.4
-Requires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+Requires: tzdata-java >= 2022g
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1292,8 +1311,8 @@ Source15: TestSecurityProperties.java
# Ensure vendor settings are correct
Source16: CheckVendor.java
-# nss fips configuration file
-Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
############################################
#
@@ -1338,6 +1357,14 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@@ -1345,8 +1372,6 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
-Patch2000: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
@@ -1354,6 +1379,12 @@ Patch2000: jdk8275535-rh2053256-ldap_auth.patch
#
#############################################
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: alsa-lib-devel
@@ -1363,14 +1394,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@@ -1392,8 +1417,8 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022a required as of JDK-8283350 in 17.0.4
-BuildRequires: tzdata-java >= 2022a
+# 2022g required as of JDK-8297804
+BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1402,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@@ -1751,8 +1800,11 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
+
+%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
+%endif
# Patch the JDK
pushd %{top_level_dir_name}
@@ -1768,8 +1820,6 @@ popd # openjdk
%patch600
-%patch2000
-
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
@@ -1787,8 +1837,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
- # Don't fail at present as upstream are not maintaining the value correctly
- #exit 17
+ exit 17
fi
# Extract systemtap tapsets
@@ -1840,9 +1889,6 @@ done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
-
%build
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@@ -1886,6 +1932,14 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
@@ -1897,6 +1951,10 @@ function buildjdk() {
mkdir -p ${outputdir}
pushd ${outputdir}
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches}
--with-jvm-variants=zero \
@@ -1917,13 +1975,14 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
- --with-stdc++lib=dynamic \
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \
@@ -1963,9 +2022,6 @@ function installjdk() {
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
@@ -2009,12 +2065,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
+ link_opt="%{link_type}"
+%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
- # Use system libraries
- link_opt="system"
+%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@@ -2032,9 +2089,11 @@ for suffix in %{build_loop} ; do
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
+%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@@ -2102,6 +2161,11 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@@ -2558,9 +2622,88 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jan 04 2023 Andrew Hughes - 1:17.0.6.0.9-0.3.ea
+- Update to jdk-17.0.6+9
+- Update release notes to 17.0.6+9
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- Resolves: rhbz#2150198
+
+* Sat Dec 03 2022 Andrew Hughes - 1:17.0.6.0.1-0.3.ea
+- Update to jdk-17.0.6+1
+- Update release notes to 17.0.6+1
+- Switch to EA mode for 17.0.6 pre-release builds.
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Bump tzdata requirement to 2022e now the package is available in RHEL
+- Related: rhbz#2150198
+
+* Wed Nov 23 2022 Andrew Hughes - 1:17.0.5.0.8-5
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2118493
+
+* Wed Oct 26 2022 Andrew Hughes - 1:17.0.5.0.8-2
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+- Resolves: rhbz#2133695
+
+* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+- Resolves: rhbz#2130622
+
+* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.2.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130622
+
+* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-5
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121268
+
+* Mon Aug 29 2022 Stephan Bergmann - 1:17.0.4.1.1-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102726
+
+* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-3
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2104725
+- Resolves: rhbz#2117758
+- Resolves: rhbz#2115164
+- Resolves: rhbz#2029665
+
+* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-2
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119532
+
* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-3
-- Update to jdk-17.0.3.0+8
-- Update release notes to 17.0.3.0+8
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
- Switch to GA mode for release
- Resolves: rhbz#2106524