diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a899280
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/openjdk-jdk17-jdk-17+33.tar.xz
+SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata
new file mode 100644
index 0000000..045cd9d
--- /dev/null
+++ b/.java-17-openjdk.metadata
@@ -0,0 +1,2 @@
+e2edecf5fbb3d791367caf2a0e148d643ad7e9cf SOURCES/openjdk-jdk17-jdk-17+33.tar.xz
+7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
new file mode 100644
index 0000000..c88d968
--- /dev/null
+++ b/SOURCES/NEWS
@@ -0,0 +1,154 @@
+Key:
+
+JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+
+New in release OpenJDK 15.0.2 (2021-01-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-15.0.2.txt
+
+* Security fixes
+ - JDK-8247619: Improve Direct Buffering of Characters
+* Other changes
+ - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8
+ - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test
+ - JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/TestUnrecognizedVmOption.java fails when -XX:+IgnoreUnrecognizedVMOptions is set
+ - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+ - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled
+ - JDK-8248667: Need support for building native libraries located in the test/lib directory
+ - JDK-8249176: Update GlobalSignR6CA test certificates
+ - JDK-8249192: MonitorInfo stores raw oops across safepoints
+ - JDK-8249217: Unexpected StackOverflowError in "process reaper" thread still happens
+ - JDK-8249781: AArch64: AOT compiled code crashes if C2 allocates r27
+ - JDK-8250257: Bump release strings for JDK 15.0.2
+ - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
+ - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+ - JDK-8253191: C2: Masked byte comparisons with large masks produce wrong result on x86
+ - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
+ - JDK-8253566: clazz.isAssignableFrom will return false for interface implementors
+ - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+ - JDK-8253791: Issue with useAppleColor check in CSystemColors.m
+ - JDK-8253960: Memory leak in Java_java_lang_ClassLoader_defineClass0()
+ - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate
+ - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
+ - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ - JDK-8254319: Shenandoah: Interpreter native-LRB needs to activate during HAS_FORWARDED
+ - JDK-8254320: Shenandoah: C2 native LRB should activate for non-cset objects
+ - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics
+ - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
+ - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ - JDK-8255065: Zero: accessor_entry misses the IRIW case
+ - JDK-8255067: Restore Copyright line in file modified by 8253191
+ - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
+ - JDK-8255599: Change jdk 15.0.2 milestone to fcs for build b04
+ - JDK-8255603: Memory/Performance regression after JDK-8210985
+ - JDK-8256051: nmethod_entry_barrier stub miscalculates xmm spill size on x86_32
+ - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX
+ - JDK-8256618: Zero: Linux x86_32 build still fails
+ - JDK-8257181: s390x builds are very noisy with gc-sections messages
+ - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+ - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays
+
+Notes on individual issues:
+===========================
+
+core-libs/java.time:
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
+New in release OpenJDK 15.0.1 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-15.0.1.txt
+
+* Security fixes
+ - JDK-8233624: Enhance JNI linkage
+ - JDK-8236196: Improve string pooling
+ - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ - JDK-8240124: Better VM Interning
+ - JDK-8241114, CVE-2020-14792: Better range handling
+ - JDK-8242680, CVE-2020-14796: Improved URI Support
+ - JDK-8242685, CVE-2020-14797: Better Path Validation
+ - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ - JDK-8243302: Advanced class supports
+ - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ - JDK-8244479: Further constrain certificates
+ - JDK-8244955: Additional Fix for JDK-8240124
+ - JDK-8245407: Enhance zoning of times
+ - JDK-8245412: Better class definitions
+ - JDK-8245417: Improve certificate chain handling
+ - JDK-8248574: Improve jpeg processing
+ - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+ - JDK-8232114: JVM crashed at imjpapi.dll in native code
+ - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+ - JDK-8247251: Assert '(_pcs_length == 0 || last_pc()->pc_offset() < pc_offset) failed: must specify a new, larger pc offset' failure
+ - JDK-8248495: [macos] zerovm is broken due to libffi headers location
+ - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms
+ - JDK-8249165: Remove unneeded nops introduced by 8234160 changes
+ - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
+ - JDK-8249266: Bump release strings for JDK 15.0.1
+ - JDK-8249266: Change jdk 15.0.1 milestone to fcs for build b02
+ - JDK-8250612: jvmciCompilerToVM.cpp declares jio_printf with "void" return type, should be "int"
+ - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY
+ - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+ - JDK-8250876: Fix issues with cross-compile on macos
+ - JDK-8250928: JFR: Improve hash algorithm for stack traces
+ - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier
+ - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed"
+ - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+ - JDK-8251910: Shenandoah: Handshake threads between weak-roots and reset phases
+ - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+ - JDK-8252292: 8240795 may cause anti-dependence to be missed
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252367: Undo JDK-8245000: Windows GDI functions don't support large pages
+ - JDK-8252368: Undo JDK-8245002: Windows GDI functions don't support NUMA interleaving
+ - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
+ - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option
+ - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
+ - JDK-8253222: Shenandoah: unused AlwaysTrueClosure after JDK-8246591
+ - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
+ - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify
+ - JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
+ - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp
+ - JDK-8254560: Shenandoah: Concurrent Strong Roots logging is incorrect
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java
new file mode 100644
index 0000000..b32b7ae
--- /dev/null
+++ b/SOURCES/TestCryptoLevel.java
@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+ Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+ public static void main(String[] args)
+ throws NoSuchFieldException, ClassNotFoundException,
+ IllegalAccessException, InvocationTargetException
+ {
+ Class cls = null;
+ Method def = null, exempt = null;
+
+ try
+ {
+ cls = Class.forName("javax.crypto.JceSecurity");
+ }
+ catch (ClassNotFoundException ex)
+ {
+ System.err.println("Running a non-Sun JDK.");
+ System.exit(0);
+ }
+ try
+ {
+ def = cls.getDeclaredMethod("getDefaultPolicy");
+ exempt = cls.getDeclaredMethod("getExemptPolicy");
+ }
+ catch (NoSuchMethodException ex)
+ {
+ System.err.println("Running IcedTea with the original crypto patch.");
+ System.exit(0);
+ }
+ def.setAccessible(true);
+ exempt.setAccessible(true);
+ PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+ PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+ Class apCls = Class.forName("javax.crypto.CryptoAllPermission");
+ Field apField = apCls.getDeclaredField("INSTANCE");
+ apField.setAccessible(true);
+ Permission allPerms = (Permission) apField.get(null);
+ if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+ {
+ System.err.println("Running with the unlimited policy.");
+ System.exit(0);
+ }
+ else
+ {
+ System.err.println("WARNING: Running with a restricted crypto policy.");
+ System.exit(-1);
+ }
+ }
+}
diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java
new file mode 100644
index 0000000..6eb9cb2
--- /dev/null
+++ b/SOURCES/TestECDSA.java
@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+ Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+ public static void main(String[] args) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ KeyPair key = keyGen.generateKeyPair();
+
+ byte[] data = "This is a string to sign".getBytes("UTF-8");
+
+ Signature dsa = Signature.getInstance("NONEwithECDSA");
+ dsa.initSign(key.getPrivate());
+ dsa.update(data);
+ byte[] sig = dsa.sign();
+ System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+
+ Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+ dsaCheck.initVerify(key.getPublic());
+ dsaCheck.update(data);
+ boolean success = dsaCheck.verify(sig);
+ if (!success) {
+ throw new RuntimeException("Test failed. Signature verification error");
+ }
+ System.out.println("Test passed.");
+ }
+}
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
new file mode 100644
index 0000000..06a0b07
--- /dev/null
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+}
diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in
new file mode 100644
index 0000000..a8917c1
--- /dev/null
+++ b/SOURCES/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@
+Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@
+Exec=@JAVA_HOME@/jconsole
+Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/SOURCES/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
new file mode 100644
index 0000000..ead27be
--- /dev/null
+++ b/SOURCES/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = @NSS_SECMOD@
+nssDbMode = readOnly
+nssModule = fips
+
diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..4efbe9a
--- /dev/null
+++ b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3183: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -52,6 +55,10 @@
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
++ /* System property file*/
++ private static final String SYSTEM_PROPERTIES =
++ "/etc/crypto-policies/back-ends/java.config";
++
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -93,6 +100,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -114,6 +122,31 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
++ if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
diff --git a/SOURCES/pr3695-toggle_system_crypto_policy.patch b/SOURCES/pr3695-toggle_system_crypto_policy.patch
new file mode 100644
index 0000000..3799237
--- /dev/null
+++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+# Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
+- loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+- }
+- }
+-
+- if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+ }
+ }
+
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if (disableSystemProps == null &&
++ "true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
new file mode 100644
index 0000000..e999c7e
--- /dev/null
+++ b/SOURCES/remove-intree-libraries.sh
@@ -0,0 +1,157 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..7be1fae
--- /dev/null
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 534bdae5a16..2df2b59cbf6 100644
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..80cd91c
--- /dev/null
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
++ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+ }
+ }
+
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.nio.file.Files;
++import java.nio.file.Path;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static final String CRYPTO_POLICIES_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/config";
++
++ private static final class SecurityProviderInfo {
++ int number;
++ String key;
++ String value;
++ SecurityProviderInfo(int number, String key, String value) {
++ this.number = number;
++ this.key = key;
++ this.value = value;
++ }
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configure(Properties props) {
++ boolean loadedProps = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ loadedProps = false;
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ loadedProps = true;
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /*
++ * FIPS is enabled only if crypto-policies are set to "FIPS"
++ * and the com.redhat.fips property is true.
++ */
++ private static boolean enableFips() throws Exception {
++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (fipsEnabled) {
++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
++ return pattern.matcher(cryptoPoliciesConfig).find();
++ } else {
++ return false;
++ }
++ }
++}
+diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -87,6 +87,14 @@
+ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=SunJSSE
++
++#
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+ # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+
+ private final static String PROP_NAME = "sun.security.smartcardio.library";
+
+- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+ private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch
new file mode 100644
index 0000000..ff34f3e
--- /dev/null
+++ b/SOURCES/rh1818909-fips_default_keystore_type.patch
@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
+@@ -299,6 +299,11 @@
+ keystore.type=pkcs12
+
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+ # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
new file mode 100644
index 0000000..8dcd9a8
--- /dev/null
+++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
@@ -0,0 +1,318 @@
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index f9baf8c9742..60fa75cab45 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,11 +1,13 @@
+ /*
+- * Copyright (c) 2019, Red Hat, Inc.
++ * Copyright (c) 2019, 2020, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -34,10 +36,10 @@ import java.nio.file.Path;
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.function.Consumer;
+-import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
++import jdk.internal.access.SharedSecrets;
+ import sun.security.util.Debug;
+
+ /**
+@@ -47,7 +49,7 @@ import sun.security.util.Debug;
+ *
+ */
+
+-class SystemConfigurator {
++final class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -61,15 +63,16 @@ class SystemConfigurator {
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+- private static final class SecurityProviderInfo {
+- int number;
+- String key;
+- String value;
+- SecurityProviderInfo(int number, String key, String value) {
+- this.number = number;
+- this.key = key;
+- this.value = value;
+- }
++ private static boolean systemFipsEnabled = false;
++
++ static {
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
+ }
+
+ /*
+@@ -128,9 +131,9 @@ class SystemConfigurator {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+- // If keystore.type is PKCS11, javax.net.ssl.keyStore
+- // must be "NONE". See JDK-8238264.
+- System.setProperty("javax.net.ssl.keyStore", "NONE");
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+@@ -144,12 +147,13 @@ class SystemConfigurator {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+- System.getProperty("javax.net.ssl.keyStore", ""));
++ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
+ loadedProps = true;
++ systemFipsEnabled = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -160,13 +164,30 @@ class SystemConfigurator {
+ return loadedProps;
+ }
+
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+- if (fipsEnabled) {
++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (shouldEnable) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..a31e93ec02e
+--- /dev/null
++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.access;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++}
+diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index f6d3638c3dd..5a2c9eb0c46 100644
+--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -81,6 +81,7 @@ public class SharedSecrets {
+ private static JavaSecuritySpecAccess javaSecuritySpecAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
+ javaUtilCollectionAccess = juca;
+@@ -442,4 +443,12 @@ public class SharedSecrets {
+ MethodHandles.lookup().ensureInitialized(c);
+ } catch (IllegalAccessException e) {}
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+index 6ffdfeda18d..775b185fb06 100644
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -32,6 +32,7 @@ import java.security.cert.*;
+ import java.util.*;
+ import java.util.concurrent.locks.ReentrantLock;
+ import javax.net.ssl.*;
++import jdk.internal.access.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ private static final List serverDefaultCipherSuites;
+
+ static {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10,
+- ProtocolVersion.SSL30,
+- ProtocolVersion.SSL20Hello
+- );
+-
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10,
++ ProtocolVersion.SSL30,
++ ProtocolVersion.SSL20Hello
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+
+ supportedCipherSuites = getApplicableSupportedCipherSuites(
+ supportedProtocols);
+@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ ProtocolVersion[] candidates;
+ if (refactored.isEmpty()) {
+ // Client and server use the same default protocols.
+- candidates = new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- };
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ } else {
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ } else {
+ // Use the customized TLS protocols.
+ candidates =
+diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+index 894e26dfad8..8b16378b96b 100644
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+@@ -27,6 +27,8 @@ package sun.security.ssl;
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ /**
+@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ List.of("SSL"), null);
diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch
new file mode 100644
index 0000000..513fbbf
--- /dev/null
+++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch
@@ -0,0 +1,70 @@
+diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index f1633afb627..ce32c939253 100644
+--- openjdk/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -74,6 +75,15 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -194,9 +204,8 @@ public final class Security {
+ }
+
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+- if (disableSystemProps == null &&
+- "true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+ }
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 60fa75cab45..10b54aa4ce4 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -38,8 +38,6 @@ import java.util.Map.Entry;
+ import java.util.Properties;
+ import java.util.regex.Pattern;
+
+-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+-import jdk.internal.access.SharedSecrets;
+ import sun.security.util.Debug;
+
+ /**
+@@ -65,16 +63,6 @@ final class SystemConfigurator {
+
+ private static boolean systemFipsEnabled = false;
+
+- static {
+- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+- new JavaSecuritySystemConfiguratorAccess() {
+- @Override
+- public boolean isSystemFipsEnabled() {
+- return SystemConfigurator.isSystemFipsEnabled();
+- }
+- });
+- }
+-
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SOURCES/rh1929465-dont_define_unused_throwioexception.patch b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch
new file mode 100644
index 0000000..eba090f
--- /dev/null
+++ b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch
@@ -0,0 +1,69 @@
+commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
+Author: Andrew Hughes
+Date: Sat Aug 28 01:15:28 2021 +0100
+
+ RH1929465: Don't define unused throwIOException function when using NSS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 6f4656bfcb6..38919d6bb0f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -34,14 +34,34 @@
+
+ #include "java_security_SystemConfigurator.h"
+
+-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+ #define MSG_MAX_SIZE 96
+
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
++#ifndef SYSCONF_NSS
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++#endif
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+
+ /*
+ * Class: java_security_SystemConfigurator
+@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+
+ #endif // SYSCONF_NSS
+ }
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+- jclass cls = (*env)->FindClass(env, "java/io/IOException");
+- if (cls != 0)
+- (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+- jstring jMsg;
+- if (debugObj != NULL) {
+- jMsg = (*env)->NewStringUTF(env, msg);
+- CHECK_NULL(jMsg);
+- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+- }
+-}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
new file mode 100644
index 0000000..4dfd1d4
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
@@ -0,0 +1,428 @@
+diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
+new file mode 100644
+index 00000000000..b2b1c1787da
+--- /dev/null
++++ openjdk/make/autoconf/lib-sysconf.m4
+@@ -0,0 +1,84 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
+index a65d91ee974..a8f054c1397 100644
+--- openjdk/make/autoconf/libraries.m4
++++ openjdk/make/autoconf/libraries.m4
+@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
+ m4_include([lib-x11.m4])
+ m4_include([lib-fontconfig.m4])
+ m4_include([lib-tests.m4])
++m4_include([lib-sysconf.m4])
+
+ ################################################################################
+ # Determine which libraries are needed for this configuration
+@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
+ LIB_TESTS_SETUP_GTEST
++ LIB_SETUP_SYSCONF_LIBS
+
+ BASIC_JDKLIB_LIBS=""
+ if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
+diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
+index 29445c8c24f..9b1b512a34a 100644
+--- openjdk/make/autoconf/spec.gmk.in
++++ openjdk/make/autoconf/spec.gmk.in
+@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
+index 5658ff342e5..cb7a56852f7 100644
+--- openjdk/make/modules/java.base/Lib.gmk
++++ openjdk/make/modules/java.base/Lib.gmk
+@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..6f4656bfcb6
+--- /dev/null
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 10b54aa4ce4..6aa1419dfd0 100644
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
+ import java.io.FileInputStream;
+ import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+
+ import sun.security.util.Debug;
+
+@@ -58,11 +54,23 @@ final class SystemConfigurator {
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
+-
+ private static boolean systemFipsEnabled = false;
+
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ @SuppressWarnings("removal")
++ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+@@ -170,16 +178,34 @@ final class SystemConfigurator {
+ }
+
+ /*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+ } else {
+ return false;
+ }
diff --git a/SOURCES/rh1995150-disable_non-fips_crypto.patch b/SOURCES/rh1995150-disable_non-fips_crypto.patch
new file mode 100644
index 0000000..b3d0ae7
--- /dev/null
+++ b/SOURCES/rh1995150-disable_non-fips_crypto.patch
@@ -0,0 +1,596 @@
+diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 9d4a794de1a..39e69362458 100644
+--- openjdk/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -151,6 +151,7 @@ module java.base {
+ java.management,
+ java.naming,
+ java.rmi,
++ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+ jdk.net,
+diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index 912cad59714..c5e13c98bd9 100644
+--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -30,6 +30,7 @@ import java.net.*;
+ import java.util.*;
+ import java.security.*;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.util.SecurityProviderConstants;
+@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ public final class SunEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ // the default algo used by SecureRandom class for new SecureRandom() calls
+ public static final String DEF_SECURE_RANDOM_ALGO;
+
+@@ -94,147 +99,149 @@ public final class SunEntries {
+ // common attribute map
+ HashMap attrs = new HashMap<>(3);
+
+- /*
+- * SecureRandom engines
+- */
+- attrs.put("ThreadSafe", "true");
+- if (NativePRNG.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNG",
+- "sun.security.provider.NativePRNG", attrs);
+- }
+- if (NativePRNG.Blocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGBlocking",
+- "sun.security.provider.NativePRNG$Blocking", attrs);
+- }
+- if (NativePRNG.NonBlocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGNonBlocking",
+- "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * SecureRandom engines
++ */
++ attrs.put("ThreadSafe", "true");
++ if (NativePRNG.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNG",
++ "sun.security.provider.NativePRNG", attrs);
++ }
++ if (NativePRNG.Blocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGBlocking",
++ "sun.security.provider.NativePRNG$Blocking", attrs);
++ }
++ if (NativePRNG.NonBlocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGNonBlocking",
++ "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ }
++ attrs.put("ImplementedIn", "Software");
++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
++ add(p, "SecureRandom", "SHA1PRNG",
++ "sun.security.provider.SecureRandom", attrs);
++
++ /*
++ * Signature engines
++ */
++ attrs.clear();
++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
++ "|java.security.interfaces.DSAPrivateKey";
++ attrs.put("SupportedKeyClasses", dsaKeyClasses);
++ attrs.put("ImplementedIn", "Software");
++
++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
++
++ addWithAlias(p, "Signature", "SHA1withDSA",
++ "sun.security.provider.DSA$SHA1withDSA", attrs);
++ addWithAlias(p, "Signature", "NONEwithDSA",
++ "sun.security.provider.DSA$RawDSA", attrs);
++
++ // for DSA signatures with 224/256-bit digests
++ attrs.put("KeySize", "2048");
++
++ addWithAlias(p, "Signature", "SHA224withDSA",
++ "sun.security.provider.DSA$SHA224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA256withDSA",
++ "sun.security.provider.DSA$SHA256withDSA", attrs);
++
++ addWithAlias(p, "Signature", "SHA3-224withDSA",
++ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-256withDSA",
++ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
++
++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
++
++ addWithAlias(p, "Signature", "SHA384withDSA",
++ "sun.security.provider.DSA$SHA384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA512withDSA",
++ "sun.security.provider.DSA$SHA512withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-384withDSA",
++ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-512withDSA",
++ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++
++ attrs.remove("KeySize");
++
++ add(p, "Signature", "SHA1withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
++ add(p, "Signature", "NONEwithDSAinP1363Format",
++ "sun.security.provider.DSA$RawDSAinP1363Format");
++ add(p, "Signature", "SHA224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
++ add(p, "Signature", "SHA256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
++ add(p, "Signature", "SHA384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
++ add(p, "Signature", "SHA512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
++ add(p, "Signature", "SHA3-224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
++ add(p, "Signature", "SHA3-256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
++ add(p, "Signature", "SHA3-384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
++ add(p, "Signature", "SHA3-512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
++ /*
++ * Key Pair Generator engines
++ */
++ attrs.clear();
++ attrs.put("ImplementedIn", "Software");
++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
++
++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++
++ /*
++ * Algorithm Parameter Generator engines
++ */
++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
++ "sun.security.provider.DSAParameterGenerator", attrs);
++ attrs.remove("KeySize");
++
++ /*
++ * Algorithm Parameter engines
++ */
++ addWithAlias(p, "AlgorithmParameters", "DSA",
++ "sun.security.provider.DSAParameters", attrs);
++
++ /*
++ * Key factories
++ */
++ addWithAlias(p, "KeyFactory", "DSA",
++ "sun.security.provider.DSAKeyFactory", attrs);
++
++ /*
++ * Digest engines
++ */
++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
++ attrs);
++
++ addWithAlias(p, "MessageDigest", "SHA-224",
++ "sun.security.provider.SHA2$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-256",
++ "sun.security.provider.SHA2$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-384",
++ "sun.security.provider.SHA5$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512",
++ "sun.security.provider.SHA5$SHA512", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/224",
++ "sun.security.provider.SHA5$SHA512_224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/256",
++ "sun.security.provider.SHA5$SHA512_256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-224",
++ "sun.security.provider.SHA3$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-256",
++ "sun.security.provider.SHA3$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-384",
++ "sun.security.provider.SHA3$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-512",
++ "sun.security.provider.SHA3$SHA512", attrs);
+ }
+- attrs.put("ImplementedIn", "Software");
+- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+- add(p, "SecureRandom", "SHA1PRNG",
+- "sun.security.provider.SecureRandom", attrs);
+-
+- /*
+- * Signature engines
+- */
+- attrs.clear();
+- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+- "|java.security.interfaces.DSAPrivateKey";
+- attrs.put("SupportedKeyClasses", dsaKeyClasses);
+- attrs.put("ImplementedIn", "Software");
+-
+- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+-
+- addWithAlias(p, "Signature", "SHA1withDSA",
+- "sun.security.provider.DSA$SHA1withDSA", attrs);
+- addWithAlias(p, "Signature", "NONEwithDSA",
+- "sun.security.provider.DSA$RawDSA", attrs);
+-
+- // for DSA signatures with 224/256-bit digests
+- attrs.put("KeySize", "2048");
+-
+- addWithAlias(p, "Signature", "SHA224withDSA",
+- "sun.security.provider.DSA$SHA224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA256withDSA",
+- "sun.security.provider.DSA$SHA256withDSA", attrs);
+-
+- addWithAlias(p, "Signature", "SHA3-224withDSA",
+- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-256withDSA",
+- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+-
+- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+-
+- addWithAlias(p, "Signature", "SHA384withDSA",
+- "sun.security.provider.DSA$SHA384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA512withDSA",
+- "sun.security.provider.DSA$SHA512withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-384withDSA",
+- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-512withDSA",
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+-
+- attrs.remove("KeySize");
+-
+- add(p, "Signature", "SHA1withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+- add(p, "Signature", "NONEwithDSAinP1363Format",
+- "sun.security.provider.DSA$RawDSAinP1363Format");
+- add(p, "Signature", "SHA224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+- add(p, "Signature", "SHA256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+- add(p, "Signature", "SHA384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+- add(p, "Signature", "SHA512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+- add(p, "Signature", "SHA3-224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+- add(p, "Signature", "SHA3-256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+- add(p, "Signature", "SHA3-384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+- add(p, "Signature", "SHA3-512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+- /*
+- * Key Pair Generator engines
+- */
+- attrs.clear();
+- attrs.put("ImplementedIn", "Software");
+- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+-
+- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+-
+- /*
+- * Algorithm Parameter Generator engines
+- */
+- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+- "sun.security.provider.DSAParameterGenerator", attrs);
+- attrs.remove("KeySize");
+-
+- /*
+- * Algorithm Parameter engines
+- */
+- addWithAlias(p, "AlgorithmParameters", "DSA",
+- "sun.security.provider.DSAParameters", attrs);
+-
+- /*
+- * Key factories
+- */
+- addWithAlias(p, "KeyFactory", "DSA",
+- "sun.security.provider.DSAKeyFactory", attrs);
+-
+- /*
+- * Digest engines
+- */
+- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+- attrs);
+-
+- addWithAlias(p, "MessageDigest", "SHA-224",
+- "sun.security.provider.SHA2$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-256",
+- "sun.security.provider.SHA2$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-384",
+- "sun.security.provider.SHA5$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512",
+- "sun.security.provider.SHA5$SHA512", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/224",
+- "sun.security.provider.SHA5$SHA512_224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/256",
+- "sun.security.provider.SHA5$SHA512_256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-224",
+- "sun.security.provider.SHA3$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-256",
+- "sun.security.provider.SHA3$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-384",
+- "sun.security.provider.SHA3$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-512",
+- "sun.security.provider.SHA3$SHA512", attrs);
+
+ /*
+ * Certificates
+diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..9eeb3013e0d 100644
+--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch
new file mode 100644
index 0000000..7622622
--- /dev/null
+++ b/SOURCES/rh1996182-extend_security_policy.patch
@@ -0,0 +1,18 @@
+commit bfd7c5dae9c15266799cb885b8c60199217b65b9
+Author: Andrew Hughes
+Date: Mon Aug 30 16:14:14 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index 8356e56367b..23925f048be 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..475c521
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,65 @@
+commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
+Author: Martin Balao
+Date: Sat Aug 28 00:35:44 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 39e69362458..aeb5fc2eb46 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -151,6 +151,7 @@ module java.base {
+ java.management,
+ java.naming,
+ java.rmi,
++ jdk.crypto.cryptoki,
+ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 112b639aa96..5d3963ea893 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
+
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
new file mode 100644
index 0000000..ed96b3c
--- /dev/null
+++ b/SPECS/java-17-openjdk.spec
@@ -0,0 +1,2873 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+#
+# Only produce a debug build on x86_64:
+# $ fedpkg local --without release
+#
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on with full debugging on
+%global fastdebug_on with minimal debugging on
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global for_fastdebug_on for packages with minimal debugging on
+%global for_debug for packages with debugging on
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build debug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{debug_arches} %{arm}
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libsvml.so)
+%global svml_arches x86_64
+
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable both builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%ifarch %{bootstrap_arches}
+%global bootstrap_build 1
+%else
+%global bootstrap_build 1
+%endif
+
+%if %{bootstrap_build}
+%global release_targets bootcycle-images docs-zip
+%else
+%global release_targets images docs-zip
+%endif
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%endif
+
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _build_cpu
+%ifarch x86_64
+%global archinstall amd64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%endif
+%ifarch ia64
+%global archinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%endif
+%ifnarch %{jit_arches}
+%global archinstall %{_arch}
+%endif
+
+
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 0
+%global patchver 0
+# If you bump featurever, you must bump also vendor_version_string
+# Used via new version scheme. JDK 17 was
+# GA'ed in September 2021 => 21.9
+%global vendor_version_string 21.9
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (this package).
+# Neither for Fedora nor EPEL which would have %%{rhel} macro defined.
+ %global lts_designator ""
+ %global lts_designator_zip ""
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 3.15.0
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 33
+%global rpmrelease 5
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 0
+%if %{is_ga}
+%global build_type GA
+%global expected_ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global expected_ea_designator ea
+%global ea_designator_zip -%{expected_ea_designator}
+%global extraver .%{expected_ea_designator}
+%global eaprefix 0.
+%endif
+
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka build_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{_build_cpu}
+%endif
+
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
+
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+}
+
+
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
+
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+alternatives \\
+ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\
+ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+
+for X in %{origin} %{javaver} ; do
+ alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+done
+
+update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+ if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+ sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
+ fi
+fi
+
+exit 0
+}
+
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+
+%define postun_headless() %{expand:
+ alternatives --remove java %{jrebindir -- %{?1}}/java
+ alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+}
+
+%define posttrans_script() %{expand:
+%{update_desktop_icons}
+}
+
+%define post_devel() %{expand:
+
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+alternatives \\
+ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\
+ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
+ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+ --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+ --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+ --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
+ --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+ --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+ %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+ %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+ %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+ %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+ %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+ %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+ %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+ %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
+ %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+ %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+for X in %{origin} %{javaver} ; do
+ alternatives \\
+ --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+done
+
+update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+exit 0
+}
+
+%define postun_devel() %{expand:
+ alternatives --remove javac %{sdkbindir -- %{?1}}/javac
+ alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+%define posttrans_devel() %{expand:
+%{update_desktop_icons}
+}
+
+%define post_javadoc() %{expand:
+
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+alternatives \\
+ --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
+ $PRIORITY --family %{name}
+exit 0
+}
+
+%define postun_javadoc() %{expand:
+ alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+exit 0
+}
+
+%define post_javadoc_zip() %{expand:
+
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+alternatives \\
+ --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
+ $PRIORITY --family %{name}
+exit 0
+}
+
+%define postun_javadoc_zip() %{expand:
+ alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+exit 0
+}
+
+%define files_jre() %{expand:
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+}
+
+
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%ifarch %{svml_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/sdp
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# these are config templates, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+Recommends: gtk3%{?_isa}
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+Requires: tzdata-java >= 2015d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 3.3
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# for optional support of kernel stream control, card reader and printing bindings
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+#Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (3.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# enable build of speculative store bypass hardened alt-java
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Follow system wide crypto policy RHBZ#1249083
+Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch5: pr3695-toggle_system_crypto_policy.patch
+# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# FIPS support patches
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+Patch1002: rh1818909-fips_default_keystore_type.patch
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+Patch1007: rh1915071-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1008: rh1929465-improve_system_FIPS_detection.patch
+Patch1011: rh1929465-dont_define_unused_throwioexception.patch
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+Patch1009: rh1995150-disable_non-fips_crypto.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1010: rh1996182-login_to_nss_software_token.patch
+Patch1012: rh1996182-extend_security_policy.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-17-openjdk-devel
+# Zero-assembler build requirement
+%ifnarch %{jit_arches}
+BuildRequires: libffi-devel
+%endif
+BuildRequires: tzdata-java >= 2015d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Group: Development/Languages
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Group: Development/Languages
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+Group: Development/Tools
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools .
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+Group: Development/Tools
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+Group: Development/Languages
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+Group: Development/Languages
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+popd # openjdk
+
+%patch1000
+%patch600
+%patch1001
+%patch1002
+%patch1004
+%patch1007
+%patch1008
+%patch1009
+%patch1010
+%patch1011
+%patch1012
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:@JAVA_HOME@:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@JRE_HOME@:%{jrebindir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@ARCH@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_MAJOR_VERSION@:%{featurever}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+export EXTRA_CFLAGS
+
+for suffix in %{build_loop} ; do
+if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+fi
+
+for loop in %{main_suffix} %{staticlibs_loop} ; do
+
+if test "x${loop}" = "x%{main_suffix}" ; then
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+ # Variable used by configure and hs_err hook on build failures
+ link_opt="system"
+ # Debug builds don't need same targets as release for
+ # build speed-up
+ maketargets="%{release_targets}"
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ fi
+else
+ # Variable used by configure and hs_err hook on build failures
+ link_opt="bundled"
+ # Static library cycle only builds the static libraries
+ maketargets="%{static_libs_target}"
+fi
+
+top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}}
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
+ echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
+ exit 17
+fi
+
+mkdir -p ${top_dir_abs_build_path}
+pushd ${top_dir_abs_build_path}
+
+bash ${top_dir_abs_src_path}/configure \
+%ifnarch %{jit_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-version-build=%{buildver} \
+ --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-name="Red Hat, Inc." \
+ --with-vendor-url="https://www.redhat.com/" \
+ --with-vendor-bug-url="%{bugs}" \
+ --with-vendor-vm-bug-url="%{bugs}" \
+ --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \
+ --with-debug-level=$debugbuild \
+ --with-native-debug-symbols=internal \
+ --enable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=system \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=dynamic \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --with-source-date="${SOURCE_DATE_EPOCH}" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors
+
+make \
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+popd >& /dev/null
+
+# Restore original source tree if we modified it by removing full in-tree sources
+if [ -d %{top_level_dir_name_backup} ] ; then
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+fi
+
+done # end of main / staticlibs loop
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+
+# the build (erroneously) removes read permissions from some jars
+# this is a regression in OpenJDK 7 (our compiler):
+# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
+
+# Build screws up permissions on binaries
+# https://bugs.openjdk.java.net/browse/JDK-8173610
+find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
+find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \;
+
+# Install nss.cfg right away as we will be using the JRE above
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Install nss.cfg right away as we will be using the JRE above
+install -m 644 nss.cfg $JAVA_HOME/conf/security/
+
+# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
+
+# Use system-wide tzdata
+rm $JAVA_HOME/lib/tzdb.dat
+ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
+
+# Create fake alt-java as a placeholder for future alt-java
+pushd ${JAVA_HOME}
+# add alt-java man page
+echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+popd
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # If this is the empty library, libsyslookup.so, of the foreign function and memory
+ # API incubation module (JEP 412), skip the debuginfo check as this seems unreliable
+ # on s390x. It's not very useful for other arches either, so skip unconditionally.
+ if [ "`basename $lib`" = "libsyslookup.so" ]; then
+ echo "Skipping debuginfo check for empty library 'libsyslookup.so'"
+ continue
+ fi
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+else
+ debug = false;
+end
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+else
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+end
+-- run content of included file with fake args
+arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+require "copy_jdk_configs.lua"
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans devel
+%{posttrans_devel %{nil}}
+
+%post javadoc
+%{post_javadoc %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%post javadoc-zip
+%{post_javadoc_zip %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
+- Resolves: rhbz#1996182
+
+* Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea
+- Fix unused function compiler warning found in systemconf.c
+- Related: rhbz#1995150
+
+* Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1996182
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea
+- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
+- Resolves: rhbz#1995150
+
+* Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Related: rhbz#1995150
+
+* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea
+- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
+- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
+- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Martin Balao - 1:17.0.0.0.33-0.1.ea
+- Support the FIPS mode crypto policy (RH1655466)
+- Use appropriate keystore types when in FIPS mode (RH1818909)
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
+- Related: rhbz#1995150
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea
+- Update to jdk-17+33, including JDWP fix and July 2021 CPU
+- Resolves: rhbz#1959487
+
+* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.26-0.5.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea
+- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.3.ea
+- Re-enable TestSecurityProperties after inclusion of PR3695
+- Resolves: rhbz#1959487
+
+* Wed Aug 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.3.ea
+- Add PR3695 to allow the system crypto policy to be turned off
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea
+- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
+- Resolves: rhbz#1959487
+
+* Wed Jul 14 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea
+- Update buildjdkver to 17 so as to build with itself
+- Resolves: rhbz#1959487
+
+* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.1.ea
+- Add gating support
+- Resolves: rhbz#1959487
+
+* Mon Jun 21 2021 Andrew Hughes - 1:17.0.0.0.26-0.0.ea
+- Rename as java-17-openjdk and bootstrap using boot JDK in local sources
+- Exclude x86 as this is not supported by OpenJDK 17
+- Resolves: rhbz#1959487
+
+* Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling
+- update sources to jdk 17.0.0+26
+- set is_ga to 0, as this is early access build
+- change vendor_version_string
+- change path to the version-numbers.conf
+- removed rmid binary from files and from slaves
+- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
+- add lib/libsyslookup.so to files
+- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
+- add lib/libsvml.so for intel
+- skip debuginfo check for libsyslookup.so on s390x
+
+* Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling
+- adapted to debug handling in newer cjc
+- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution
+- Disable copy-jdk-configs for Flatpak builds
+
+* Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling
+- update to 16.0.1+9 april cpu tag
+- dropped jdk8259949-allow_cf-protection_on_x86.patch
+
+* Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling
+- Perform static library build on a separate source tree with bundled image libraries
+- Make static library build optional
+- Based on initial work by Severin Gehwolf
+
+* Tue Mar 09 2021 Jiri Vanek - 1:16.0.0.0.36-1.rolling
+- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
+- bumped buildjdkver to build by itself - 16
+
+* Fri Feb 19 2021 Andrew Hughes - 1:16.0.0.0.36-0.rolling
+- Update to jdk-16.0.0.0+36
+- Update tarball generation script to use git following OpenJDK's move to github
+- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
+- Use upstream default for version-pre rather than setting it to "ea" or ""
+- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
+- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
+- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
+- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
+- Use system harfbuzz now this is supported.
+- Pass SOURCE_DATE_EPOCH to build for reproducible builds
+
+* Fri Feb 19 2021 Stephan Bergmann - 1:15.0.2.0.7-1.rolling
+- Hardcode /usr/sbin/alternatives for Flatpak builds
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:15.0.2.0.7-0.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Andrew Hughes - 1:15.0.2.0.7-0.rolling
+- Update to jdk-15.0.2.0+7
+- Add release notes for 15.0.1.0 & 15.0.2.0
+- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
+- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
+- Cleanup debug package descriptions and version number placement.
+- Remove unused patch files.
+
+* Tue Jan 19 2021 Andrew Hughes - 1:15.0.1.9-10.rolling
+- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
+
+* Tue Dec 22 2020 Jiri Vanek - 1:15.0.1.9-9.rolling
+- fixed missing condition for fastdebug packages being counted as debug ones
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-8.rolling
+- removed lib-style provides for fastdebug_suffix_unquoted
+
+* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling
+- many cosmetic changes taken from more maintained jdk11
+- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
+ instead of various hardcoded ifarches
+- updated systemtap
+- added requires excludes for debug pkgs
+- removed redundant logic around jsa files
+- added runtime requires of lksctp-tools and libXcomposite%
+- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
+- s390x excluded form fastdebug build
+
+* Thu Dec 17 2020 Andrew Hughes - 1:15.0.1.9-5.rolling
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
+* Wed Dec 9 2020 Jiri Vanek - 1:15.0.1.9-4.rolling
+- moved wrongly placed licenses to accompany other ones
+- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
+
+* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling
+- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
+- no longer copying of java->alt-java as it is created by patch600
+
+* Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling
+- Create a copy of java as alt-java with alternatives and man pages
+- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
+
+* Sun Oct 25 2020 Petra Alice Mikova - 1:15.0.1.9-1.rolling
+- updated to October CPU 2020 sources
+
+* Thu Oct 22 2020 Severin Gehwolf - 1:15.0.0.36-4.rolling
+- Fix directory ownership of -static-libs sub-package.
+
+* Fri Oct 09 2020 Jiri Vanek - 1:15.0.0.36-3.rolling
+- Build static-libs-image and add resulting files via -static-libs sub-package.
+- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
+- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
+- Update static-libs packaging to new layout
+
+* Mon Sep 21 2020 Petra Alice Mikova - 1:15.0.0.36-2.rolling
+- Add support for fastdebug builds on 64 bit architectures
+
+* Tue Sep 15 2020 Severin Gehwolf - 1:15.0.0.36-1.rolling
+- Remove EA designation
+- Re-generate sources with PR3803 patch
+
+* Mon Aug 31 2020 Petra Alice Mikova - 1:15.0.0.36-0.1.ea.rolling
+- Update to jdk 15.0.0.36 tag
+- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+- Update vendor version string to 20.9
+- jjs removed from packaging after JEP 372: Nashorn removal
+- rmic removed from packaging after JDK-8225319
+
+* Mon Jul 27 2020 Severin Gehwolf - 1:14.0.2.12-2.rolling
+- Disable LTO so as to pass debuginfo check
+
+* Wed Jul 22 2020 Petra Alice Mikova - 1:14.0.2.12-1.rolling
+- update to jdk 14.0.2.12 CPU version
+- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
+- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
+- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
+
+* Thu Jul 09 2020 Andrew Hughes - 1:14.0.1.7-4.rolling
+- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
+- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
+
+* Thu May 14 2020 Petra Alice Mikova - 1:14.0.1.7-3.rolling
+- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
+- rename and reorganize patch sections
+
+* Thu Apr 23 2020 Severin Gehwolf - 1:14.0.1.7-2.rolling
+- Fix vendor version to 20.3 (from 19.9)
+
+* Fri Apr 17 2020 Petra Alice Mikova - 1:14.0.1.7-1.rolling
+- April security update
+- uploaded new src tarball
+
+* Wed Apr 08 2020 Jiri Vanek - 1:14.0.0.36-4.rolling
+- set vendor property and vendor urls
+- made urls to be preconfigured by os
+
+* Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling
+- Remove s390x workaround flags for GCC 10
+- bump buildjdkver to 14
+- uploaded new src tarball
+
+* Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling
+- removed a whitespace causing fail of postinstall script
+- removed backslashes at the end of alternatives command
+
+* Fri Mar 13 2020 Petra Alice Mikova - 1:14.0.0.36-1.rolling
+- update to jdk 14+36 ga build
+- remove JDK-8224851 patch, as OpenJDK 14 already contains it
+- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
+- added listings for jpackage binary, manpages and added slave records to alternatives
+
+* Thu Mar 12 2020 Petra Alice Mikova - 1:13.0.2.8-4.rolling
+- add patch for build issues with make 4.3
+
+* Thu Feb 27 2020 Severin Gehwolf - 1:13.0.2.8-3.rolling
+- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
+- fix issues with build with GCC10: JDK-8224851, -fcommon switch
+
+* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
+- Add JDK-8224851 patch to resolve aarch64 issues
+
+* Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling
+- fix Release, as it was broken by last rpmdev-bumpspec
+
+* Wed Jan 29 2020 Fedora Release Engineering - 1:13.0.2.8-1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jan 17 2020 Petra Alice Mikova - 1:13.0.2.8-1.rolling
+- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+- updated sources to the 13.0.2+8 tag
+
+* Fri Oct 25 2019 Petra Alice Mikova - 1:13.0.1.9-2.rolling
+- Fixed hardcoded major version in jdk13u to macro
+- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
+- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
+
+* Mon Oct 21 2019 Petra Alice Mikova - 1:13.0.1.9-1.rolling
+- Updated to October 2019 CPU sources
+
+* Wed Oct 16 2019 Petra Alice Mikova - 1:13.0.0.33-3.rolling
+- synced up generate tarball script with other OpenJDK packages
+- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
+- regenerated sources with the updated script
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
+* Wed Oct 02 2019 Andrew John Hughes - 1:13.0.0.33-3.rolling
+- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
+- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
+- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
+- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
+
+* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling
+- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
+
+* Tue Oct 01 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Don't produce javadoc/javadoc-zip sub packages for the
+ debug variant build.
+- Don't perform a bootcycle build for the debug variant build.
+
+* Mon Sep 30 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling
+- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
+
+* Wed Aug 14 2019 Petra Alice Mikova - 1:13.0.0.33-1.rolling
+- updated to 13+33 sources
+- added two manpages to file listings (jfr, jaotc)
+- set is_ga to 1 to match build from jdk.java.net
+
+* Fri Jul 26 2019 Severin Gehwolf - 1:13.0.0.28-0.2.ea.rolling
+- Fix bootjdkver macro. It attempted to build with jdk 12, which is
+ no longer available in rawhide (it's 13 instead).
+- Fix Release as rpmdev-bumpspec doesn't do it correctly.
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1:13.0.0.28-0.1.ea.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 09 2019 Petra Alice Mikova - 1:13.0.0.28-0.1.ea.rolling
+- updated to jdk 13
+- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
+- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+- fixed file listings
+- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
+- Include 'ea' designator in Release when appropriate
+- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
+
+* Tue May 21 2019 Petra Alice Mikova - 1:12.0.1.12-2.rolling
+- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
+
+* Thu Apr 18 2019 Petra Mikova - 1:12.0.1.12-1.rolling
+- updated sources to current CPU release
+
+* Thu Apr 04 2019 Petra Mikova - 1:12.0.0.33-4.rolling
+- added slave for jfr binary in devel package
+
+* Thu Mar 21 2019 Petra Mikova - 1:12.0.0.33-3.rolling
+- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
+- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
+- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
+- removed duplicated dependency on lksctp-tools
+
+* Wed Mar 20 2019 Peter Robinson 1:12.0.0.33-2.ea.1.rolling
+- Drop chkconfig dep, 1.7 shipped in f24
+
+* Thu Mar 07 2019 Petra Mikova - 1:12.0.0.33-1.ea.1.rolling
+- bumped sources to jdk12+33
+
+* Mon Feb 11 2019 Severin Gehwolf - 1:12.0.0.30-1.ea.1.rolling
+- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:12.0.0.25-0.ea.1.rolling.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 21 2018 Jiri Vanek - 1:12.0.0.25-0.ea.1.rolling
+- bumped sources to jdk12. Crypto list synced.
+- adapted patches to usptream (removed are upstreamed)
+- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
+- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
+- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
+- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
+- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
+- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
+- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
+- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
+- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+- set build jdk to jdk11; buildjdkver set to 11
+- todo, revisit _privatelibs and slaves, discuse patch10, more?
+- now building with --no-print-directory to workaround JDK8215213
+- renamed original of docs zip to jdk-major+build
+- check shenandaoh with -XX:+UnlockExperimentalVMOptions
+- libjli moved from lib/libjli to lib
+- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
+- added explanation to the --no-print-directory
+- re-added lts_designator_zip macro
+- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
+
+* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-10.rolling
+- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
+- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
+- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
+
+* Tue Dec 04 2018 Severin Gehwolf - 1:11.0.1.13-9
+- Added %%global _find_debuginfo_opts -g
+- Resolves: RHBZ#1520879 (Detailed NMT issue)
+
+* Fri Nov 30 2018 Jiri Vanek - 1:11.0.1.13-8
+- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
+
+* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6
+- fixed tck failures of arraycopy and process exec with shenandoah on
+- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
+
+* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5
+- headless' suggests of cups, replaced by Requires of cups-libs
+
+* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+ - Removed:
+ RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+ RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+ - Superceded by:
+ jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2
+- Use LTS designator in version output for RHEL.
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1
+- Update to October 2018 CPU release, 11.0.1+13.
+
+* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2
+- Use --with-vendor-version-string=18.9 so as to show original
+ GA date for the JDK.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1
+- Identify as GA version and no longer as early access (EA).
+- JDK 11 has been released for GA on 2018-09-25.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9
+- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
+ RHBZ-1624122.
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libjsig.
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- Reinstate filtering of opt flags coming from redhat-rpm-config.
+
+* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8
+- removed version less provides
+- javadocdir moved to arched dir as it is no longer noarch
+
+* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6
+- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
+ so as to disable log math intrinsic on aarch64. Work-around for
+ JDK-8210858
+
+* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5
+- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
+ so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
+ JDK-8210461.
+
+* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6
+- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- No longer filter -O flags from C flags coming from
+ redhat-rpm-config.
+
+* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4
+- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
+
+* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3
+- Enable ZGC on x86_64.
+
+* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2
+- jfr/*jfc files listed for all arches
+- lib/classlist do not exists s390, ifarch-ed via jit_arches out
+
+* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1
+- Update to latest upstream build jdk11+28, the first release
+ candidate.
+
+* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
+ as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
+
+* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6
+- dissabled accessibility, fixed provides for main package's debug variant
+
+* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5
+- now buildrequires javapackages-filesystem as the issue with macros should be fixed
+
+* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2
+- changed to build by itself instead of by jdk10
+
+* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1
+- added Recommends gtk3 for main package
+- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
+- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
+- see RHBZ1598152
+- added trick to catch hs_err files (sgehwolf)
+- updated to shenandaoh-jdk-11+22
+
+* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1
+- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
+- improved a bit generate_source_tarball.sh to serve also for systemtap
+- thus deleted generate_tapsets.sh
+- simplified and cleared update_package.sh
+- moved to single source jdk - from shenandoah/jdk11
+- bumped to latest jdk11+20
+- adapted PR2126 to jdk11+20
+- adapted handling of systemtap sources to new style
+- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
+- shortened summaries and descriptions to around 80 chars
+- Hunspell spell checked
+- license fixed to correct jdk11 (sgehwolf)
+- more correct handling of internal libraries (sgehwolf)
+- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
+- added test for shenandaoh GC presence where expected
+- Removed workaround for broken aarch64 slowdebug build
+- Removed all defattrs
+- Removed no longer necessary cleanup of diz and debuginfo files
+
+* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1
+- updated sources to jdk-11+19
+- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
+- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
+
+* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5
+- Revert rename: java-11-openjdk => java-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4
+- Add aarch64 to aot_arches.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3
+- Rename to package java-11-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2
+- Disable Aarch64 slowdebug build (see JDK-8204331).
+- s390x doesn't have the SA even though it's a JIT arch.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1
+- Initial version of JDK 11 ea based on tag jdk-11+16.
+- Removed patches no longer needed or upstream:
+ sorted-diff.patch (see JDK-8198844)
+ JDK-8201788-bootcycle-images-jobs.patch
+ JDK-8201509-s390-atomic_store.patch
+ JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
+ JDK-8193802-npe-jar-getVersionMap.patch
+- Updated and renamed patches:
+ java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
+- Updated patches for JDK 11:
+ pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9
+- Use proper private_libs expression for filtering requires/provides.
+
+* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8
+- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
+
+* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7
+- quoted sed expressions, changed possibly confusing # by @
+- added vendor(origin) into icons
+- removed last trace of relative symlinks
+- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
+
+* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5
+- Move to javapackages-filesystem for directory ownership.
+ Resolves RHBZ#1500288
+
+* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4
+- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
+ RHBZ#1557375.
+
+* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3
+- Inject build flags properly. See RHBZ#1571359
+- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
+ since libjsig.so doesn't get linker flags injected properly.
+
+* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2
+- Removed unneeded patches:
+ PStack-808293.patch
+ multiple-pkcs11-library-init.patch
+ ppc_stack_overflow_fix.patch
+- Added patches for s390 Zero builds:
+ JDK-8201495-s390-java-opts.patch
+ JDK-8201509-s390-atomic_store.patch
+- Renamed patches for clarity:
+ aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
+ systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+ bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
+ system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1
+- updated to security update 1
+- jexec unlinked from path
+- used java-openjdk as boot jdk
+- aligned provides/requires
+- renamed zip javadoc
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12
+- Enable basic EC ciphers test in %%check.
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11
+- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
+- Resolves RHBZ#1565658
+
+* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10
+- jexec linked to path
+
+* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9
+- subpackage(s) replaced by sub-package(s) and other cosmetic changes
+
+* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8
+- removed accessibility sub-packages
+- kept applied patch and properties files
+- debug sub-packages renamed to slowdebug
+
+* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1
+- initial load