diff --git a/.java-21-openjdk.checksum b/.java-21-openjdk.checksum
index 54495baf385b08cfc246a8116667929d5c223345..3f5325242a24e0615aa01fb08ca8ce19bd62b438 100644
--- a/.java-21-openjdk.checksum
+++ b/.java-21-openjdk.checksum
@@ -1 +1 @@
-Direct Git Import
+4e546e384601feac2e6384b01e5762032334f9c93ce28c7d548dfc0cfd0ecdb7
diff --git a/.java-21-openjdk.metadata b/.java-21-openjdk.metadata
index f06b19a1e58e284352d6c45279a6de63e3f177fc..0f744174208d508eef84d6b6ec14edc539a31a24 100644
--- a/.java-21-openjdk.metadata
+++ b/.java-21-openjdk.metadata
@@ -1 +1,2 @@
+9ca965b81c935859350dff694ef13c4eae2e1b8dee2b423988f998ab51795f57 SOURCES/openjdk-21.0.2+13.tar.xz
d8a785cc9cc71745c17ecb9e5f0f919e7776b2f21584634f1eb71e4c7e813d6f SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/README.md b/SOURCES/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..cf5e2198d8f06f17211288659197d4241e894cea
--- /dev/null
+++ b/SOURCES/README.md
@@ -0,0 +1,39 @@
+OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform.
+
+For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream
+release page for OpenJDK 21 and the preceding interim releases:
+
+* 18: https://openjdk.java.net/projects/jdk/18/
+* 19: https://openjdk.java.net/projects/jdk/19/
+* 20: https://openjdk.java.net/projects/jdk/20/
+* 21: https://openjdk.java.net/projects/jdk/21/
+
+# Rebuilding the OpenJDK package
+
+The OpenJDK packages are now created from a single build which is then
+packaged for different major versions of Red Hat Enterprise Linux
+(RHEL). This allows the OpenJDK team to focus their efforts on the
+development and testing of this single build, rather than having
+multiple builds which only differ by the platform they were built on.
+
+This does make rebuilding the package slightly more complicated than a
+normal package. Modifications should be made to the
+`java-21-openjdk-portable.specfile` file, which can be found with this
+README file in the source RPM or installed in the documentation tree
+by the `java-21-openjdk-headless` RPM.
+
+Once the modified `java-21-openjdk-portable` RPMs are built, they
+should be installed and will produce a number of tarballs in the
+`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be
+built, which will use these tarballs to create the usual RPMs found in
+RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the
+desired final RPMs are produced.
+
+Note that the `java-21-openjdk.spec` file has a hard requirement on
+the exact version of java-21-openjdk-portable to use, so this will
+need to be modified if the version or rpmrelease values are changed in
+`java-21-openjdk-portable.specfile`.
+
+To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
+builds may be disabled using `--without fastdebug` and `--without
+slowdebug`.
diff --git a/SOURCES/alt-java.c b/SOURCES/alt-java.c
new file mode 100644
index 0000000000000000000000000000000000000000..644d002ae9ba2fe5a2115757747fbf454f783e0e
--- /dev/null
+++ b/SOURCES/alt-java.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Red Hat designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Red Hat in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include <errno.h>
+#include <libgen.h>
+#include <linux/limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() {
+#if defined(__linux__) && defined(__x86_64__)
+ // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
+ // if ( prctl(PR_SET_SPECULATION_CTRL,
+ // PR_SPEC_STORE_BYPASS,
+ // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ // return;
+ // }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+}
+
+int main(int argc, char **argv) {
+ set_speculation();
+
+ char our_name[PATH_MAX], java_name[PATH_MAX];
+ ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
+ if (len < 0) {
+ perror("I can't find myself");
+ exit(2);
+ }
+
+ our_name[len] = '\0'; // readlink(2) doesn't append a null byte
+ char *path = dirname(our_name);
+ strncpy(java_name, path, PATH_MAX - 1);
+
+ size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
+ strncat(java_name, "/java", remaining_bytes);
+
+ execv(java_name, argv);
+ fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
+
+ exit(1);
+}
+
diff --git a/SOURCES/fips-21u-75ffdc48eda.patch b/SOURCES/fips-21u-75ffdc48eda.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8413fe1ac84ab87b468a0b286ff22819e86eccdf
--- /dev/null
+++ b/SOURCES/fips-21u-75ffdc48eda.patch
@@ -0,0 +1,4233 @@
+diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
+index 5f4b22bb27f..1ca9f5b8ffe 100644
+--- a/make/autoconf/build-aux/pkg.m4
++++ b/make/autoconf/build-aux/pkg.m4
+@@ -179,3 +179,19 @@ else
+ ifelse([$3], , :, [$3])
+ fi[]dnl
+ ])# PKG_CHECK_MODULES
++
++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
++dnl -------------------------------------------
++dnl Since: 0.28
++dnl
++dnl Retrieves the value of the pkg-config variable for the given module.
++AC_DEFUN([PKG_CHECK_VAR],
++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
++
++_PKG_CONFIG([$1], [variable="][$3]["], [$2])
++AS_VAR_COPY([$1], [pkg_cv_][$1])
++
++AS_VAR_IF([$1], [""], [$5], [$4])dnl
++])dnl PKG_CHECK_VAR
+diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
+new file mode 100644
+index 00000000000..f48fc7f7e80
+--- /dev/null
++++ b/make/autoconf/lib-sysconf.m4
+@@ -0,0 +1,87 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++ AC_MSG_CHECKING([for NSS library directory])
++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
++
++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++ AC_SUBST(NSS_LIBDIR)
++])
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a1fc81564b1..ebad69d9dcf 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -35,6 +35,7 @@ m4_include([lib-std.m4])
+ m4_include([lib-x11.m4])
+
+ m4_include([lib-tests.m4])
++m4_include([lib-sysconf.m4])
+
+ ################################################################################
+ # Determine which libraries are needed for this configuration
+@@ -134,6 +135,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_X11
+
+ LIB_TESTS_SETUP_GTEST
++ LIB_SETUP_SYSCONF_LIBS
+
+ BASIC_JDKLIB_LIBS=""
+ BASIC_JDKLIB_LIBS_TARGET=""
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0f85917814e..9419562b654 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -867,6 +867,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++NSS_LIBDIR:=@NSS_LIBDIR@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
+index 9e5cfe2d0fc..434ade8e182 100644
+--- a/make/modules/java.base/Gendata.gmk
++++ b/make/modules/java.base/Gendata.gmk
+@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
+ TARGETS += $(GENDATA_JAVA_SECURITY)
+
+ ################################################################################
++
++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
++
++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
++ $(call LogInfo, Generating nss.fips.cfg)
++ $(call MakeTargetDir)
++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
++ )
++
++TARGETS += $(GENDATA_NSS_FIPS_CFG)
++
++################################################################################
+diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
+index 1e0f66726d0..59fe923f2c5 100644
+--- a/make/modules/java.base/Lib.gmk
++++ b/make/modules/java.base/Lib.gmk
+@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++))
++
++TARGETS += $(BUILD_LIBSYSTEMCONF)
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+index 10093137151..b023c63ae58 100644
+--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+@@ -31,6 +31,7 @@ import java.security.SecureRandom;
+ import java.security.PrivilegedAction;
+ import java.util.HashMap;
+ import java.util.List;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.util.SecurityProviderConstants.*;
+
+@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*;
+
+ public final class SunJCE extends Provider {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ @java.io.Serial
+ private static final long serialVersionUID = 6812507587804302833L;
+
+@@ -147,298 +152,299 @@ public final class SunJCE extends Provider {
+ void putEntries() {
+ // reuse attribute map and reset before each reuse
+ HashMap<String, String> attrs = new HashMap<>(3);
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
+- + "|OAEPWITHMD5ANDMGF1PADDING"
+- + "|OAEPWITHSHA1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-256ANDMGF1PADDING"
+- + "|OAEPWITHSHA-384ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
+- ps("Cipher", "RSA",
+- "com.sun.crypto.provider.RSACipher", null, attrs);
+-
+- // common block cipher modes, pads
+- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
+- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
+- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
+- final String BLOCK_MODES128 = BLOCK_MODES +
+- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
+- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
+- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DES",
+- "com.sun.crypto.provider.DESCipher", null, attrs);
+- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
+- attrs);
+- ps("Cipher", "Blowfish",
+- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
+-
+- ps("Cipher", "RC2",
+- "com.sun.crypto.provider.RC2Cipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES128);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES",
+- "com.sun.crypto.provider.AESCipher$General", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_128/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_128/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_128/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_192/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_192/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_192/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_256/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_256/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_256/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "GCM");
+- attrs.put("SupportedKeyFormats", "RAW");
+-
+- ps("Cipher", "AES/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
+- attrs);
+- psA("Cipher", "AES_128/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES128",
+- attrs);
+- psA("Cipher", "AES_192/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES192",
+- attrs);
+- psA("Cipher", "AES_256/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES256",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "CBC");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DESedeWrap",
+- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "ARCFOUR",
+- "com.sun.crypto.provider.ARCFOURCipher", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "ChaCha20",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
+- null, attrs);
+- psA("Cipher", "ChaCha20-Poly1305",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
+- attrs);
+-
+- // PBES1
+- psA("Cipher", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
+- null);
+- ps("Cipher", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
+- psA("Cipher", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("Cipher", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
+- null);
+-
+- // PBES2
+- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128");
+-
+-
+- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256");
+-
+- /*
+- * Key(pair) Generator engines
+- */
+- ps("KeyGenerator", "DES",
+- "com.sun.crypto.provider.DESKeyGenerator");
+- psA("KeyGenerator", "DESede",
+- "com.sun.crypto.provider.DESedeKeyGenerator",
+- null);
+- ps("KeyGenerator", "Blowfish",
+- "com.sun.crypto.provider.BlowfishKeyGenerator");
+- psA("KeyGenerator", "AES",
+- "com.sun.crypto.provider.AESKeyGenerator",
+- null);
+- ps("KeyGenerator", "RC2",
+- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
+- psA("KeyGenerator", "ARCFOUR",
+- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
+- null);
+- ps("KeyGenerator", "ChaCha20",
+- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
+- ps("KeyGenerator", "HmacMD5",
+- "com.sun.crypto.provider.HmacMD5KeyGenerator");
+-
+- psA("KeyGenerator", "HmacSHA1",
+- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
+- psA("KeyGenerator", "HmacSHA224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
+- null);
+- psA("KeyGenerator", "HmacSHA256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
+- null);
+- psA("KeyGenerator", "HmacSHA384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
+- null);
+- psA("KeyGenerator", "HmacSHA512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
+- null);
+- psA("KeyGenerator", "HmacSHA512/224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
+- null);
+- psA("KeyGenerator", "HmacSHA512/256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
+- null);
+-
+- psA("KeyGenerator", "HmacSHA3-224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
+- null);
+- psA("KeyGenerator", "HmacSHA3-256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
+- null);
+- psA("KeyGenerator", "HmacSHA3-384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
+- null);
+- psA("KeyGenerator", "HmacSHA3-512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
+- null);
+-
+- psA("KeyPairGenerator", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyPairGenerator",
+- null);
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
++ + "|OAEPWITHMD5ANDMGF1PADDING"
++ + "|OAEPWITHSHA1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-256ANDMGF1PADDING"
++ + "|OAEPWITHSHA-384ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ ps("Cipher", "RSA",
++ "com.sun.crypto.provider.RSACipher", null, attrs);
++
++ // common block cipher modes, pads
++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
++ final String BLOCK_MODES128 = BLOCK_MODES +
++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DES",
++ "com.sun.crypto.provider.DESCipher", null, attrs);
++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
++ attrs);
++ ps("Cipher", "Blowfish",
++ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
++
++ ps("Cipher", "RC2",
++ "com.sun.crypto.provider.RC2Cipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES128);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES",
++ "com.sun.crypto.provider.AESCipher$General", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_128/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_128/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_128/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_192/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_192/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_192/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_256/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_256/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_256/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "GCM");
++ attrs.put("SupportedKeyFormats", "RAW");
++
++ ps("Cipher", "AES/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
++ attrs);
++ psA("Cipher", "AES_128/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES128",
++ attrs);
++ psA("Cipher", "AES_192/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES192",
++ attrs);
++ psA("Cipher", "AES_256/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES256",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "CBC");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DESedeWrap",
++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "ARCFOUR",
++ "com.sun.crypto.provider.ARCFOURCipher", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "ChaCha20",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
++ null, attrs);
++ psA("Cipher", "ChaCha20-Poly1305",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
++ attrs);
++
++ // PBES1
++ psA("Cipher", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
++ null);
++ ps("Cipher", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
++ psA("Cipher", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("Cipher", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
++ null);
++
++ // PBES2
++ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256");
++
++ /*
++ * Key(pair) Generator engines
++ */
++ ps("KeyGenerator", "DES",
++ "com.sun.crypto.provider.DESKeyGenerator");
++ psA("KeyGenerator", "DESede",
++ "com.sun.crypto.provider.DESedeKeyGenerator",
++ null);
++ ps("KeyGenerator", "Blowfish",
++ "com.sun.crypto.provider.BlowfishKeyGenerator");
++ psA("KeyGenerator", "AES",
++ "com.sun.crypto.provider.AESKeyGenerator",
++ null);
++ ps("KeyGenerator", "RC2",
++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
++ psA("KeyGenerator", "ARCFOUR",
++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
++ null);
++ ps("KeyGenerator", "ChaCha20",
++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
++ ps("KeyGenerator", "HmacMD5",
++ "com.sun.crypto.provider.HmacMD5KeyGenerator");
++
++ psA("KeyGenerator", "HmacSHA1",
++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
++ psA("KeyGenerator", "HmacSHA224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
++ null);
++ psA("KeyGenerator", "HmacSHA256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
++ null);
++ psA("KeyGenerator", "HmacSHA384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
++ null);
++ psA("KeyGenerator", "HmacSHA512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
++ null);
++ psA("KeyGenerator", "HmacSHA512/224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
++ null);
++ psA("KeyGenerator", "HmacSHA512/256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
++ null);
++
++ psA("KeyGenerator", "HmacSHA3-224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
++ null);
++ psA("KeyGenerator", "HmacSHA3-256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
++ null);
++ psA("KeyGenerator", "HmacSHA3-384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
++ null);
++ psA("KeyGenerator", "HmacSHA3-512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
++ null);
++
++ psA("KeyPairGenerator", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyPairGenerator",
++ null);
++ }
+
+ /*
+ * Algorithm parameter generation engines
+@@ -447,15 +453,17 @@ public final class SunJCE extends Provider {
+ "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
+ null);
+
+- /*
+- * Key Agreement engines
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
+- "|javax.crypto.interfaces.DHPrivateKey");
+- psA("KeyAgreement", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyAgreement",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key Agreement engines
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
++ "|javax.crypto.interfaces.DHPrivateKey");
++ psA("KeyAgreement", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyAgreement",
++ attrs);
++ }
+
+ /*
+ * Algorithm Parameter engines
+@@ -625,10 +633,10 @@ public final class SunJCE extends Provider {
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128");
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128");
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
+@@ -651,136 +659,137 @@ public final class SunJCE extends Provider {
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256",
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256");
+
+- // PBKDF2
+- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
+- null);
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256");
+-
+- /*
+- * MAC
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
+- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
+- attrs);
+- psA("Mac", "HmacSHA224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
+- psA("Mac", "HmacSHA256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
+- psA("Mac", "HmacSHA384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
+- psA("Mac", "HmacSHA512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
+- psA("Mac", "HmacSHA512/224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
+- psA("Mac", "HmacSHA512/256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
+- psA("Mac", "HmacSHA3-224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
+- psA("Mac", "HmacSHA3-256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
+- psA("Mac", "HmacSHA3-384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
+- psA("Mac", "HmacSHA3-512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
+-
+- ps("Mac", "HmacPBESHA1",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
+- null, attrs);
+- ps("Mac", "HmacPBESHA224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
+- null, attrs);
+- ps("Mac", "HmacPBESHA384",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
+- null, attrs);
+-
+-
+- // PBMAC1
+- ps("Mac", "PBEWithHmacSHA1",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
+- ps("Mac", "PBEWithHmacSHA224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
+- ps("Mac", "PBEWithHmacSHA384",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512/224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512/256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs);
+-
+- ps("Mac", "SslMacMD5",
+- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
+- ps("Mac", "SslMacSHA1",
+- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
+-
+- /*
+- * KeyStore
+- */
+- ps("KeyStore", "JCEKS",
+- "com.sun.crypto.provider.JceKeyStore");
+-
+- /*
+- * KEMs
+- */
+- attrs.clear();
+- attrs.put("ImplementedIn", "Software");
+- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" +
+- "|java.security.interfaces.XECKey");
+- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs);
+-
+- /*
+- * SSL/TLS mechanisms
+- *
+- * These are strictly internal implementations and may
+- * be changed at any time. These names were chosen
+- * because PKCS11/SunPKCS11 does not yet have TLS1.2
+- * mechanisms, and it will cause calls to come here.
+- */
+- ps("KeyGenerator", "SunTlsPrf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V10");
+- ps("KeyGenerator", "SunTls12Prf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V12");
+-
+- ps("KeyGenerator", "SunTlsMasterSecret",
+- "com.sun.crypto.provider.TlsMasterSecretGenerator",
+- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
+- null);
+-
+- ps("KeyGenerator", "SunTlsKeyMaterial",
+- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
+- List.of("SunTls12KeyMaterial"), null);
+-
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
++ // PBKDF2
++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
++ null);
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256");
++
++ /*
++ * MAC
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
++ attrs);
++ psA("Mac", "HmacSHA224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
++ psA("Mac", "HmacSHA256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
++ psA("Mac", "HmacSHA384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
++ psA("Mac", "HmacSHA512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
++ psA("Mac", "HmacSHA512/224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
++ psA("Mac", "HmacSHA512/256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
++ psA("Mac", "HmacSHA3-224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
++ psA("Mac", "HmacSHA3-256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
++ psA("Mac", "HmacSHA3-384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
++ psA("Mac", "HmacSHA3-512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
++
++ ps("Mac", "HmacPBESHA1",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
++ null, attrs);
++ ps("Mac", "HmacPBESHA224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
++ null, attrs);
++ ps("Mac", "HmacPBESHA384",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
++ null, attrs);
++
++ // PBMAC1
++ ps("Mac", "PBEWithHmacSHA1",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
++ ps("Mac", "PBEWithHmacSHA224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
++ ps("Mac", "PBEWithHmacSHA384",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512/224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512/256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs);
++
++ ps("Mac", "SslMacMD5",
++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
++ ps("Mac", "SslMacSHA1",
++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
++
++ /*
++ * KeyStore
++ */
++ ps("KeyStore", "JCEKS",
++ "com.sun.crypto.provider.JceKeyStore");
++
++ /*
++ * KEMs
++ */
++ attrs.clear();
++ attrs.put("ImplementedIn", "Software");
++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" +
++ "|java.security.interfaces.XECKey");
++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs);
++
++ /*
++ * SSL/TLS mechanisms
++ *
++ * These are strictly internal implementations and may
++ * be changed at any time. These names were chosen
++ * because PKCS11/SunPKCS11 does not yet have TLS1.2
++ * mechanisms, and it will cause calls to come here.
++ */
++ ps("KeyGenerator", "SunTlsPrf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V10");
++ ps("KeyGenerator", "SunTls12Prf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V12");
++
++ ps("KeyGenerator", "SunTlsMasterSecret",
++ "com.sun.crypto.provider.TlsMasterSecretGenerator",
++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
++ null);
++
++ ps("KeyGenerator", "SunTlsKeyMaterial",
++ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
++ List.of("SunTls12KeyMaterial"), null);
++
++ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
++ List.of("SunTls12RsaPremasterSecret"), null);
++ }
+ }
+
+ // Return the instance of this class or create one if needed.
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index 671529f71a1..af632936921 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -34,6 +34,7 @@ import java.net.URL;
+ import jdk.internal.access.JavaSecurityPropertiesAccess;
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -58,6 +59,11 @@ import sun.security.jca.*;
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -75,6 +81,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -96,6 +115,7 @@ public final class Security {
+ private static void initialize() {
+ props = new Properties();
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -116,6 +136,61 @@ public final class Security {
+ }
+ loadProps(null, extraPropFile, overrideAll);
+ }
++
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ if (systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
++
+ initialSecurityProperties = (Properties) props.clone();
+ if (sdebug != null) {
+ for (String key : props.stringPropertyNames()) {
+@@ -126,7 +201,7 @@ public final class Security {
+
+ }
+
+- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
+ InputStream is = null;
+ try {
+ if (masterFile != null && masterFile.exists()) {
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..9d26a54f5d4
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,232 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ @SuppressWarnings("removal")
++ var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws Exception {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..3f3caac64dc
+--- /dev/null
++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.access;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 919d758a6e3..b1e5fbaf84a 100644
+--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -43,6 +43,7 @@ import java.io.PrintStream;
+ import java.io.PrintWriter;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -90,6 +91,7 @@ public class SharedSecrets {
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
+ private static JavaTemplateAccess javaTemplateAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
+ javaUtilCollectionAccess = juca;
+@@ -537,4 +539,15 @@ public class SharedSecrets {
+ MethodHandles.lookup().ensureInitialized(c);
+ } catch (IllegalAccessException e) {}
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
+index 06b141dcf22..e8cbf7f15d7 100644
+--- a/src/java.base/share/classes/module-info.java
++++ b/src/java.base/share/classes/module-info.java
+@@ -158,6 +158,7 @@ module java.base {
+ java.naming,
+ java.rmi,
+ jdk.charsets,
++ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+ jdk.jfr,
+diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index f036a411f1d..1e9de933bd9 100644
+--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.LinkedHashSet;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.action.GetBooleanAction;
+
+@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ public final class SunEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ // the default algo used by SecureRandom class for new SecureRandom() calls
+ public static final String DEF_SECURE_RANDOM_ALGO;
+
+@@ -102,89 +107,92 @@ public final class SunEntries {
+ // common attribute map
+ HashMap<String, String> attrs = new HashMap<>(3);
+
+- /*
+- * SecureRandom engines
+- */
+- attrs.put("ThreadSafe", "true");
+- if (NativePRNG.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNG",
+- "sun.security.provider.NativePRNG", attrs);
+- }
+- if (NativePRNG.Blocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGBlocking",
+- "sun.security.provider.NativePRNG$Blocking", attrs);
+- }
+- if (NativePRNG.NonBlocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGNonBlocking",
+- "sun.security.provider.NativePRNG$NonBlocking", attrs);
+- }
+- attrs.put("ImplementedIn", "Software");
+- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+- add(p, "SecureRandom", "SHA1PRNG",
+- "sun.security.provider.SecureRandom", attrs);
+-
+- /*
+- * Signature engines
+- */
+- attrs.clear();
+- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+- "|java.security.interfaces.DSAPrivateKey";
+- attrs.put("SupportedKeyClasses", dsaKeyClasses);
+- attrs.put("ImplementedIn", "Software");
+-
+- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+-
+- addWithAlias(p, "Signature", "SHA1withDSA",
+- "sun.security.provider.DSA$SHA1withDSA", attrs);
+- addWithAlias(p, "Signature", "NONEwithDSA",
+- "sun.security.provider.DSA$RawDSA", attrs);
+-
+- // for DSA signatures with 224/256-bit digests
+- attrs.put("KeySize", "2048");
+-
+- addWithAlias(p, "Signature", "SHA224withDSA",
+- "sun.security.provider.DSA$SHA224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA256withDSA",
+- "sun.security.provider.DSA$SHA256withDSA", attrs);
+-
+- addWithAlias(p, "Signature", "SHA3-224withDSA",
+- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-256withDSA",
+- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+-
+- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+-
+- addWithAlias(p, "Signature", "SHA384withDSA",
+- "sun.security.provider.DSA$SHA384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA512withDSA",
+- "sun.security.provider.DSA$SHA512withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-384withDSA",
+- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-512withDSA",
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * SecureRandom engines
++ */
++ attrs.put("ThreadSafe", "true");
++ if (NativePRNG.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNG",
++ "sun.security.provider.NativePRNG", attrs);
++ }
++ if (NativePRNG.Blocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGBlocking",
++ "sun.security.provider.NativePRNG$Blocking", attrs);
++ }
++ if (NativePRNG.NonBlocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGNonBlocking",
++ "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ }
++ attrs.put("ImplementedIn", "Software");
++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
++ add(p, "SecureRandom", "SHA1PRNG",
++ "sun.security.provider.SecureRandom", attrs);
+
+- attrs.remove("KeySize");
++ /*
++ * Signature engines
++ */
++ attrs.clear();
++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
++ "|java.security.interfaces.DSAPrivateKey";
++ attrs.put("SupportedKeyClasses", dsaKeyClasses);
++ attrs.put("ImplementedIn", "Software");
++
++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
++
++ addWithAlias(p, "Signature", "SHA1withDSA",
++ "sun.security.provider.DSA$SHA1withDSA", attrs);
++ addWithAlias(p, "Signature", "NONEwithDSA",
++ "sun.security.provider.DSA$RawDSA", attrs);
++
++ // for DSA signatures with 224/256-bit digests
++ attrs.put("KeySize", "2048");
++
++ addWithAlias(p, "Signature", "SHA224withDSA",
++ "sun.security.provider.DSA$SHA224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA256withDSA",
++ "sun.security.provider.DSA$SHA256withDSA", attrs);
++
++ addWithAlias(p, "Signature", "SHA3-224withDSA",
++ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-256withDSA",
++ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
++
++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
++
++ addWithAlias(p, "Signature", "SHA384withDSA",
++ "sun.security.provider.DSA$SHA384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA512withDSA",
++ "sun.security.provider.DSA$SHA512withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-384withDSA",
++ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-512withDSA",
++ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++
++ attrs.remove("KeySize");
++
++ add(p, "Signature", "SHA1withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
++ add(p, "Signature", "NONEwithDSAinP1363Format",
++ "sun.security.provider.DSA$RawDSAinP1363Format");
++ add(p, "Signature", "SHA224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
++ add(p, "Signature", "SHA256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
++ add(p, "Signature", "SHA384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
++ add(p, "Signature", "SHA512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
++ add(p, "Signature", "SHA3-224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
++ add(p, "Signature", "SHA3-256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
++ add(p, "Signature", "SHA3-384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
++ add(p, "Signature", "SHA3-512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+
+- add(p, "Signature", "SHA1withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+- add(p, "Signature", "NONEwithDSAinP1363Format",
+- "sun.security.provider.DSA$RawDSAinP1363Format");
+- add(p, "Signature", "SHA224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+- add(p, "Signature", "SHA256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+- add(p, "Signature", "SHA384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+- add(p, "Signature", "SHA512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+- add(p, "Signature", "SHA3-224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+- add(p, "Signature", "SHA3-256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+- add(p, "Signature", "SHA3-384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+- add(p, "Signature", "SHA3-512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
++ }
+
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+@@ -196,9 +204,11 @@ public final class SunEntries {
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ if (!systemFipsEnabled) {
++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ }
+
+ /*
+ * Algorithm Parameter Generator engines
+@@ -213,44 +223,46 @@ public final class SunEntries {
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
+
+- /*
+- * Key factories
+- */
+- addWithAlias(p, "KeyFactory", "DSA",
+- "sun.security.provider.DSAKeyFactory", attrs);
+- addWithAlias(p, "KeyFactory", "HSS/LMS",
+- "sun.security.provider.HSS$KeyFactoryImpl", attrs);
+-
+- /*
+- * Digest engines
+- */
+- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
+- attrs);
+- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
+- attrs);
+- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ addWithAlias(p, "KeyFactory", "DSA",
++ "sun.security.provider.DSAKeyFactory", attrs);
++ addWithAlias(p, "KeyFactory", "HSS/LMS",
++ "sun.security.provider.HSS$KeyFactoryImpl", attrs);
+
+- addWithAlias(p, "MessageDigest", "SHA-224",
+- "sun.security.provider.SHA2$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-256",
+- "sun.security.provider.SHA2$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-384",
+- "sun.security.provider.SHA5$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512",
+- "sun.security.provider.SHA5$SHA512", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/224",
+- "sun.security.provider.SHA5$SHA512_224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/256",
+- "sun.security.provider.SHA5$SHA512_256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-224",
+- "sun.security.provider.SHA3$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-256",
+- "sun.security.provider.SHA3$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-384",
+- "sun.security.provider.SHA3$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-512",
+- "sun.security.provider.SHA3$SHA512", attrs);
++ /*
++ * Digest engines
++ */
++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
++ attrs);
++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
++ attrs);
++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
++ attrs);
++
++ addWithAlias(p, "MessageDigest", "SHA-224",
++ "sun.security.provider.SHA2$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-256",
++ "sun.security.provider.SHA2$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-384",
++ "sun.security.provider.SHA5$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512",
++ "sun.security.provider.SHA5$SHA512", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/224",
++ "sun.security.provider.SHA5$SHA512_224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/256",
++ "sun.security.provider.SHA5$SHA512_256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-224",
++ "sun.security.provider.SHA3$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-256",
++ "sun.security.provider.SHA3$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-384",
++ "sun.security.provider.SHA3$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-512",
++ "sun.security.provider.SHA3$SHA512", attrs);
++ }
+
+ /*
+ * Certificates
+diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+index 539ef1e8ee8..435f57e3ff2 100644
+--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+@@ -27,6 +27,7 @@ package sun.security.rsa;
+
+ import java.util.*;
+ import java.security.Provider;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ /**
+@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+ */
+ public final class SunRsaSignEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private void add(Provider p, String type, String algo, String cn,
+ List<String> aliases, HashMap<String, String> attrs) {
+ services.add(new Provider.Service(p, type, algo, cn,
+@@ -63,42 +68,49 @@ public final class SunRsaSignEntries {
+ add(p, "KeyFactory", "RSA",
+ "sun.security.rsa.RSAKeyFactory$Legacy",
+ getAliases("PKCS1"), null);
+- add(p, "KeyPairGenerator", "RSA",
+- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
+- getAliases("PKCS1"), null);
+- addA(p, "Signature", "MD2withRSA",
+- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
+- addA(p, "Signature", "MD5withRSA",
+- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
+- addA(p, "Signature", "SHA1withRSA",
+- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
+- addA(p, "Signature", "SHA224withRSA",
+- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
+- addA(p, "Signature", "SHA256withRSA",
+- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
+- addA(p, "Signature", "SHA384withRSA",
+- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
+- addA(p, "Signature", "SHA512withRSA",
+- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
+- addA(p, "Signature", "SHA512/224withRSA",
+- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
+- addA(p, "Signature", "SHA512/256withRSA",
+- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-224withRSA",
+- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
+- addA(p, "Signature", "SHA3-256withRSA",
+- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-384withRSA",
+- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
+- addA(p, "Signature", "SHA3-512withRSA",
+- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++
++ if (!systemFipsEnabled) {
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ }
+
+ addA(p, "KeyFactory", "RSASSA-PSS",
+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
++
++ if (!systemFipsEnabled) {
++ addA(p, "KeyPairGenerator", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
++ addA(p, "Signature", "RSASSA-PSS",
++ "sun.security.rsa.RSAPSSSignature", attrs);
++ }
++
+ addA(p, "AlgorithmParameters", "RSASSA-PSS",
+ "sun.security.rsa.PSSParameters", null);
+ }
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 5149edba0e5..8227d650a03 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -85,6 +85,17 @@ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=SunJSSE
++fips.provider.5=SunJCE
++fips.provider.6=SunRsaSign
++fips.provider.7=XMLDSig
++
+ #
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=pkcs12
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=pkcs12
++
++#
++# Location of the NSS DB keystore (PKCS11) in FIPS mode.
++#
++# The syntax for this property is identical to the 'nssSecmodDirectory'
++# attribute available in the SunPKCS11 NSS configuration file. Use the
++# 'sql:' prefix to refer to an SQLite DB.
++#
++# If the system property fips.nssdb.path is also specified, it supersedes
++# the security property value defined here.
++#
++# Note: the default value for this property points to an NSS DB that might be
++# readable by multiple operating system users and unsuitable to store keys.
++#
++fips.nssdb.path=sql:/etc/pki/nssdb
++
++#
++# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
++#
++# Values must take any of the following forms:
++# 1) pin:<value>
++# Value: clear text PIN value.
++# 2) env:<value>
++# Value: environment variable containing the PIN value.
++# 3) file:<value>
++# Value: path to a file containing the PIN value in its first
++# line.
++#
++# If the system property fips.nssdb.pin is also specified, it supersedes
++# the security property value defined here.
++#
++# When used as a system property, UTF-8 encoded values are valid. When
++# used as a security property (such as in this file), encode non-Basic
++# Latin Unicode characters with \uXXXX.
++#
++fips.nssdb.pin=pin:
++
+ #
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+@@ -332,6 +384,13 @@ package.definition=sun.misc.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
+new file mode 100644
+index 00000000000..55bbba98b7a
+--- /dev/null
++++ b/src/java.base/share/conf/security/nss.fips.cfg.in
+@@ -0,0 +1,8 @@
++name = NSS-FIPS
++nssLibraryDirectory = @NSS_LIBDIR@
++nssSecmodDirectory = ${fips.nssdb.path}
++nssDbMode = readWrite
++nssModule = fips
++
++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
++
+diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
+index 86d45147709..22fd8675503 100644
+--- a/src/java.base/share/lib/security/default.policy
++++ b/src/java.base/share/lib/security/default.policy
+@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" {
+ grant codeBase "jrt:/jdk.crypto.ec" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "loadLibrary.sunec";
+ permission java.security.SecurityPermission "putProviderProperty.SunEC";
+ permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
++ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
+ permission java.security.SecurityPermission "putProviderProperty.*";
+ permission java.security.SecurityPermission "clearProviderProperties.*";
+ permission java.security.SecurityPermission "removeProviderProperty.*";
+diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..ddf9befe5bc
+--- /dev/null
++++ b/src/java.base/share/native/libsystemconf/systemconf.c
+@@ -0,0 +1,236 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef LINUX
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
++
++#else // !LINUX
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ return JNI_FALSE;
++}
++
++#endif
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..48d6d656a28
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,457 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.security.interfaces.RSAPrivateCrtKey;
++import java.security.interfaces.RSAPrivateKey;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.SecretKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAPrivateCrtKeyImpl;
++import sun.security.rsa.RSAUtil;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static volatile P11Key importerKey = null;
++ private static SecretKeySpec exporterKey = null;
++ private static volatile P11Key exporterKeyP11 = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ // Do not take the exporterKeyLock with the importerKeyLock held.
++ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
++ private static volatile CK_MECHANISM importerKeyMechanism = null;
++ private static volatile CK_MECHANISM exporterKeyMechanism = null;
++ private static Cipher importerCipher = null;
++ private static Cipher exporterCipher = null;
++
++ private static volatile Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ importerKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ } finally {
++ importerKeyLock.unlock();
++ }
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
++ long keyClass, long keyType, Map<Long, CK_ATTRIBUTE> sensitiveAttrs)
++ throws PKCS11Exception {
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be exported in" +
++ " system FIPS mode.");
++ }
++ if (exporterKeyP11 == null) {
++ try {
++ exporterKeyLock.lock();
++ if (exporterKeyP11 == null) {
++ if (exporterKeyMechanism == null) {
++ // Exporter Key creation has not been tried yet. Try it.
++ createExporterKey(token);
++ }
++ if (exporterKeyP11 == null || exporterCipher == null) {
++ if (debug != null) {
++ debug.println("Exporter Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ if (debug != null) {
++ debug.println("Exporter Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ }
++ long exporterKeyID = exporterKeyP11.getKeyID();
++ try {
++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
++ exporterKeyMechanism, exporterKeyID, hObject);
++ byte[] plainExportedKey = null;
++ exporterKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ if (keyClass == CKO_PRIVATE_KEY) {
++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
++ } else if (keyClass == CKO_SECRET_KEY) {
++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ exporterKeyP11.releaseKeyID();
++ }
++ }
++
++ private static void exportPrivateKey(
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs, long keyType,
++ byte[] plainExportedKey) throws Throwable {
++ if (keyType == CKK_RSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
++ CK_ATTRIBUTE attr;
++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
++ }
++ if (rsaPKey instanceof RSAPrivateCrtKey) {
++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
++ }
++ } else {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT);
++ }
++ } else if (keyType == CKK_DSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ new sun.security.provider.DSAPrivateKey(plainExportedKey)
++ .getX().toByteArray();
++ } else if (keyType == CKK_EC) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
++ .getS().toByteArray();
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
++ }
++ }
++
++ private static void checkAttrs(Map<Long, CK_ATTRIBUTE> sensitiveAttrs,
++ String keyName, long... validAttrs)
++ throws PKCS11Exception {
++ int sensitiveAttrsCount = sensitiveAttrs.size();
++ if (sensitiveAttrsCount <= validAttrs.length) {
++ int validAttrsCount = 0;
++ for (long validAttr : validAttrs) {
++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
++ }
++ if (validAttrsCount == sensitiveAttrsCount) return;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " invalid attribute types for a " + keyName + " key object");
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec(
++ (byte[])importerKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Importer Key");
++ }
++ }
++ }
++
++ private static void createExporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Exporter Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ byte[] exporterKeyRaw = new byte[32];
++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
++ try {
++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
++ if (exporterKeyP11 != null) {
++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
++ new IvParameterSpec(
++ (byte[])exporterKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ exporterKey = null;
++ exporterKeyP11 = null;
++ exporterCipher = null;
++ // exporterKeyMechanism value is kept initialized to indicate that
++ // Exporter Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Exporter Key");
++ }
++ }
++ }
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+new file mode 100644
+index 00000000000..f8d505ca815
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+@@ -0,0 +1,149 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.io.BufferedReader;
++import java.io.ByteArrayInputStream;
++import java.io.InputStream;
++import java.io.InputStreamReader;
++import java.io.IOException;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.nio.file.Paths;
++import java.nio.file.StandardOpenOption;
++import java.security.ProviderException;
++
++import javax.security.auth.callback.Callback;
++import javax.security.auth.callback.CallbackHandler;
++import javax.security.auth.callback.PasswordCallback;
++import javax.security.auth.callback.UnsupportedCallbackException;
++
++import sun.security.util.Debug;
++import sun.security.util.SecurityProperties;
++
++final class FIPSTokenLoginHandler implements CallbackHandler {
++
++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++
++ private static final Debug debug = Debug.getInstance("sunpkcs11");
++
++ public void handle(Callback[] callbacks)
++ throws IOException, UnsupportedCallbackException {
++ if (!(callbacks[0] instanceof PasswordCallback)) {
++ throw new UnsupportedCallbackException(callbacks[0]);
++ }
++ PasswordCallback pc = (PasswordCallback)callbacks[0];
++ pc.setPassword(getFipsNssdbPin());
++ }
++
++ private static char[] getFipsNssdbPin() throws ProviderException {
++ if (debug != null) {
++ debug.println("FIPS: Reading NSS DB PIN for token...");
++ }
++ String pinProp = SecurityProperties
++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
++ if (pinProp != null && !pinProp.isEmpty()) {
++ String[] pinPropParts = pinProp.split(":", 2);
++ if (pinPropParts.length < 2) {
++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
++ " property value.");
++ }
++ String prefix = pinPropParts[0].toLowerCase();
++ String value = pinPropParts[1];
++ String pin = null;
++ if (prefix.equals("env")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the '" + value +
++ "' environment variable.");
++ }
++ pin = System.getenv(value);
++ } else if (prefix.equals("file")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the '" + value +
++ "' file.");
++ }
++ pin = getPinFromFile(Paths.get(value));
++ } else if (prefix.equals("pin")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the " +
++ FIPS_NSSDB_PIN_PROP + " property.");
++ }
++ pin = value;
++ } else {
++ throw new ProviderException("Unsupported prefix for " +
++ FIPS_NSSDB_PIN_PROP + ".");
++ }
++ if (pin != null && !pin.isEmpty()) {
++ if (debug != null) {
++ debug.println("FIPS: non-empty PIN.");
++ }
++ /*
++ * C_Login in libj2pkcs11 receives the PIN in a char[] and
++ * discards the upper byte of each char, before passing
++ * the value to the NSS Software Token. However, the
++ * NSS Software Token accepts any UTF-8 PIN value. Thus,
++ * expand the PIN here to account for later truncation.
++ */
++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
++ char[] pinChar = new char[pinUtf8.length];
++ for (int i = 0; i < pinChar.length; i++) {
++ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++ }
++ return pinChar;
++ }
++ }
++ if (debug != null) {
++ debug.println("FIPS: empty PIN.");
++ }
++ return null;
++ }
++
++ /*
++ * This method extracts the token PIN from the first line of a password
++ * file in the same way as NSS modutil. See for example the -newpwfile
++ * argument used to change the password for an NSS DB.
++ */
++ private static String getPinFromFile(Path f) throws ProviderException {
++ try (InputStream is =
++ Files.newInputStream(f, StandardOpenOption.READ)) {
++ /*
++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
++ * reads up to 4096 bytes. In addition, the NSS Software Token
++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
++ * in nss/lib/softoken/pkcs11i.h).
++ */
++ BufferedReader in =
++ new BufferedReader(new InputStreamReader(
++ new ByteArrayInputStream(is.readNBytes(4096)),
++ StandardCharsets.UTF_8));
++ return in.readLine();
++ } catch (IOException ioe) {
++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
++ " from the '" + f + "' file.", ioe);
++ }
++ }
++}
+\ No newline at end of file
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+index 6b26297b1b4..7ee5e07756c 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+@@ -37,6 +37,8 @@ import javax.crypto.*;
+ import javax.crypto.interfaces.*;
+ import javax.crypto.spec.*;
+
++import jdk.internal.access.SharedSecrets;
++
+ import sun.security.rsa.RSAUtil.KeyType;
+ import sun.security.rsa.RSAPublicKeyImpl;
+ import sun.security.rsa.RSAPrivateCrtKeyImpl;
+@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length {
+ @Serial
+ private static final long serialVersionUID = -2575874101938349339L;
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ private static final String PUBLIC = "public";
+ private static final String PRIVATE = "private";
+ private static final String SECRET = "secret";
+@@ -401,8 +406,10 @@ abstract class P11Key implements Key, Length {
+ new CK_ATTRIBUTE(CKA_EXTRACTABLE),
+ });
+
+- boolean keySensitive = (attrs[0].getBoolean() ||
+- attrs[1].getBoolean() || !attrs[2].getBoolean());
++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
++ boolean keySensitive = (!exportable &&
++ (attrs[0].getBoolean() ||
++ attrs[1].getBoolean() || !attrs[2].getBoolean()));
+
+ return switch (algorithm) {
+ case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
+@@ -454,7 +461,8 @@ abstract class P11Key implements Key, Length {
+
+ public String getFormat() {
+ token.ensureValid();
+- if (sensitive || !extractable || (isNSS && tokenObject)) {
++ if (!plainKeySupportEnabled &&
++ (sensitive || !extractable || (isNSS && tokenObject))) {
+ return null;
+ } else {
+ return "RAW";
+@@ -1624,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
+ this.clear();
+ }
+ }
+-
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 5cd6828d293..bae49c4e8a9 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
+
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
++import sun.security.util.SecurityProperties;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ import sun.security.pkcs11.Secmod.*;
+@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider {
+ @Serial
+ private static final long serialVersionUID = -1354835039035306505L;
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ private static final MethodHandle fipsExportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ MethodHandle fipsExportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "exportKey",
++ MethodType.methodType(void.class, SunPKCS11.class,
++ long.class, long.class,
++ long.class, long.class, Map.class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer-exporter" +
++ " initialization failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ fipsExportKey = fipsExportKeyTmp;
++ }
++
++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+ // the PKCS11 object through which we make the native calls
+ @SuppressWarnings("serial") // Type of field is not Serializable;
+@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
+ @Override
+ public SunPKCS11 run() throws Exception {
++ if (systemFipsEnabled) {
++ /*
++ * The nssSecmodDirectory attribute in the SunPKCS11
++ * NSS configuration file takes the value of the
++ * fips.nssdb.path System property after expansion.
++ * Security properties expansion is unsupported.
++ */
++ String nssdbPath =
++ SecurityProperties.privilegedGetOverridable(
++ FIPS_NSSDB_PATH_PROP);
++ if (System.getSecurityManager() != null) {
++ AccessController.doPrivileged(
++ (PrivilegedAction<Void>) () -> {
++ System.setProperty(
++ FIPS_NSSDB_PATH_PROP,
++ nssdbPath);
++ return null;
++ });
++ } else {
++ System.setProperty(
++ FIPS_NSSDB_PATH_PROP, nssdbPath);
++ }
++ }
+ return new SunPKCS11(new Config(newConfigName));
+ }
+ });
+@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ MethodHandle fipsKeyExporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ fipsKeyExporter = MethodHandles.insertArguments(
++ fipsExportKey, 0, this);
++ }
+ try {
+- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
+- config.getOmitInitialize());
++ tmpPKCS11 = PKCS11.getInstance(
++ library, functionList, initArgs,
++ config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider {
+ } else {
+ initArgs.flags = 0;
+ }
+- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
+- config.getOmitInitialize());
++ tmpPKCS11 = PKCS11.getInstance(library,
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider {
+ }
+
+ @Override
++ @SuppressWarnings("removal")
+ public Object newInstance(Object param)
+ throws NoSuchAlgorithmException {
+ if (!token.isValid()) {
+ throw new NoSuchAlgorithmException("Token has been removed");
+ }
++ if (systemFipsEnabled && !token.fipsLoggedIn &&
++ !getType().equals("KeyStore")) {
++ /*
++ * The NSS Software Token in FIPS 140-2 mode requires a
++ * user login for most operations. See sftk_fipsCheck
++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
++ * service, let the caller perform the login with
++ * KeyStore::load. Keytool, for example, does this to pass a
++ * PIN from either the -srcstorepass or -deststorepass
++ * argument. In case of a non-KeyStore service, perform the
++ * login now with the PIN available in the fips.nssdb.pin
++ * property.
++ */
++ try {
++ if (System.getSecurityManager() != null) {
++ try {
++ AccessController.doPrivileged(
++ (PrivilegedExceptionAction<Void>) () -> {
++ token.ensureLoggedIn(null);
++ return null;
++ });
++ } catch (PrivilegedActionException pae) {
++ Exception e = pae.getException();
++ if (e instanceof LoginException le) {
++ throw le;
++ } else if (e instanceof PKCS11Exception p11e) {
++ throw p11e;
++ } else {
++ throw new RuntimeException(e);
++ }
++ }
++ } else {
++ token.ensureLoggedIn(null);
++ }
++ } catch (PKCS11Exception | LoginException e) {
++ throw new ProviderException("FIPS: error during the Token" +
++ " login required for the " + getType() +
++ " service.", e);
++ }
++ }
+ try {
+ return newInstance0(param);
+ } catch (PKCS11Exception e) {
+@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider {
+ try {
+ session = token.getOpSession();
+ p11.C_Logout(session.id());
++ if (systemFipsEnabled) {
++ token.fipsLoggedIn = false;
++ }
+ if (debug != null) {
+ debug.println("logout succeeded");
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+index 3378409ca1c..7602a92a252 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+@@ -33,6 +33,7 @@ import java.lang.ref.*;
+ import java.security.*;
+ import javax.security.auth.login.LoginException;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.jca.JCAUtil;
+
+ import sun.security.pkcs11.wrapper.*;
+@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
+ */
+ final class Token implements Serializable {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ // need to be serializable to allow SecureRandom to be serialized
+ @Serial
+ private static final long serialVersionUID = 2541527649100571747L;
+@@ -125,6 +129,10 @@ final class Token implements Serializable {
+ // flag indicating whether we are logged in
+ private volatile boolean loggedIn;
+
++ // Flag indicating the login status for the NSS Software Token in FIPS mode.
++ // This Token is never asynchronously removed. Used from SunPKCS11.
++ volatile boolean fipsLoggedIn;
++
+ // time we last checked login status
+ private long lastLoginCheck;
+
+@@ -242,7 +250,12 @@ final class Token implements Serializable {
+ // call provider.login() if not
+ void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
+ if (!isLoggedIn(session)) {
+- provider.login(null, null);
++ if (systemFipsEnabled) {
++ provider.login(null, new FIPSTokenLoginHandler());
++ fipsLoggedIn = true;
++ } else {
++ provider.login(null, null);
++ }
+ }
+ }
+
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 4b06daaf264..55e14945469 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -174,18 +177,43 @@ public class PKCS11 {
+ return version;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs = new HashMap<>();
++ List<CK_ATTRIBUTE> nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs,
++ List<CK_ATTRIBUTE> nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+index 920422376f8..6aa308fa5f8 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception {
+ return res;
+ }
+
++ /**
++ * Constructor taking the error code from the RV enum and
++ * extra info for error message.
++ */
++ public PKCS11Exception(RV errorEnum, String extraInfo) {
++ this(errorEnum.value, extraInfo);
++ }
++
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) and
+ * extra info for error message.
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 7f8c4dba002..e65b11fc3ee 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -34,6 +34,7 @@ import java.security.ProviderException;
+ import java.util.HashMap;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+ import sun.security.ec.ed.EdDSASignature;
+@@ -50,6 +51,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap<String, String> attrs) {
+@@ -240,83 +245,85 @@ public final class SunEC extends Provider {
+ putXDHEntries();
+ putEdDSAEntries();
+
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -333,23 +340,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -364,21 +373,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
+diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+new file mode 100644
+index 00000000000..ce01c655eb8
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+@@ -0,0 +1,349 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Method;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.security.KeyStore;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Arrays;
++import java.util.function.Consumer;
++import java.util.List;
++import javax.crypto.Cipher;
++import javax.crypto.spec.SecretKeySpec;
++
++import jdk.test.lib.process.Proc;
++import jdk.test.lib.util.FileUtils;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary
++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used
++ * for a successful login into an NSS DB. Some additional unitary testing
++ * is then performed. This test depends on NSS modutil and must be run in
++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available).
++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open
++ * @library /test/lib
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=600 NssdbPin
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class NssdbPin {
++
++ // Public properties and names
++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS";
++ private static final String NSSDB_TOKEN_NAME =
++ "NSS FIPS 140-2 Certificate DB";
++
++ // Data to be tested
++ private static final String[] PINS_TO_TEST =
++ new String[] {
++ "",
++ "1234567890abcdef1234567890ABCDEF\uA4F7"
++ };
++ private static enum PropType { SYSTEM, SECURITY }
++ private static enum LoginType { IMPLICIT, EXPLICIT }
++
++ // Internal test fields
++ private static final boolean DEBUG = true;
++ private static class TestContext {
++ String pin;
++ PropType propType;
++ Path workspace;
++ String nssdbPath;
++ Path nssdbPinFile;
++ LoginType loginType;
++ TestContext(String pin, Path workspace) {
++ this.pin = pin;
++ this.workspace = workspace;
++ this.nssdbPath = "sql:" + workspace;
++ this.loginType = LoginType.IMPLICIT;
++ }
++ }
++
++ public static void main(String[] args) throws Throwable {
++ if (args.length == 3) {
++ // Executed by a child process.
++ mainChild(args[0], args[1], LoginType.valueOf(args[2]));
++ } else if (args.length == 0) {
++ // Executed by the parent process.
++ mainLauncher();
++ // Test defaults
++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT);
++ System.out.println("TEST PASS - OK");
++ } else {
++ throw new Exception("Unexpected number of arguments.");
++ }
++ }
++
++ private static void mainChild(String expectedPath, String expectedPin,
++ LoginType loginType) throws Throwable {
++ if (DEBUG) {
++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP,
++ FIPS_NSSDB_PIN_PROP)) {
++ System.out.println(prop + " (System): " +
++ System.getProperty(prop));
++ System.out.println(prop + " (Security): " +
++ Security.getProperty(prop));
++ }
++ }
++
++ /*
++ * Functional cross-test against an NSS DB generated by modutil
++ * with the same PIN. Check that we can perform a crypto operation
++ * that requires a login. The login might be explicit or implicit.
++ */
++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME);
++ if (DEBUG) {
++ System.out.println(FIPS_PROVIDER_NAME + ": " + p);
++ }
++ if (p == null) {
++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed.");
++ }
++ if (DEBUG) {
++ System.out.println("Login type: " + loginType);
++ }
++ if (loginType == LoginType.EXPLICIT) {
++ // Do the expansion to account for truncation, so C_Login in
++ // the NSS Software Token gets a UTF-8 encoded PIN.
++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8);
++ char[] pinChar = new char[pinUtf8.length];
++ for (int i = 0; i < pinChar.length; i++) {
++ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++ }
++ KeyStore.getInstance("PKCS11", p).load(null, pinChar);
++ if (DEBUG) {
++ System.out.println("Explicit login succeeded.");
++ }
++ }
++ if (DEBUG) {
++ System.out.println("Trying a crypto operation...");
++ }
++ final int blockSize = 16;
++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p);
++ cipher.init(Cipher.ENCRYPT_MODE,
++ new SecretKeySpec(new byte[blockSize], "AES"));
++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) {
++ throw new Exception("Could not perform a crypto operation.");
++ }
++ if (DEBUG) {
++ if (loginType == LoginType.IMPLICIT) {
++ System.out.println("Implicit login succeeded.");
++ }
++ System.out.println("Crypto operation after login succeeded.");
++ }
++
++ if (loginType == LoginType.IMPLICIT) {
++ /*
++ * Additional unitary testing. Expected to succeed at this point.
++ */
++ if (DEBUG) {
++ System.out.println("Trying unitary test...");
++ }
++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP);
++ if (DEBUG) {
++ System.out.println("Path value (as a System property): " +
++ sysPathProp);
++ }
++ if (!expectedPath.equals(sysPathProp)) {
++ throw new Exception("Path is different than expected: " +
++ sysPathProp + " (actual) vs " + expectedPath +
++ " (expected).");
++ }
++ Class<?> c = Class
++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler");
++ Method m = c.getDeclaredMethod("getFipsNssdbPin");
++ m.setAccessible(true);
++ String pin = null;
++ char[] pinChar = (char[]) m.invoke(c);
++ if (pinChar != null) {
++ byte[] pinUtf8 = new byte[pinChar.length];
++ for (int i = 0; i < pinUtf8.length; i++) {
++ pinUtf8[i] = (byte) pinChar[i];
++ }
++ pin = new String(pinUtf8, StandardCharsets.UTF_8);
++ }
++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) ||
++ expectedPin.isEmpty() && pin != null) {
++ throw new Exception("PIN is different than expected: '" + pin +
++ "' (actual) vs '" + expectedPin + "' (expected).");
++ }
++ if (DEBUG) {
++ System.out.println("PIN value: " + pin);
++ System.out.println("Unitary test succeeded.");
++ }
++ }
++ }
++
++ private static void mainLauncher() throws Throwable {
++ for (String pin : PINS_TO_TEST) {
++ Path workspace = Files.createTempDirectory(null);
++ try {
++ TestContext ctx = new TestContext(pin, workspace);
++ createNSSDB(ctx);
++ {
++ ctx.loginType = LoginType.IMPLICIT;
++ for (PropType propType : PropType.values()) {
++ ctx.propType = propType;
++ pinLauncher(ctx);
++ envLauncher(ctx);
++ fileLauncher(ctx);
++ }
++ }
++ explicitLoginLauncher(ctx);
++ } finally {
++ FileUtils.deleteFileTreeWithRetry(workspace);
++ }
++ }
++ }
++
++ private static void pinLauncher(TestContext ctx) throws Throwable {
++ launchTest(p -> {}, "pin:" + ctx.pin, ctx);
++ }
++
++ private static void envLauncher(TestContext ctx) throws Throwable {
++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR";
++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin),
++ "env:" + NSSDB_PIN_ENV_VAR, ctx);
++ }
++
++ private static void fileLauncher(TestContext ctx) throws Throwable {
++ // The file containing the PIN (ctx.nssdbPinFile) was created by the
++ // generatePinFile method, called from createNSSDB.
++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx);
++ }
++
++ private static void explicitLoginLauncher(TestContext ctx)
++ throws Throwable {
++ ctx.loginType = LoginType.EXPLICIT;
++ ctx.propType = PropType.SYSTEM;
++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx);
++ }
++
++ private static void launchTest(Consumer<Proc> procCb, String pinPropVal,
++ TestContext ctx) throws Throwable {
++ if (DEBUG) {
++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP +
++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP +
++ "=" + pinPropVal);
++ }
++ Proc p = Proc.create(NssdbPin.class.getName())
++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name());
++ if (ctx.propType == PropType.SYSTEM) {
++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++ // Make sure that Security properties defaults are not used.
++ p.secprop(FIPS_NSSDB_PATH_PROP, "");
++ p.secprop(FIPS_NSSDB_PIN_PROP, "");
++ } else if (ctx.propType == PropType.SECURITY) {
++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++ pinPropVal = escapeForPropsFile(pinPropVal);
++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++ } else {
++ throw new Exception("Unsupported property type.");
++ }
++ if (DEBUG) {
++ p.inheritIO();
++ p.prop("java.security.debug", "sunpkcs11");
++ p.debug(NssdbPin.class.getName());
++
++ // Need the launched process to connect to a debugger?
++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" +
++ // "transport=dt_socket,address=localhost:8000,suspend=y");
++ } else {
++ p.nodump();
++ }
++ procCb.accept(p);
++ p.start().waitFor(0);
++ }
++
++ private static String escapeForPropsFile(String str) throws Throwable {
++ StringBuffer sb = new StringBuffer();
++ for (int i = 0; i < str.length(); i++) {
++ int cp = str.codePointAt(i);
++ if (Character.UnicodeBlock.of(cp)
++ == Character.UnicodeBlock.BASIC_LATIN) {
++ sb.append(Character.toChars(cp));
++ } else {
++ sb.append("\\u").append(String.format("%04X", cp));
++ }
++ }
++ return sb.toString();
++ }
++
++ private static void createNSSDB(TestContext ctx) throws Throwable {
++ ProcessBuilder pb = getModutilPB(ctx, "-create");
++ if (DEBUG) {
++ System.out.println("Creating an NSS DB in " + ctx.workspace +
++ "...");
++ System.out.println("cmd: " + String.join(" ", pb.command()));
++ }
++ if (pb.start().waitFor() != 0) {
++ throw new Exception("NSS DB creation failed.");
++ }
++ generatePinFile(ctx);
++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME,
++ "-newpwfile", ctx.nssdbPinFile.toString());
++ if (DEBUG) {
++ System.out.println("NSS DB created.");
++ System.out.println("Changing NSS DB PIN...");
++ System.out.println("cmd: " + String.join(" ", pb.command()));
++ }
++ if (pb.start().waitFor() != 0) {
++ throw new Exception("NSS DB PIN change failed.");
++ }
++ if (DEBUG) {
++ System.out.println("NSS DB PIN changed.");
++ }
++ }
++
++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args)
++ throws Throwable {
++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force");
++ List<String> pbCommand = pb.command();
++ if (args != null) {
++ pbCommand.addAll(Arrays.asList(args));
++ }
++ pbCommand.add("-dbdir");
++ pbCommand.add(ctx.nssdbPath);
++ if (DEBUG) {
++ pb.inheritIO();
++ } else {
++ pb.redirectError(ProcessBuilder.Redirect.INHERIT);
++ }
++ return pb;
++ }
++
++ private static void generatePinFile(TestContext ctx) throws Throwable {
++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null);
++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() +
++ "2nd line with garbage");
++ }
++}
+diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+new file mode 100644
+index 00000000000..87f1ad04505
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+@@ -0,0 +1,77 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.security.Provider;
++import java.security.Security;
++
++/*
++ * @test
++ * @bug 9999999
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=30 VerifyMissingAttributes
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class VerifyMissingAttributes {
++
++ private static final String[] svcAlgImplementedIn = {
++ "AlgorithmParameterGenerator.DSA",
++ "AlgorithmParameters.DSA",
++ "CertificateFactory.X.509",
++ "KeyStore.JKS",
++ "KeyStore.CaseExactJKS",
++ "KeyStore.DKS",
++ "CertStore.Collection",
++ "CertStore.com.sun.security.IndexedCollection"
++ };
++
++ public static void main(String[] args) throws Throwable {
++ Provider sunProvider = Security.getProvider("SUN");
++ for (String svcAlg : svcAlgImplementedIn) {
++ String filter = svcAlg + " ImplementedIn:Software";
++ doQuery(sunProvider, filter);
++ }
++ if (Double.parseDouble(
++ System.getProperty("java.specification.version")) >= 17) {
++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" +
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey";
++ doQuery(Security.getProvider("SunRsaSign"), filter);
++ }
++ System.out.println("TEST PASS - OK");
++ }
++
++ private static void doQuery(Provider expectedProvider, String filter)
++ throws Exception {
++ if (expectedProvider == null) {
++ throw new Exception("Provider not found.");
++ }
++ Provider[] providers = Security.getProviders(filter);
++ if (providers == null || providers.length != 1 ||
++ providers[0] != expectedProvider) {
++ throw new Exception("Failure retrieving the provider with this" +
++ " query: " + filter);
++ }
++ }
++}
diff --git a/SOURCES/java-21-openjdk-portable.specfile b/SOURCES/java-21-openjdk-portable.specfile
new file mode 100644
index 0000000000000000000000000000000000000000..23f5b8e9b558d56d53dd4dba127d35ec01d2c196
--- /dev/null
+++ b/SOURCES/java-21-openjdk-portable.specfile
@@ -0,0 +1,2110 @@
+# debug_package %%{nil} is portable-jdks specific
+%define debug_package %{nil}
+
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-21-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+# This is RHEL 7 specific as it doesn't seem to have the
+# __brp_strip_static_archive macro.
+%define __os_install_post %{nil}
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
+# However, it does segfault on the Zero assembler port, so currently JIT only
+%global share_arches %{jit_arches}
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
+%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
+
+# By default, we build a slowdebug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# The static libraries are produced under the same configuration as the main
+# build for portables, as we expect in-tree libraries to be used throughout.
+# If system libraries are enabled, the static libraries will also use them
+# which may cause issues.
+%global bootstrap_targets images %{static_libs_target} legacy-jre-image
+%global release_targets images docs-zip %{static_libs_target} legacy-jre-image
+# No docs nor bootcycle for debug builds
+%global debug_targets images %{static_libs_target} legacy-jre-image
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# DTS toolset to use to provide gcc & binutils
+%global dtsversion 10
+
+# Disable LTO as this causes build failures at the moment.
+# See RHBZ#1861401
+%define _lto_cflags %{nil}
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 21
+%global interimver 0
+%global updatever 2
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver %{featurever}
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+# This will only work where the bootstrap JDK is the same major version
+# as the JDK being built
+%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 75ffdc48eda
+# Define JDK versions
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{vcstag}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 13
+%global rpmrelease 1
+#%%global tagsuffix %%{nil}
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip %{nil}
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+%global altjavaoutputdir install/altjava.install
+%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+# portable only declarations
+%global jreimage jre
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g")
+%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
+%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
+%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}}
+%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
+# top of the JDK archive
+%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g")
+%define docportablearchive() %{docportablename}.tar.xz
+%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g")
+%define miscportablearchive() %{miscportablename}.tar.xz
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for slowdebug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+# VM variant being built
+%ifarch %{zero_arches}
+%global vm_variant zero
+%else
+%global vm_variant server
+%endif
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+# Portables have no repo (requires/provides), but these are awesome for orientation in spec
+# Also scriptlets are happily missing and files are handled old fashion
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+}
+
+%define java_devel_rpo() %{expand:
+}
+
+%define java_static_libs_rpo() %{expand:
+}
+
+%define java_unstripped_rpo() %{expand:
+}
+
+%define java_docs_rpo() %{expand:
+}
+
+%define java_misc_rpo() %{expand:
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+# Define the architectures on which we build
+ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64
+# Define the OS this package is built on
+%global pkgos rhel7
+
+Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+
+# portables have grown out of its component, moving back to java-x-vendor
+# this expression, when declared as global, filled component with java-x-vendor portable
+%define component %(echo %{name} | sed "s;-portable%{?pkgos:-%{pkgos}};;g")
+
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+# Disabled in portables
+#Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# Source code for alt-java
+Source11: alt-java.c
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
+# OJ1357: Fix issue on FIPS with a SecurityManager in place
+# RH2134669: Add missing attributes when registering services in FIPS mode.
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+# RH1940064: Enable XML Signature provider in FIPS mode
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
+Patch1001: fips-%{featurever}u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+
+# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+# PR: https://github.com/openjdk/jdk/pull/15409
+Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+
+# Currently empty
+
+#############################################
+#
+# OpenJDK patches which missed last update
+#
+#############################################
+
+#############################################
+#
+# Portable build specific patches
+#
+#############################################
+
+# Currently empty
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: file
+BuildRequires: fontconfig-devel
+BuildRequires: devtoolset-%{dtsversion}-gcc
+BuildRequires: devtoolset-%{dtsversion}-gcc-c++
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+# N/A for portable. RHEL7 doesn't provide them
+#BuildRequires: crypto-policies
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+# to pack portable tarballs
+BuildRequires: tar
+BuildRequires: unzip
+BuildRequires: javapackages-tools
+BuildRequires: java-%{buildjdkver}-%{origin}%{?pkgos:-%{pkgos}}-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c
+# cacerts build requirement in portable mode
+BuildRequires: ca-certificates
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/legal/freetype.md
+Provides: bundled(freetype) = 2.13.0
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 8.2.2
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.15.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.40
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment portable edition
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} runtime environment and development tools - portable edition
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package unstripped
+Summary: The %{origin_nice} %{featurever} runtime environment.
+
+%{java_unstripped_rpo %{nil}}
+
+%description unstripped
+The %{origin_nice} %{featurever} runtime environment.
+
+%endif
+
+%package docs
+Summary: %{origin_nice} %{featurever} API documentation
+
+%{java_docs_rpo %{nil}}
+
+%description docs
+The %{origin_nice} %{featurever} API documentation.
+
+%package misc
+Summary: %{origin_nice} %{featurever} miscellany
+
+%{java_misc_rpo %{nil}}
+
+%description misc
+The %{origin_nice} %{featurever} miscellany.
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?_build_cpu:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{_build_cpu}"
+%else
+ %{error:Unrecognised architecture %{_build_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+
+%if %{with fresh_libjvm} && ! %{build_hotspot_first}
+echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch"
+echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}"
+%endif
+
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# Patches in need of upstreaming
+%patch6 -p1
+popd # openjdk
+
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# Portables do not have desktop integration
+
+%build
+
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+echo "Building %{SOURCE11}"
+mkdir -p %{altjavaoutputdir}
+gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
+
+echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+ local debug_symbols=${6}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Using debug_symbols: ${debug_symbols}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
+ scl enable devtoolset-%{dtsversion} "bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \
+ --with-version-build=%{buildver} \
+ --with-version-pre=\"%{ea_designator}\" \
+ --with-version-opt=\"%{lts_designator}\" \
+ --with-vendor-version-string=\"%{oj_vendor_version}\" \
+ --with-vendor-name=\"%{oj_vendor}\" \
+ --with-vendor-url=\"%{oj_vendor_url}\" \
+ --with-vendor-bug-url=\"%{oj_vendor_bug_url}\" \
+ --with-vendor-vm-bug-url=\"%{oj_vendor_bug_url}\" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="${debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=${libc_link_opt} \
+ --with-extra-cxxflags=\"$EXTRA_CPP_FLAGS\" \
+ --with-extra-cflags=\"$EXTRA_CFLAGS\" \
+ --with-extra-ldflags=\"%{ourldflags}\" \
+ --with-num-cores=\"$NUM_PROC\" \
+ --with-source-date=\"${SOURCE_DATE_EPOCH}\" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors"
+
+ cat spec.gmk
+ scl enable devtoolset-%{dtsversion} "make LOG=trace $maketargets || \
+ ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false )"
+ popd
+}
+
+function stripjdk() {
+ local outputdir=${1}
+ local jdkimagepath=${outputdir}/images/%{jdkimage}
+ local jreimagepath=${outputdir}/images/%{jreimage}
+ local jmodimagepath=${outputdir}/images/jmods
+ local supportdir=${outputdir}/support
+
+ if [ "x$suffix" = "x" ] ; then
+ # Keep the unstripped version for consumption by RHEL RPMs
+ cp -a ${jdkimagepath}{,.unstripped}
+
+ # Strip the files
+ for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} -type f) ; do
+ if file ${file} | grep -q 'ELF'; then
+ noextfile=${file/.so/};
+ scl enable devtoolset-%{dtsversion} "objcopy --only-keep-debug ${file} ${noextfile}.debuginfo";
+ scl enable devtoolset-%{dtsversion} "objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}";
+ scl enable devtoolset-%{dtsversion} "strip -g ${file}";
+ fi
+ done
+
+ # Rebuild jmod files against the stripped binaries
+ if [ ! -d ${supportdir} ] ; then
+ echo "Support directory missing.";
+ exit 15
+ fi
+ for cmd in $(find ${supportdir} -name '*.jmod_exec.cmdline') ; do
+ pre=${cmd/_exec/_pre};
+ post=${cmd/_exec/_post};
+ jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##')
+ echo "Rebuilding ${jmod} against stripped binaries...";
+ if [ -e ${pre} ] ; then
+ echo "Executing ${pre}...";
+ cat ${pre} | sh -s ;
+ fi
+ echo "Executing ${cmd}...";
+ cat ${cmd} | sh -s ;
+ if [ -e ${post} ] ; then
+ echo "Executing ${post}...";
+ cat ${post} | sh -s ;
+ fi
+ done
+ rm -rf ${jdkimagepath}/jmods
+ cp -a ${jmodimagepath} ${jdkimagepath}
+ fi
+}
+
+function installjdk() {
+ local outputdir=${1}
+ local installdir=${2}
+ local jdkimagepath=${installdir}/images/%{jdkimage}
+ local jreimagepath=${installdir}/images/%{jreimage}
+ local unstripped=${jdkimagepath}.unstripped
+
+ echo "Installing build from ${outputdir} to ${installdir}..."
+ mkdir -p ${installdir}
+ echo "Installing images..."
+ mv ${outputdir}/images ${installdir}
+ if [ -d ${outputdir}/bundles ] ; then
+ echo "Installing bundles...";
+ mv ${outputdir}/bundles ${installdir} ;
+ fi
+
+%if !%{with artifacts}
+ echo "Removing output directory...";
+ rm -rf ${outputdir}
+%endif
+
+ # legacy-jre-image target does not install any man pages for the JRE
+ # We copy the jdk man directory and then remove pages for binaries that
+ # don't exist in the JRE
+ cp -a ${jdkimagepath}/man ${jreimagepath}
+ for manpage in $(find ${jreimagepath}/man -name '*.1'); do
+ filename=$(basename ${manpage});
+ binary=${filename/.1/};
+ if [ ! -f ${jreimagepath}/bin/${binary} ] ; then
+ echo "Removing ${manpage} from JRE for which no binary ${binary} exists";
+ rm -f ${manpage};
+ fi;
+ done
+
+ for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install local files which are distributed with the JDK
+ install -m 644 %{SOURCE10} ${imagepath}
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+
+ # Print release information
+ cat ${imagepath}/release
+ fi
+ done
+}
+
+function genchecksum() {
+ local checkedfile=${1}
+
+ checkdir=$(dirname ${1})
+ checkfile=$(basename ${1})
+
+ echo "Generating checksum for ${checkfile} in ${checkdir}..."
+ pushd ${checkdir}
+ sha256sum ${checkfile} > ${checkfile}.sha256sum
+ sha256sum --check ${checkfile}.sha256sum
+ popd
+}
+
+function packagejdk() {
+ local imagesdir=$(pwd)/${1}/images
+ local docdir=$(pwd)/${1}/images/docs
+ local bundledir=$(pwd)/${1}/bundles
+ local packagesdir=$(pwd)/${2}
+ local srcdir=$(pwd)/%{top_level_dir_name}
+ local tapsetdir=$(pwd)/tapset
+ local altjavadir=$(pwd)/${3}
+
+ echo "Packaging build from ${imagesdir} to ${packagesdir}..."
+ mkdir -p ${packagesdir}
+ pushd ${imagesdir}
+
+ if [ "x$suffix" = "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+
+ jdkname=%{jdkportablename -- "$nameSuffix"}
+ jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
+ jrename=%{jreportablename -- "$nameSuffix"}
+ jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
+ staticname=%{staticlibsportablename -- "$nameSuffix"}
+ staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+ debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+ unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
+ # We only use docs for the release build
+ docname=%{docportablename}
+ docarchive=${packagesdir}/%{docportablearchive}
+ built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+ # These are from the source tree so no debug variants
+ miscname=%{miscportablename}
+ miscarchive=${packagesdir}/%{miscportablearchive}
+
+ if [ "x$suffix" = "x" ] ; then
+ # Keep the unstripped version for consumption by RHEL RPMs
+ mv %{jdkimage}.unstripped ${jdkname}
+ tar -cJf ${unstrippedarchive} ${jdkname}
+ genchecksum ${unstrippedarchive}
+ mv ${jdkname} %{jdkimage}.unstripped
+ fi
+
+ # Rename directories for packaging
+ mv %{jdkimage} ${jdkname}
+ mv %{jreimage} ${jrename}
+
+ # Release images have external debug symbols
+ if [ "x$suffix" = "x" ] ; then
+ tar -cJf ${debugarchive} $(find ${jdkname} -name \*.debuginfo)
+ genchecksum ${debugarchive}
+
+ mkdir ${docname}
+ mv ${docdir} ${docname}
+ mv ${bundledir}/${built_doc_archive} ${docname}
+ tar -cJf ${docarchive} ${docname}
+ genchecksum ${docarchive}
+
+ mkdir ${miscname}
+ for s in 16 24 32 48 ; do
+ cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname}
+ done
+%if %{with_systemtap}
+ cp -a ${tapsetdir}* ${miscname}
+%endif
+ cp -av ${altjavadir}/%{alt_java_name} ${miscname}
+ tar -cJf ${miscarchive} ${miscname}
+ genchecksum ${miscarchive}
+ fi
+
+ tar -cJf ${jdkarchive} --exclude='**.debuginfo' ${jdkname}
+ genchecksum ${jdkarchive}
+
+ tar -cJf ${jrearchive} --exclude='**.debuginfo' ${jrename}
+ genchecksum ${jrearchive}
+
+%if %{include_staticlibs}
+ # Static libraries (needed for building graal vm with native image)
+ # Tar as overlay. Transform to the JDK name, since we just want to "add"
+ # static libraries to that folder
+ tar -cJf ${staticarchive} \
+ --transform "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+ genchecksum ${staticarchive}
+%endif
+
+ # Revert directory renaming so testing will run
+ # TODO: testing should run on the packaged JDK
+ mv ${jdkname} %{jdkimage}
+ mv ${jrename} %{jreimage}
+
+ popd #images
+
+}
+
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal"
+ mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant}
+%else
+ systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+ # We build with internal debug symbols and do
+ # our own stripping for one version of the
+ # release build
+ debug_symbols=internal
+
+ builddir=%{buildoutputdir -- ${suffix}}
+ bootbuilddir=boot${builddir}
+ installdir=%{installoutputdir -- ${suffix}}
+ bootinstalldir=boot${installdir}
+ packagesdir=%{packageoutputdir -- ${suffix}}
+
+ link_opt="%{link_type}"
+%if %{system_libs}
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+%endif
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ installjdk ${bootbuilddir} ${bootinstalldir}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ stripjdk ${builddir}
+ installjdk ${builddir} ${installdir}
+ %{!?with_artifacts:rm -rf ${bootinstalldir}}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ stripjdk ${builddir}
+ installjdk ${builddir} ${installdir}
+ fi
+ packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir}
+
+%if %{system_libs}
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path
+top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+# System security properties are disabled by default on portable.
+# Turn on system security properties
+#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+#${JAVA_HOME}/conf/security/java.security
+
+# Check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+# Specific to portable:System security properties to be off by default
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+# set_speculation function exists in both cases, so check for prctl call
+%ifarch %{ssbd_arches}
+nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl
+%else
+if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi
+%endif
+
+%if ! 0%{?flatpak}
+# Check translations are available for new timezones (during flatpak builds, the
+# tzdb.dat used by this test is not where the test expects it, so this is
+# disabled for flatpak builds)
+# Disable test until we are on the latest JDK
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+ls -l $STATIC_LIBS_HOME
+ls -l $STATIC_LIBS_HOME/lib
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c
+%endif
+
+# Release builds strip the debug symbols into external .debuginfo files
+if [ "x$suffix" = "x" ] ; then
+ so_suffix="debuginfo"
+else
+ so_suffix="so"
+fi
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
+handle SIGSEGV pass nostop noprint
+handle SIGILL pass nostop noprint
+set breakpoint pending on
+break javaCalls.cpp:58
+commands 1
+backtrace
+quit
+end
+run -version
+EOF
+%ifarch %{gdb_arches}
+grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+%endif
+
+# Check src.zip has all sources. See RHBZ#1130490
+unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
+
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+
+# build cycles check
+done
+
+%install
+
+for suffix in %{build_loop} ; do
+
+ packagesdir=%{packageoutputdir -- ${suffix}}
+
+ if [ "x$suffix" == "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+
+ # These definitions should match those in installjdk
+ jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
+ jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
+ staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+ debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+ unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
+
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+ mv ${jdkarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${jdkarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${jrearchive} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${jrearchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+
+%if %{include_staticlibs}
+ mv ${staticarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${staticarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+%endif
+
+ if [ "x$suffix" = "x" ] ; then
+ mv ${debugarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${debugarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${unstrippedarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ${unstrippedarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ fi
+done
+
+# These definitions should match those in installjdk
+# Install outside the loop as there are no debug variants
+docarchive=${packagesdir}/%{docportablearchive}
+miscarchive=${packagesdir}/%{miscportablearchive}
+
+mv ${docarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${docarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${miscarchive} $RPM_BUILD_ROOT%{_jvmdir}/
+mv ${miscarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+
+# To show sha in the build log
+for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do
+ ls -l $file ;
+ cat $file ;
+done
+
+%if %{include_normal_build}
+
+%files
+# main package builds always
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum
+%else
+%files
+# placeholder
+%endif
+
+%files devel
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}
+%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
+%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
+
+%if %{include_staticlibs}
+%files static-libs
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum
+%endif
+
+%files unstripped
+%{_jvmdir}/%{jdkportablearchive -- .unstripped}
+%{_jvmdir}/%{jdkportablearchive -- .unstripped}.sha256sum
+
+%if %{include_debug_build}
+
+%files slowdebug
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum
+
+%files devel-slowdebug
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum
+%endif
+
+%endif
+
+%if %{include_fastdebug_build}
+
+%files fastdebug
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum
+
+%files devel-fastdebug
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum
+%endif
+
+%endif
+
+%files docs
+%{_jvmdir}/%{docportablearchive}
+%{_jvmdir}/%{docportablearchive}.sha256sum
+
+%files misc
+%{_jvmdir}/%{miscportablearchive}
+%{_jvmdir}/%{miscportablearchive}.sha256sum
+
+%changelog
+* Tue Jan 09 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.2.0.13-1
+- Update to jdk-21.0.2+13 (GA)
+- Update release notes to 21.0.2+13
+- Drop no longer needed local patch to fix versioning
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Mon Jan 08 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.2.0.12-1
+- Update to jdk-21.0.2+12 (GA)
+- Update release notes to 21.0.2+12
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Sat Jan 06 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.2.0.11-1
+- Update to jdk-21.0.2+11 (GA)
+- Update release notes to 21.0.2+11
+- Bump libpng version to 1.6.40 following JDK-8316030
+- Bump HarfBuzz version to 8.2.2 following JDK-8313643
+- Drop local JDK-8311630 patch which is now upstream
+- Locally patch versioning to be 21.0.2 released on 2014-01-16
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Mon Nov 06 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.1.0.12-2
+- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x
+
+* Sun Oct 29 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.1.0.12-1
+- Update to jdk-21.0.1.0+12 (GA)
+- Update release notes to 21.0.1.0+12
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng)
+- Sync generate_tarball.sh with 11u & 17u version
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Fix upstream release URL for OpenJDK source
+- Update buildjdkver to match the featurever
+- Re-enable SystemTap support and perform only substitutions possible without final NVR available
+- Fix typo which stops the EA designator being included in the build
+- Include tapsets in the miscellaneous tarball
+- Drop unused globals for tapset installation
+- Rebuild jmods using the stripped binaries in release builds
+- Make sure the unstripped JDK is customised by the installjdk function
+
+* Sat Oct 28 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
+- Update to jdk-21.0.0+35
+- Update release notes to 21.0.0+35
+- Update documentation (README.md)
+- Update system crypto policy & FIPS patch from new fips-21u tree
+- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal
+- Drop fakefeaturever now it is no longer needed
+- Hardcode buildjdkver while the build JDK is not yet 21
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Use upstream release URL for OpenJDK source
+- Re-enable tzdata tests now we are on the latest JDK and things are back in sync
+- Fix trailing '.' in tarball name
+- Use rpmrelease in vendor version to avoid inclusion of dist tag
+- Replace alt-java patch with a binary separate from the JDK
+- Drop stale patches that are of little use any more:
+- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
+- * No accessibility subpackage to warrant RH1648242 patch any more
+- * No use of system libjpeg turbo to warrant RH649512 patch any more
+- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
+
+* Sat Oct 28 2023 Petra Alice Mikova <pmikova@redhat.com> - 1:21.0.0.0.35-1
+- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:20.0.2.0.9-1.1
+- Update to jdk-20.0.2+9
+- Update release notes to 20.0.2+9
+- Update system crypto policy & FIPS patch from new fips-20u tree
+- Update generate_tarball.sh ICEDTEA_VERSION
+- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit)
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.0.0.36-1
+- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream
+- Adapted rh1750419-redhat_alt_java.patch
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.1.0.10-1
+- Update to jdk-19.0.2 release
+- Update release notes to 19.0.2
+- Rebase FIPS patches from fips-19u branch
+- Remove references to sample directory removed by JDK-8284999
+- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag
+- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases
+- Related: rhbz#2192749
+
+* Tue Oct 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.2.0.9-1
+- Update to jdk-18.0.2 release
+- Update release notes to actually reflect OpenJDK 18
+- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory
+- Rebase FIPS patches from fips-18u branch
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built
+- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21
+- Switch bootjdkver to java-21-openjdk
+- Disable tzdata tests until we are on the latest JDK and things are back in sync
+- Drop bootstrap JDKs and use the java-21-openjdk-rhel7 build
+- Related: rhbz#2192749
+
+* Tue Oct 24 2023 Petra Alice Mikova <pmikova@redhat.com> - 1:18.0.0.0.37-1
+- Update to ea version of jdk18
+- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+* Tue Aug 22 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-2
+- Define architectures we build on to avoid those without DTS 10 (e.g. s390)
+
+* Tue Aug 22 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-2
+- Switch to DTS 10
+- Related: rhbz#2192749
+
+* Mon May 15 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-2
+- Create java-21-openjdk-portable package based on java-17-openjdk-portable
+- Related: rhbz#2192749
+
+* Thu Apr 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-1
+- Update to jdk-17.0.7.0+7
+- Update release notes to 17.0.7.0+7
+- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
+- Reintroduce generate_source_tarball.sh from RHEL 9
+- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
+- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
+- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
+- Update FIPS support against 17.0.7+6 and bring in latest changes:
+- * RH2134669: Add missing attributes when registering services in FIPS mode.
+- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+- * RH1940064: Enable XML Signature provider in FIPS mode
+- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
+- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
+- Resolves: rhbz#2185182
+- Resolves: rhbz#2134669
+- Resolves: rhbz#1940064
+- Resolves: rhbz#2173781
+
+* Tue Feb 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-6
+- Add docs, icons and samples to the portable output
+- Make sure generated checksums work and don't include full path
+- The docs directory is a subdirectory of images, so remove confusing separate copying
+
+* Wed Feb 15 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-5
+- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build
+- Restore compiler flags to those used in RHEL
+- Drop unused static library patch
+- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago
+
+* Tue Feb 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-4
+- Separate JDK packaging into a separate function
+- Use variables to make it clearer what is going on
+- Use a package output directory as we do for building and installing
+- Workaround missing manpage directory in the JRE image
+
+* Sun Feb 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
+- Adapt the portable build to use the same system library handling as RHEL builds
+
+* Sat Jan 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-3
+- Add missing release note for JDK-8295687
+- Resolves: rhbz#2160111
+
+* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-2
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- * OJ1357: Fix issue on FIPS with a SecurityManager in place
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2118493
+
+* Fri Jan 13 2023 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.6.0.10-2
+- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
+- Related: rhbz#2160111
+
+* Wed Jan 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.10-1
+- Update to jdk-17.0.6.0+10
+- Update release notes to 17.0.6.0+10
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. **
+- Resolves: rhbz#2160111
+
+* Sat Oct 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- Related: rhbz#2160111
+
+* Thu Oct 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-1
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
+* Fri Sep 02 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
+- Update FIPS support to bring in latest changes
+- * RH2023467: Enable FIPS keys export
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2123579
+- Resolves: rhbz#2123580
+- Resolves: rhbz#2123581
+- Resolves: rhbz#2123583
+- Resolves: rhbz#2123584
+
+* Sun Aug 21 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.1.1-1
+- Added a missing change to portable NEWS file from upstream.
+
+* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-1
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119532
+
+* Mon Jul 18 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.8-1
+- Commented out: fipsver f8142a23d0a which was from rhel-9-main
+- Picked 17.0.4+8 GA tag from rhel-9.0.0
+- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0
+
+* Mon Jul 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-1
+- Update to jdk-17.0.4.0+8 (GA)
+- Update release notes to 17.0.4.0+8
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. **
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2084779
+
+* Tue Jul 12 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.1.ea
+- Tweaked line to print release information for portable
+
+* Tue Jul 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Related: rhbz#2084218
+
+* Thu Jun 30 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.3.0.7-8
+- Comment line for portable: System security properties to be off by default
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-8
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102433
+
+* Wed Jun 29 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.3.0.7-7
+- System security properties are disabled by default on portable.
+- Commented out lines which are not applicable for portable.
+
+* Wed Jun 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-7
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099844
+- Resolves: rhbz#2100677
+
+* Tue Jun 28 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.3.0.7-6
+- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+
+* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2029657
+- Resolves: rhbz#2096117
+
+* Wed May 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5
+- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build
+
+* Tue May 24 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.3.0.7-4
+- to pass aqa, fixing genuie failure in :
+- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions
+- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions
+- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+- this, properly named, patch must go to all our jdk17 builds, and to the fips repo
+
+* Thu May 19 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.3.0.7-3
+- to pass aqa:
+- removed copy system tzdb in favour of in-tree
+- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch
+- This is not intended to release untill we decide proper steps
+
+* Thu May 19 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.3.0.7-2
+- Include BOOT_JDK for s390x for portable
+- BOOT_JDK downlaoded form hydra as
+ java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz
+ and renamed
+- Added cosmetic changes to bypass a failure for s390x
+
+* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Remove JDK-8284548 and JDK-8284920 they are upstreamed now
+- Resolves: rhbz#2073579
+
+* Sat Apr 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-3
+- Add JDK-8284920 fix for XPath regression
+- Related: rhbz#2073575
+
+* Fri Apr 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-2
+- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit
+- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476
+- Related: rhbz#2073575
+
+* Mon Apr 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.6-1
+- April 2022 security update to jdk 17.0.3+6
+- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
+- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- JDK-8283911 patch no longer needed now we're GA...
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
+- Resolves: rhbz#2073575
+
+* Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050460
+
+* Tue Mar 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.2.0.8-10
+- Update icedtea_sync.sh with suitable message for portable
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-10
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022822
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-9
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Correction to previous changelog entry
+- Resolves: rhbz#2052070
+
+* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
+- Detect NSS at runtime for FIPS detection
+- Resolves: rhbz#2051605
+
+* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053521
+
+* Tue Feb 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-4
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+
+* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Related: rhbz#2039366
+
+* Wed Jan 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Resolves: rhbz#2039366
+- Minor change to the OUTPUT_FILE value to separate the name from the version with '-'
+
+* Mon Nov 29 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-3
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+ secmod.db file as part of nss
+- Resolves: rhbz#2023537
+
+* Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- October CPU update to jdk 17.0.1+12
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Add patch to allow plain key import.
+
+* Mon Oct 25 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-5
+- cacerts symlink is resolved before passed to configure
+- https://issues.redhat.com/browse/OPENJDK-487
+- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS
+-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss
+-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started
+
+* Thu Sep 30 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.35-4
+- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7
diff --git a/SOURCES/jdk8009550-rh910107-fail_to_load_pcsc_library.patch b/SOURCES/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9213937036360d1fccb5b68c5ca6d128e352bf47
--- /dev/null
+++ b/SOURCES/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
@@ -0,0 +1,125 @@
+commit d0523302416bc6507696f20d1068f16427bcf6b8
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date: Thu Aug 24 01:23:49 2023 +0100
+
+ 8009550: PlatformPCSC should load versioned so
+
+diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
+index bff273c6548..e5a6b288ff8 100644
+--- a/src/java.base/share/classes/sun/security/util/Debug.java
++++ b/src/java.base/share/classes/sun/security/util/Debug.java
+@@ -81,6 +81,7 @@ public static void Help()
+ System.err.println("logincontext login context results");
+ System.err.println("jca JCA engine class debugging");
+ System.err.println("keystore KeyStore debugging");
++ System.err.println("pcsc Smartcard library debugging");
+ System.err.println("policy loading and granting");
+ System.err.println("provider security provider debugging");
+ System.err.println("pkcs11 PKCS11 session manager debugging");
+diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+index bacff32efbc..d9f605ada1e 100644
+--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
++++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+@@ -1,5 +1,6 @@
+ /*
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2023, Red Hat Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -46,8 +47,13 @@ class PlatformPCSC {
+
+ private static final String PROP_NAME = "sun.security.smartcardio.library";
+
+- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
++ "/usr/local/$LIBISA/libpcsclite.so",
++ "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
++ "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
++ "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
++ "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
++ private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
+ private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
+@@ -73,23 +79,38 @@ public Throwable run() {
+ });
+
+ // expand $LIBISA to the system specific directory name for libraries
++ // expand $ARCH to the Debian system architecture in use
+ private static String expand(String lib) {
+ int k = lib.indexOf("$LIBISA");
+- if (k == -1) {
+- return lib;
++ if (k != -1) {
++ String libDir;
++ if ("64".equals(System.getProperty("sun.arch.data.model"))) {
++ // assume Linux convention
++ libDir = "lib64";
++ } else {
++ // must be 32-bit
++ libDir = "lib";
++ }
++ lib = lib.replace("$LIBISA", libDir);
+ }
+- String s1 = lib.substring(0, k);
+- String s2 = lib.substring(k + 7);
+- String libDir;
+- if ("64".equals(System.getProperty("sun.arch.data.model"))) {
+- // assume Linux convention
+- libDir = "lib64";
+- } else {
+- // must be 32-bit
+- libDir = "lib";
++
++ k = lib.indexOf("$ARCH");
++ if (k != -1) {
++ String arch = System.getProperty("os.arch");
++ lib = lib.replace("$ARCH", getDebianArchitecture(arch));
+ }
+- String s = s1 + libDir + s2;
+- return s;
++
++ return lib;
++ }
++
++ private static String getDebianArchitecture(String jdkArch) {
++ return switch (jdkArch) {
++ case "amd64" -> "x86_64";
++ case "ppc" -> "powerpc";
++ case "ppc64" -> "powerpc64";
++ case "ppc64le" -> "powerpc64le";
++ default -> jdkArch;
++ };
+ }
+
+ private static String getLibraryName() throws IOException {
+@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
+ if (lib.length() != 0) {
+ return lib;
+ }
+- lib = expand(LIB1);
+- if (new File(lib).isFile()) {
+- // if LIB1 exists, use that
+- return lib;
+- }
+- lib = expand(LIB2);
+- if (new File(lib).isFile()) {
+- // if LIB2 exists, use that
+- return lib;
++
++ for (String template : LIB_TEMPLATES) {
++ for (String suffix : LIB_SUFFIXES) {
++ lib = expand(template) + suffix;
++ if (debug != null) {
++ debug.println("Looking for " + lib);
++ }
++ if (new File(lib).isFile()) {
++ // if library exists, use that
++ return lib;
++ }
++ }
+ }
+
+ // As of macos 11, framework libraries have been removed from the file
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
new file mode 100644
index 0000000000000000000000000000000000000000..25c2fc8d6b6223c0442a41adb51230244589d1a1
--- /dev/null
+++ b/SOURCES/remove-intree-libraries.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# Arguments: <JDK TREE> <MINIMAL|FULL>
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 <JDK_TREE> (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib & freetype having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
+
+# Minimal is limited to just zlib and freetype so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/SPECS/java-21-openjdk.spec b/SPECS/java-21-openjdk.spec
index 535188793a10664546b314be518a6d287bd43cc6..de0556b5aafd4d0343333c83a8d0bbc09549647e 100644
--- a/SPECS/java-21-openjdk.spec
+++ b/SPECS/java-21-openjdk.spec
@@ -1,3 +1,8 @@
+# To rebuild this RPM, you must first rebuild the portable
+# RPM using the java-21-openjdk-portable.specfile, install
+# it and then adjust portablerelease and portablesuffix
+# to match the new portable.
+
# RPM conditionals so as to be able to dynamically produce
# slowdebug/release builds. See:
# http://rpm.org/user_doc/conditional_builds.html
@@ -21,6 +26,8 @@
%bcond_without release
# Enable static library builds by default.
%bcond_without staticlibs
+# Build with system libraries
+%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -30,14 +37,24 @@
%global include_staticlibs 0
%endif
-#placeholder - used in regexes, otherwise for no use in portables
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
%global freetype_lib |libfreetype[.]so.*
+%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
%global _find_debuginfo_opts -g
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
@@ -46,14 +63,10 @@
# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
%global debug_suffix_unquoted -slowdebug
%global fastdebug_suffix_unquoted -fastdebug
-%global main_suffix_unquoted -main
-%global staticlibs_suffix_unquoted -staticlibs
# quoted one for shell operations
%global debug_suffix "%{debug_suffix_unquoted}"
%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
%global normal_suffix ""
-%global main_suffix "%{main_suffix_unquoted}"
-%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
@@ -107,12 +120,15 @@
%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
# Set of architectures which support SystemTap tapsets
%global systemtap_arches %{jit_arches}
# Set of architectures with a Ahead-Of-Time (AOT) compiler
%global aot_arches x86_64 %{aarch64}
# Set of architectures which support the serviceability agent
%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
# However, it does segfault on the Zero assembler port, so currently JIT only
%global share_arches %{jit_arches}
@@ -122,15 +138,10 @@
%global zgc_arches x86_64
# Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64
-# Set of architectures for which java has short vector math library (libsvml.so)
+# Set of architectures for which java has short vector math library (libjsvml.so)
%global svml_arches x86_64
# Set of architectures where we verify backtraces with gdb
-# s390x fails on RHEL 7 so we exclude it there
-%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
-%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
-%else
%global gdb_arches %{jit_arches} %{zero_arches}
-%endif
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
@@ -177,10 +188,14 @@
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
-%if %{include_staticlibs}
-%global staticlibs_loop %{staticlibs_suffix}
+%if 0%{?flatpak}
+%global bootstrap_build false
%else
-%global staticlibs_loop %{nil}
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
%endif
%if %{include_staticlibs}
@@ -196,21 +211,25 @@
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
-# VM variant being built
-%ifarch %{zero_arches}
-%global vm_variant zero
-%else
-%global vm_variant server
-%endif
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
# debugedit tool for rewriting ELF file paths
-%global debugedit %( if [ -f "%{_rpmconfigdir}/debugedit" ]; then echo "%{_rpmconfigdir}/debugedit" ; else echo "/usr/bin/debugedit"; fi )
+%global debugedit %{_rpmconfigdir}/debugedit
-# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
-# the initialization must be here. Later the pkg-config have buggy behavior
-# looks like openjdk RPM specific bug
-# Always set this so the nss.cfg file is not broken
-%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
# In some cases, the arch used by the JDK does
# not match _arch.
@@ -283,7 +302,6 @@
%global interimver 0
%global updatever 2
%global patchver 0
-
# We don't add any LTS designator for STS packages (Fedora and EPEL).
# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
%if 0%{?rhel} && !0%{?epel}
@@ -313,10 +331,12 @@
%endif
%endif
%endif
-%global oj_vendor_version (Red_Hat-%{version}-%{release})
+%global oj_vendor_version (Red_Hat-%{version}-%{portablerelease})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 75ffdc48eda
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@@ -332,6 +352,11 @@
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 13
%global rpmrelease 1
+# Settings used by the portable build
+%global portablerelease 1
+%global portablesuffix el7_9
+%global portablebuilddir /builddir/build/BUILD
+
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -370,11 +395,8 @@
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
-# installation directory for static libraries
-%global static_libs_root lib/static
-%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
-%global static_libs_install_dir %{static_libs_arch_dir}/glibc
-
+# output dir stub
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@@ -384,7 +406,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|lible[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -400,6 +422,12 @@
%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
%endif
+# VM variant being built
+%ifarch %{zero_arches}
+%global vm_variant zero
+%else
+%global vm_variant server
+%endif
%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
@@ -411,20 +439,15 @@
%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
%global alt_java_name alt-java
-%global generated_sources_name generated_sources
%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
-# For flatpack builds hard-code dependency paths,
-# otherwise use relative paths.
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
%if 0%{?flatpak}
%global alternatives_requires /usr/sbin/alternatives
-%global javazidir /usr/share/javazi-1.8
-%global portablejvmdir /usr/lib/jvm
%else
%global alternatives_requires %{_sbindir}/alternatives
-%global javazidir %{_datadir}/javazi-1.8
-%global portablejvmdir %{_jvmdir}
%endif
%global family %{name}.%{_arch}
@@ -444,13 +467,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-%if 0%{?java_arches:1}
-ExclusiveArch: %{java_arches}
-%else
-ExcludeArch: %{ix86}
-%endif
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -795,7 +811,8 @@ exit 0
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
-%{_jvmdir}/%{sdkdir -- %{?1}}/NEWS
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile
%dir %{_sysconfdir}/.java/.systemPrefs
%dir %{_sysconfdir}/.java
%dir %{_jvmdir}/%{sdkdir -- %{?1}}
@@ -818,7 +835,6 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@@ -828,7 +844,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@@ -883,7 +901,6 @@ exit 0
%dir %{etcjavadir -- %{?1}}/lib
%dir %{etcjavadir -- %{?1}}/lib/security
%{etcjavadir -- %{?1}}/lib/security/cacerts
-%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
%dir %{etcjavadir -- %{?1}}/conf
%dir %{etcjavadir -- %{?1}}/conf/sdp
%dir %{etcjavadir -- %{?1}}/conf/management
@@ -902,16 +919,16 @@ exit 0
%{etcjavadir -- %{?1}}/conf/security/policy/README.txt
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
# This is a config template, thus not config-noreplace
%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/conf
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
%if %is_system_jdk
@@ -921,10 +938,7 @@ exit 0
%ghost %{_bindir}/%{alt_java_name}
%ghost %{_bindir}/jcmd
%ghost %{_bindir}/keytool
-%ghost %{_bindir}/pack200
-%ghost %{_bindir}/rmid
%ghost %{_bindir}/rmiregistry
-%ghost %{_bindir}/unpack200
%ghost %{_jvmdir}/jre-%{origin}
%ghost %{_jvmdir}/jre-%{javaver}
%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
@@ -981,24 +995,23 @@ exit 0
%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@@ -1010,7 +1023,6 @@ exit 0
%if %{is_release_build -- %{?1}}
%ghost %{_bindir}/javac
%ghost %{_jvmdir}/java
-%ghost %{_jvmdir}/%{alt_java_name}
%ghost %{_bindir}/jlink
%ghost %{_bindir}/jmod
%ghost %{_bindir}/jhsdb
@@ -1022,15 +1034,18 @@ exit 0
%ghost %{_bindir}/jdb
%ghost %{_bindir}/jdeps
%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jfr
%ghost %{_bindir}/jimage
%ghost %{_bindir}/jinfo
%ghost %{_bindir}/jmap
%ghost %{_bindir}/jps
+%ghost %{_bindir}/jpackage
%ghost %{_bindir}/jrunscript
%ghost %{_bindir}/jshell
%ghost %{_bindir}/jstack
%ghost %{_bindir}/jstat
%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/jwebserver
%ghost %{_bindir}/serialver
%ghost %{_jvmdir}/java-%{origin}
%ghost %{_jvmdir}/java-%{javaver}
@@ -1051,15 +1066,13 @@ exit 0
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
-%{_jvmdir}/%{sdkdir -- %{?1}}/full_sources
-%{_jvmdir}/%{sdkdir -- %{?1}}/%{generated_sources_name}
}
%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
-%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
}
%define files_javadoc() %{expand:
@@ -1088,6 +1101,9 @@ exit 0
%endif
}
+# x86 is not supported by OpenJDK 17
+ExcludeArch: %{ix86}
+
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
Requires: fontconfig%{?_isa}
@@ -1124,8 +1140,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2022g required as of JDK-8297804
-Requires: tzdata-java >= 2022g
+# 2023c required as of JDK-8305113
+Requires: tzdata-java >= 2023c
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1246,14 +1262,16 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
# Prevent brp-java-repack-jars from being run
%global __jar_repack 0
+# Define the OS the portable JDK is built on
+%global pkgos rhel7
+# Define the root name of the portable packages
+%global pkgnameroot java-%{featurever}-%{origin}-portable%{?pkgos:-%{pkgos}}
-%global portable_name %{name}-portable
-# the version must match, but sometmes we need to more precise, so including release
-%global portable_version %{version}-1
-
-Name: java-21-%{origin}
+Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# Equivalent for the portable build
+%global prelease %{?eaprefix}%{portablerelease}%{?extraver}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1288,6 +1306,9 @@ Group: Development/Languages
License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
URL: http://openjdk.java.net/
+# The source tarball, generated using generate_source_tarball.sh
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
+
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
# Systemtap tapsets. Zipped up to keep it small.
@@ -1296,6 +1317,12 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz
# Desktop files. Adapted from IcedTea
Source9: jconsole.desktop.in
+# Source code for alt-java
+Source11: alt-java.c
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
# Ensure we aren't using the limited crypto policy
Source13: TestCryptoLevel.java
@@ -1311,66 +1338,166 @@ Source16: CheckVendor.java
# Ensure translations are available for new timezones
Source18: TestTranslations.java
-BuildRequires: %{portable_name}-sources >= %{portable_version}
-BuildRequires: %{portable_name}-misc >= %{portable_version}
-BuildRequires: %{portable_name}-docs >= %{portable_version}
+# Include portable spec and instructions on how to rebuild
+Source19: README.md
+Source20: java-%{featurever}-openjdk-portable.specfile
+
+# Setup variables to reference correct sources
+%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz
+%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz
+%global docszip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz
+%global misczip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz
+%global slowdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz
+%global slowdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.slowdebug.static-libs.%{_arch}.tar.xz
+%global fastdebugzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz
+%global fastdebugstaticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.fastdebug.static-libs.%{_arch}.tar.xz
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
+# OJ1357: Fix issue on FIPS with a SecurityManager in place
+# RH2134669: Add missing attributes when registering services in FIPS mode.
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+# RH1940064: Enable XML Signature provider in FIPS mode
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
+Patch1001: fips-%{featurever}u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
-%if %{include_normal_build}
-BuildRequires: %{portable_name}-unstripped >= %{portable_version}
-%if %{include_staticlibs}
-BuildRequires: %{portable_name}-static-libs >= %{portable_version}
-%endif
-%endif
-%if %{include_fastdebug_build}
-BuildRequires: %{portable_name}-devel-fastdebug >= %{portable_version}
-%if %{include_staticlibs}
-BuildRequires: %{portable_name}-static-libs-fastdebug >= %{portable_version}
-%endif
-%endif
-%if %{include_debug_build}
-BuildRequires: %{portable_name}-devel-slowdebug >= %{portable_version}
-%if %{include_staticlibs}
-BuildRequires: %{portable_name}-static-libs-slowdebug >= %{portable_version}
-%endif
-%endif
+# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+# PR: https://github.com/openjdk/jdk/pull/15409
+Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+
+# Currently empty
+
+#############################################
+#
+# OpenJDK patches which missed last update
+#
+#############################################
+
+#############################################
+#
+# Portable build specific patches
+#
+#############################################
+# Currently empty
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: gcc-c++
BuildRequires: gdb
-# for modyfying build-id in clashing binaries
-BuildRequires: /usr/bin/gcc
-BuildRequires: /usr/bin/objcopy
-BuildRequires: /usr/bin/readelf
-# Requirement for setting and nss.fips.cfg
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
BuildRequires: crypto-policies
BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
-BuildRequires: unzip
BuildRequires: javapackages-filesystem
-# ?
-BuildRequires: tzdata-java >= 2022g
+%if %{include_normal_build}
+BuildRequires: %{pkgnameroot}-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+BuildRequires: %{pkgnameroot}-static-libs = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+%endif
+%if %{include_fastdebug_build}
+BuildRequires: %{pkgnameroot}-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+BuildRequires: %{pkgnameroot}-static-libs-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+%endif
+%if %{include_debug_build}
+BuildRequires: %{pkgnameroot}-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+BuildRequires: %{pkgnameroot}-static-libs-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+%endif
+BuildRequires: %{pkgnameroot}-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix}
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
%if %{with_systemtap}
BuildRequires: systemtap-sdt-devel
%endif
+BuildRequires: make
-# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.1
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/legal/freetype.md
+Provides: bundled(freetype) = 2.13.0
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 4.4.1
+Provides: bundled(harfbuzz) = 8.2.2
# Version in src/java.desktop/share/native/liblcms/lcms2.h
-Provides: bundled(lcms2) = 2.12.0
+Provides: bundled(lcms2) = 2.15.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.37
-# We link statically against libstdc++ to increase portability
-BuildRequires: libstdc++-static
+Provides: bundled(libpng) = 1.6.40
+%endif
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
@@ -1483,7 +1610,7 @@ Group: Development/Tools
%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
%description devel-fastdebug
-The %{origin_nice} %{featurever} development tools.
+The %{origin_nice} %{featurever} development tools .
%{fastdebug_warning}
%endif
@@ -1680,8 +1807,16 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%endif
%prep
+
echo "Preparing %{oj_vendor_version}"
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
echo "include_normal_build is %{include_normal_build}"
else
@@ -1705,7 +1840,7 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ
exit 14
fi
-%setup -q -c -n %{uniquesuffix ""} -T
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
prioritylength=`expr length %{priority}`
if [ $prioritylength -ne 8 ] ; then
@@ -1713,57 +1848,41 @@ if [ $prioritylength -ne 8 ] ; then
exit 14
fi
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.sources.noarch.tar.xz
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable*.misc.%{_arch}.tar.xz
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable*.docs.%{_arch}.tar.xz
+# OpenJDK patches
-%if %{include_normal_build}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.unstripped.jdk.%{_arch}.tar.xz
-%if %{include_staticlibs}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.static-libs.%{_arch}.tar.xz
-%endif
-%endif
-%if %{include_fastdebug_build}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.fastdebug.jdk.%{_arch}.tar.xz
-%if %{include_staticlibs}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.fastdebug.static-libs.%{_arch}.tar.xz
-%endif
-%endif
-%if %{include_debug_build}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.slowdebug.jdk.%{_arch}.tar.xz
-%if %{include_staticlibs}
-tar -xf %{portablejvmdir}/%{compatiblename}*%{version}*portable.slowdebug.static-libs.%{_arch}.tar.xz
-%endif
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
%endif
-# Extract systemtap tapsets
-%if %{with_systemtap}
-tar --strip-components=1 -x -I xz -f %{SOURCE8}
-%if %{include_debug_build}
-cp -r tapset tapset%{debug_suffix}
-%endif
-%if %{include_fastdebug_build}
-cp -r tapset tapset%{fastdebug_suffix}
-%endif
+# Patch the JDK
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# Patches in need of upstreaming
+%patch6 -p1
+popd # openjdk
-for suffix in %{build_loop} ; do
- for file in "tapset"$suffix/*.in; do
- OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
- sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
- sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
-# TODO find out which architectures other than i686 have a client vm
-%ifarch %{ix86}
- sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
-%else
- sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
-%endif
- sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
- sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
- sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
- done
-done
-# systemtap tapsets ends
-%endif
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ exit 17
+fi
# Prepare desktop files
# The _X_ syntax indicates variables that are replaced by make upstream
@@ -1783,125 +1902,196 @@ done
done
%build
-# we need to symlink sources to expected location, so debuginfo strip can locate debugsources
-src_image=`ls -d %{compatiblename}*%{version}*portable.sources.noarch`
-misc_image=`ls -d %{compatiblename}*%{version}*portable.misc.%{_arch}`
-cp -rf $misc_image/%{generated_sources_name}/%{vcstag}/ $src_image # it would be nice to remove them once debugsources are generated:(
-ln -s $src_image/%{vcstag} %{vcstag}
-mkdir build
-pushd build
- cp -r ../$misc_image/%{generated_sources_name}/jdk%{featurever}.build* .
-popd
-doc_image=`ls -d %{compatiblename}*%{version}*portable.docs.%{_arch}`
-# in addition the builddir must match the builddir of the portables, including release
-# be aware, even os may be different, especially with buildonce, repack everywhere
-# so deducting it from installed deps
-portablenvr=`echo ${misc_image} | sed "s/portable.*.misc.//"`
-portablebuilddir=/builddir/build/BUILD
+
+function customisejdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+ fi
+}
+
+mkdir -p $(dirname %{installoutputdir})
+
+docdir=%{installoutputdir -- "-docs"}
+tar -xJf %{docszip}
+mv java-%{featurever}-openjdk*.docs.* ${docdir}
+
+miscdir=%{installoutputdir -- "-misc"}
+tar -xJf %{misczip}
+mv java-%{featurever}-openjdk*.misc.* ${miscdir}
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ jdkzip=%{releasezip}
+ staticlibzip=%{staticlibzip}
+ elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then
+ jdkzip=%{fastdebugzip}
+ staticlibzip=%{fastdebugstaticlibzip}
+ else # slowdebug
+ jdkzip=%{slowdebugzip}
+ staticlibzip=%{slowdebugstaticlibzip}
+ fi
+
+ installdir=%{installoutputdir -- ${suffix}}
+
+ # TODO: should verify checksums when using packages from buildroot
+ tar -xJf ${jdkzip}
+ tar -xJf ${staticlibzip}
+ mv java-%{featurever}-openjdk* ${installdir}
+
# Fix build paths in ELF files so it looks like we built them
- for file in $(find `pwd` -type f | grep -v -e "$src_image" -e "$doc_image") ; do
+ portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}"
+ for file in $(find ${installdir} -type f) ; do
if file ${file} | grep -q 'ELF'; then
- %{debugedit} -b "${portablebuilddir}/${portablenvr}" -d "$(pwd)" -n "${file}"
+ %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
fi
done
-%install
-function installjdk() {
- local imagepath=${1}
+ # Set tapset variables to match this build
+%if %{with_systemtap}
+ for file in ${miscdir}/tapset${suffix}/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{vm_variant}/libjvm.so:g" $file > ${OUTPUT_FILE}
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -i -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" ${OUTPUT_FILE}
+%else
+ sed -i -e "/@ABS_CLIENT_LIBJVM_SO@/d" ${OUTPUT_FILE}
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+%endif
- if [ -d ${imagepath} ] ; then
- # the build (erroneously) removes read permissions from some jars
- # this is a regression in OpenJDK 7 (our compiler):
- # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
- find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+ # Final setup on the main image
+ customisejdk ${installdir}
- # Build screws up permissions on binaries
- # https://bugs.openjdk.java.net/browse/JDK-8173610
- find ${imagepath} -iname '*.so' -exec chmod +x {} \;
- find ${imagepath}/bin/ -exec chmod +x {} \;
+ # Print release information
+ cat ${installdir}/release
- # Install nss.cfg right away as we will be using the JRE above
- #is already there from portables
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- #is already there from portables
+# build cycles
+done # end of release / debug cycle loop
- # Turn on system security properties
- sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
- ${imagepath}/conf/security/java.security
+%check
- # Use system-wide tzdata
- mv ${imagepath}/lib/tzdb.dat{,.upstream}
- ln -sv %{javazidir}/tzdb.dat ${imagepath}/lib/tzdb.dat
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
- # Rename OpenJDK cacerts database
- mv ${imagepath}/lib/security/cacerts{,.upstream}
- # Install cacerts symlink needed by some apps which hard-code the path
- ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
+export JAVA_HOME=$(pwd)/%{installoutputdir -- ${suffix}}
- # add alt-java man page
- # alt-java man and bianry are here from portables. Or not?
- fi
-}
+# Pre-test setup
-# Checks on debuginfo must be performed before the files are stripped
-# by the RPM installation stage
-function debugcheckjdk() {
- local imagepath=${1}
+# Check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
- if [ -d ${imagepath} ] ; then
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
- so_suffix="so"
- # Check debug symbols are present and can identify code
- find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
- do
- if [ -f "$lib" ] ; then
- echo "Testing $lib for debug symbols"
- # All these tests rely on RPM failing the build if the exit code of any set
- # of piped commands is non-zero.
-
- # Test for .debug_* sections in the shared object. This is the main test
- # Stripped objects will not contain these
- eu-readelf -S "$lib" | grep "] .debug_"
- test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
- # Test FILE symbols. These will most likely be removed by anything that
- # manipulates symbol tables because it's generally useless. So a nice test
- # that nothing has messed with symbols
- old_IFS="$IFS"
- IFS=$'\n'
- for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
- do
- # We expect to see .cpp and .S files, except for architectures like aarch64 and
- # s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
- done
- IFS="$old_IFS"
-
- # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
- if [ "`basename $lib`" = "libjvm.so" ]; then
- eu-readelf -s "$lib" | \
- grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
- fi
-
- # Test that there are no .gnu_debuglink sections pointing to another
- # debuginfo file. There shouldn't be any debuginfo files, so the link makes
- # no sense either
- eu-readelf -S "$lib" | grep 'gnu'
- if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
- echo "bad .gnu_debuglink section."
- eu-readelf -x .gnu_debuglink "$lib"
- false
- fi
- fi
- done
-
- # Make sure gdb can do a backtrace based on line numbers on libjvm.so
- # javaCalls.cpp:58 should map to:
- # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
- # Using line number 1 might cause build problems. See:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
- # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
- gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
+# Check alt-java launcher has SSB mitigation on supported architectures
+# set_speculation function exists in both cases, so check for prctl call
+alt_java_binary=$RPM_BUILD_ROOT%{jrebindir -- $suffix}/%{alt_java_name}
+%ifarch %{ssbd_arches}
+nm ${alt_java_binary} | grep prctl
+%else
+if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi
+%endif
+
+%if ! 0%{?flatpak}
+# Check translations are available for new timezones (during flatpak builds, the
+# tzdb.dat used by this test is not where the test expects it, so this is
+# disabled for flatpak builds)
+# Disable test until we are on the latest JDK
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc
+readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c
+readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
@@ -1912,115 +2102,70 @@ quit
end
run -version
EOF
+
%ifarch %{gdb_arches}
- grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
- fi
-}
+# Check src.zip has all sources. See RHBZ#1130490
+unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
-for suffix in %{build_loop} ; do
- if [ "x$suffix" = "x" ] ; then
- debugbuild=""
- else
- # change -something to .something
- debugbuild=`echo $suffix | sed "s/-/./g"`
- fi
- # Final setup on the untarred images
- # TODO revisit. jre may be complety useless to unpack and process,
- # as all the files are taken from JDK tarball ans put to packages manually.
- # jre tarball may be usefull for checking integrity of jre and jre headless subpackages
- #for jdkjre in jdk jre ; do
- for jdkjre in jdk ; do
- buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*`
- top_dir_abs_main_build_path=$(pwd)/${buildoutputdir}
- installjdk ${top_dir_abs_main_build_path}
- # it may happen, that some library - in original case libjsvml build identically for two jdks
- # it is becasue of our ld/gcc flags - otherwise rpm build enhances each binarry by full path to it
- # if it is hit then this library needs to have build-id repalced - note, that it do not affect dbugability
- clashinglibs=""
-%ifarch %{svml_arches}
- clashinglibs="$clashinglibs lib/libjsvml.so"
-%endif
- for lib in $clashinglibs ; do
- libjsvmlgcchackdir=`mktemp -d`
- pushd $libjsvmlgcchackdir
- libjsvml=${top_dir_abs_main_build_path}/$lib
- ls -l $libjsvml
- echo "#include <stdio.h>" > a.c
- echo "int main(void) { printf(\"$libjsvml\"); }" >> a.c
- gcc a.c -o exe
- readelf -n exe | grep "Build ID"
- readelf -n $libjsvml | grep "Build ID"
- objcopy --dump-section .note.gnu.build-id=id exe
- objcopy --update-section .note.gnu.build-id=id $libjsvml
- readelf -n $libjsvml | grep -i "Build ID"
- popd
- rm -rf $libjsvmlgcchackdir
- done
- # Check debug symbols were built into the dynamic libraries
- if [ $jdkjre == jdk ] ; then
- #jdk only?
- debugcheckjdk ${top_dir_abs_main_build_path}
- fi
- # Print release information
- cat ${top_dir_abs_main_build_path}/release
- done
-# build cycles
-done # end of release / debug cycle loop
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+
+# build cycles check
+done
+
+%install
STRIP_KEEP_SYMTAB=libjvm*
for suffix in %{build_loop} ; do
- if [ "x$suffix" = "x" ] ; then
- debugbuild=""
- else
- # change -something to .something
- debugbuild=`echo $suffix | sed "s/-/./g"`
- fi
- buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.jdk*`
- top_dir_abs_main_build_path=$(pwd)/${buildoutputdir}
-%if %{include_staticlibs}
- top_dir_abs_staticlibs_build_path=`ls -d $top_dir_abs_main_build_path/lib/static/*/glibc/`
-%endif
- jdk_image=${top_dir_abs_main_build_path}
- src_image=`echo ${top_dir_abs_main_build_path} | sed "s/portable.*.%{_arch}/portable.sources.noarch/"`
- misc_image=`echo ${top_dir_abs_main_build_path} | sed "s/portable.*.%{_arch}/portable.misc.%{_arch}/"`
- docs_image=`echo ${top_dir_abs_main_build_path} | sed "s/portable.*.%{_arch}/portable.docs.%{_arch}/"`
-# Install the jdk
-mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-# Install icons
-for s in 16 24 32 48 ; do
- install -D -p -m 644 \
- ${src_image}/%{vcstag}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \
- $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png
-done
+jdk_image=$(pwd)/%{installoutputdir -- ${suffix}}
+# Should match same definitions in build section
+docdir=$(pwd)/%{installoutputdir -- "-docs"}
+miscdir=$(pwd)/%{installoutputdir -- "-misc"}
+# Install release notes and rebuild instructions
+commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
+install -d -m 755 ${commondocdir}
+mv ${jdk_image}/NEWS ${commondocdir}
+cp -a %{SOURCE19} %{SOURCE20} ${commondocdir}
+# Install the jdk
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
-cp -a ${src_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/full_sources
-cp -a ${misc_image}/%{generated_sources_name} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
-cp -a ${misc_image}/alt-java $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/bin
-
-pushd ${jdk_image}
+# Install %{alt_java_name} binary
+install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $suffix}
%if %{with_systemtap}
# Install systemtap support files
install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset
- # note, that uniquesuffix is in BUILD dir in this case
- cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
+ cp -a ${miscdir}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
tapsetFiles=`ls *.stp`
popd
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
for name in $tapsetFiles ; do
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
- ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
+ ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
done
%endif
+ # Remove empty cacerts database
+ rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
+ # Install cacerts symlink needed by some apps which hard-code the path
+ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
+ ln -sf /etc/pki/java/cacerts .
+ popd
+
# Install version-ed symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
@@ -2028,42 +2173,38 @@ pushd ${jdk_image}
# Install man pages
install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1
+ pushd ${jdk_image}
for manpage in man/man1/*
do
# Convert man pages to UTF8 encoding
iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp
mv -f $manpage.tmp $manpage
- install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename $manpage .1)-%{uniquesuffix -- $suffix}.1
+ install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \
+ $manpage .1)-%{uniquesuffix -- $suffix}.1
done
# Remove man pages from jdk image
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
-
-popd
-
-# Install static libs artefacts
-%if %{include_staticlibs}
-mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
-cp -a ${top_dir_abs_staticlibs_build_path}/*.a $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
-%endif
+ popd
if ! echo $suffix | grep -q "debug" ; then
- # Install Javadoc documentation
- install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
- install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
- built_doc_archive=$(basename $(ls ${docs_image}/jdk*docs.zip))
- cp -a ${docs_image}/${built_doc_archive} \
- $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
- pushd $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
- unzip ${docs_image}/${built_doc_archive}
- popd
+ # Install Javadoc documentation
+ install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
+ cp -a ${docdir}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
+ built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+ cp -a ${docdir}/${built_doc_archive} \
+ $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/
+ touch $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
fi
-# Install release notes
-commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
-install -d -m 755 ${commondocdir}
-cp -a ${top_dir_abs_main_build_path}/NEWS ${commondocdir}
+# Install icons and menu entries
+for s in 16 24 32 48 ; do
+ install -D -p -m 644 \
+ ${miscdir}/java-icon${s}.png \
+ $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png
+done
# Install desktop files
+# TODO: provide desktop files via portable
install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps}
for e in jconsole$suffix ; do
desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \
@@ -2080,14 +2221,13 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
- ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
+ ln -s %{etcjavadir -- $suffix}/conf ./conf
popd
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
- ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
+ ln -s %{etcjavadir -- $suffix}/lib/security ./security
popd
# end moving files to /etc
-#TODO this is done also i portables and in install jdk. But hard to say where the operation will hapen at the end
# stabilize permissions
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
@@ -2096,82 +2236,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
# end, dual install
done
-%check
-
-# We test debug first as it will give better diagnostics on a crash
-for suffix in %{build_loop} ; do
-
-# Tests in the check stage are performed on the installed image
-# rpmbuild operates as follows: build -> install -> test
-export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
-
-#check Shenandoah is enabled
-%if %{use_shenandoah_hotspot}
-$JAVA_HOME/bin/java -XX:+UseShenandoahGC -version
-%endif
-
-# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE13}
-$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
-
-# Check ECC is working
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-
-# Check system crypto (policy) is active and can be disabled
-# Test takes a single argument - true or false - to state whether system
-# security properties are enabled or not.
-$JAVA_HOME/bin/javac -d . %{SOURCE15}
-export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
-export SEC_DEBUG="-Djava.security.debug=properties"
-$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
-$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-
-# Check java launcher has no SSB mitigation
-if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-# Check alt-java launcher has SSB mitigation on supported architectures
-# set_speculation function exists in both cases, so check for prctl call
-%ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep prctl
-%else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep prctl ; then true ; else false; fi
-%endif
-
-# Check correct vendor values have been set
-$JAVA_HOME/bin/javac -d . %{SOURCE16}
-#TODO skipped vendor check. It now points to PORTABLE version of jdk.
-#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
-
-# Check translations are available for new timezones
-$JAVA_HOME/bin/javac -d . %{SOURCE18}
-#TODO doublecheck tzdata handling
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE || echo "TZDATA no longer can be synced with system, because we repack"
-$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR || echo "TZDATA no longer can be synced with system, because we repack"
-
-%if %{include_staticlibs}
-# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
-readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c
-readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c
-%endif
-
-# Check src.zip has all sources. See RHBZ#1130490
-$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
-
-# Check class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
-
-# Check generated class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-
-# build cycles check
-done
-
%if %{include_normal_build}
# intentionally only for non-debug
%pretrans headless -p <lua>
@@ -2416,966 +2480,135 @@ cjc.mainProgram(args)
%endif
%changelog
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:21.0.2.0.13-1.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jan 20 2024 Jiri Vanek <jvanek@redhat.com> - 1:21.0.2.0.13-1
-* forked from java-latest-openjdk
-
-* Sat Jan 20 2024 Jiri Vanek <jvanek@redhat.com> - 1:21.0.2.0.13-1
+* Tue Jan 09 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.2.0.13-1
- Update to jdk-21.0.2+13 (GA)
-
-* Sat Dec 16 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.1.0.12-4.rolling
-* using generated sources from portables for final debuginfo
-
-* Sat Dec 09 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.1.0.12-3.rolling
-- proeprly filing debugsources pkg
- by addedd symlinks restructuring the structure for original build sources
-- according to logs, some are still missing
- probably generated during the build, and thus not existing in prep,
- when the sources subpkg is created after patching
-
-* Wed Nov 22 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.1.0.12-2.rolling
-- added setup and thus enabled debuginfo strip
-- note, that debugsources are now empty. Symlink from full sourcess to build/jdk21.build or build/vcstag is needed
-
-* Wed Nov 22 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.1.0.12-1.rolling
-- updated to OpenJDK 21.0.1 (2023-10-17)
-
-* Fri Sep 29 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 1:21.0.0.0.35-3.rolling
-- Fix flatpak build by handling different installation prefixes of package dependencies
-
-* Tue Sep 19 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.0.0.35-2.rolling
-- adapted to new path in sources
-- repacked alt-java from misc subpkg
-- adapted alt-java to grep correctly prctl
-- removed no longer prepared nss.cfg
-
-* Tue Aug 29 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.0.0.35-1.rolling
-- updated to jdk 21
-
-* Mon Aug 07 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.2.0.9-2.rolling
-- updated to July security update 20.0.2.9 portables
-
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:20.0.1.0.9-8.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu May 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:20.0.1.0.9-8.rolling
+- Sync the copy of the portable specfile with the latest update
+- Bump libpng version to 1.6.40 following JDK-8316030
+- Bump HarfBuzz version to 8.2.2 following JDK-8313643
+- Drop local JDK-8311630 patch which is now upstream
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+- Resolves: RHEL-20998
+
+* Mon Nov 06 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.1.0.12-3
+- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x
+- Sync the copy of the portable specfile with the latest update
+- Resolves: RHEL-16386
+
+* Mon Oct 30 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.1.0.12-2
+- Switch to using portable binaries built on RHEL 7
+- Sync the copy of the portable specfile with the RHEL 7 version
+- Related: RHEL-12997
+
+* Fri Oct 27 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.1.0.12-1
+- Update to jdk-21.0.1.0+12 (GA)
+- Update release notes to 21.0.1.0+12
+- Sync the copy of the portable specfile with the latest update
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng)
+- Sync generate_tarball.sh with 11u & 17u version
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Fix upstream release URL for OpenJDK source
- Following JDK-8005165, class data sharing can be enabled on all JIT architectures
-
-* Wed May 10 2023 Severin Gehwolf <sgehwolf@redhat.com> - 1:20.0.1.0.9-6.rolling
+- Use tapsets from the misc tarball
+- Introduce 'prelease' for the portable release versioning, to handle EA builds
+- Make sure root installation directory is created first
+- Use in-place substitution for all but the first of the tapset changes
+- Synchronise runtime and buildtime tzdata requirements
+- Remove ghosts for binaries not in java-21-openjdk (pack200, rmid, unpack200)
+- Add missing jfr, jpackage and jwebserver alternative ghosts
+- Move jcmd to the headless package
+- Revert alt-java binary location to being within the JDK tree
+- Resolves: RHEL-12997
+- Resolves: RHEL-14954
+- Resolves: RHEL-14962
+- Resolves: RHEL-14958
+- Related: RHEL-14946
+- Resolves: RHEL-14959
+- Resolves: RHEL-14948
+
+* Fri Oct 27 2023 Jiri Vanek <jvanek@redhat.com> - 1:21.0.1.0.12-1
+- Exclude classes_nocoops.jsa on i686 and arm32
+- Related: RHEL-14946
+
+* Fri Oct 27 2023 Severin Gehwolf <sgehwolf@redhat.com> - 1:21.0.1.0.12-1
- Fix packaging of CDS archives
-
-* Fri Apr 28 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.1.0.9-6.rolling
-- faking build-id in libjsvml.so
-
-* Fri Apr 28 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.1.0.9-5.rolling
-- returned news
-
-* Fri Apr 28 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.1.0.9-4.rolling
-- now expecting the exact version in portbale filename
-
-* Fri Apr 28 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.1.0.9-3.rolling
-- updated to 20.0.1.0.9 underlying portables
-
-* Wed Apr 19 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.0.0.36-3.rolling
-- using icons from source package
-- providing full sources via src package
-- requiring exact version.reelase of portables
-- returned libsystemconf.so
-
-* Mon Apr 03 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.0.0.36-1.rolling
-- bumed to jdk20
-- removed no loger existing libsystemconf.so
-- commented out usage if Source15 TestSecurityProperties.java test, as honoring of
--- system crypto policies comes from fips aptch which is not yet adapted
-
-* Mon Jan 30 2023 Jiri Vanek <jvanek@redhat.com> - 1:19.0.2.0.7-5.rolling
-- Using icons whcih are now part of the portble tarball
-
-* Mon Jan 30 2023 Jiri Vanek <jvanek@redhat.com> - 1:19.0.2.0.7-4.rolling
-- repacked bits are now requested in exact version
-
-* Mon Jan 30 2023 Petra Alice Mikova <pmikova@redhat.com> - 1:19.0.2.0.7-3.rolling
-- return libfreetype.so binary to resolve requires problems
-- remove BuildRequires: java-21-openjdk
-
-* Thu Jan 26 2023 Jiri Vanek <jvanek@redhat.com> - 1:19.0.2.0.7-2.rolling
-- repacked portables
-- todo icons
-- disabled tzdata tests - todo, resolve
-- left some duplicated "final tunings"
-- todo, lost alt java manpage.. probably already in portables
-- TODO conslut this clean up - javdoc, freetype and NEWS
-- todo, debuginfo
-
-* Thu Jan 26 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.2.0.7-1.rolling
+- Resolves: RHEL-14946
+
+* Thu Aug 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2
+- Update documentation (README.md)
+- Replace alt-java patch with a binary separate from the JDK
+- Drop stale patches that are of little use any more:
+- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
+- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
+- * No use of system libjpeg turbo to warrant RH649512 patch any more
+- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
+- Adapt alt-java test to new binary where there is always a set_speculation function
+- Related: RHEL-12997
+
+* Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
+- Update to jdk-21.0.0+35
+- Update system crypto policy & FIPS patch from new fips-21u tree
+- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal
+- Drop fakefeaturever now it is no longer needed
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Use upstream release URL for OpenJDK source
+- Re-enable tzdata tests now we are on the latest JDK and things are back in sync
+- Install jaxp.properties introduced by JDK-8303530
+- Install lible.so introduced by JDK-8306983
+- Related: RHEL-12997
+
+* Mon Aug 21 2023 Petra Alice Mikova <pmikova@redhat.com> - 1:21.0.0.0.35-1
+- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798
+- Related: RHEL-12997
+
+* Wed Aug 16 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:20.0.0.0.36-1
+- Update to jdk-20.0.2+9
+- Update release notes to 20.0.2+9
+- Update system crypto policy & FIPS patch from new fips-20u tree
+- Update generate_tarball.sh ICEDTEA_VERSION
+- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit)
+- Related: RHEL-12997
+
+* Wed Aug 16 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.0.0.36-1
+- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream
+- Adapted rh1750419-redhat_alt_java.patch
+- Related: RHEL-12997
+
+* Tue Aug 15 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.1.0.10-1
- Update to jdk-19.0.2 release
- Update release notes to 19.0.2
-- Drop JDK-8293834 (CLDR update for Kyiv) which is now upstream
-- Drop JDK-8294357 (tzdata2022d), JDK-8295173 (tzdata2022e) & JDK-8296108 (tzdata2022f) local patches which are now upstream
-- Drop JDK-8296715 (CLDR update for 2022f) which is now upstream
-- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag
-- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:19.0.1.0.10-3.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Fri Dec 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.1.0.10-3.rolling
-- Update in-tree tzdata & CLDR to 2022g with JDK-8296108, JDK-8296715 & JDK-8297804
-- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
-
-* Wed Dec 07 2022 Stephan Bergmann <sbergman@redhat.com> - 1:19.0.1.0.10-3.rolling
-- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
-
-* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.1.0.10-2.rolling
-- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
-- Update CLDR data with Europe/Kyiv (JDK-8293834)
-- Drop JDK-8292223 patch which we found to be unnecessary
-- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
-
-* Thu Oct 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.1.0.10-1.rolling
-- Update to jdk-19.0.1 release
-- Update release notes to 19.0.1
-
-* Wed Sep 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.0.0.36-3.rolling
-- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
-- Remove freetype sources along with zlib sources
-
-* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.0.0.36-2.rolling
-- Switch buildjdkver back to being featurever, now java-19-openjdk is available in the buildroot
-
-* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.0.0.36-2.rolling
-- Switch to static builds, reducing system dependencies and making build more portable
-
-* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:19.0.0.0.36-1.rolling
-- Update to RC version of OpenJDK 19
-- Update release notes to 19.0.0
- Rebase FIPS patches from fips-19u branch
-- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
-- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
-- Add test to ensure timezones can be translated
- Remove references to sample directory removed by JDK-8284999
+- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag
+- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases
+- Related: RHEL-12997
-* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.2.0.9-1.rolling
+* Thu Aug 10 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.2.0.9-1
- Update to jdk-18.0.2 release
-- Update release notes to 18.0.2
-- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
-- Exclude x86 where java_arches is undefined, in order to unbreak build
-
-* Fri Jul 22 2022 Jiri Vanek <gnu.andrew@redhat.com> - 1:18.0.1.1.2-8.rolling
-- moved to build only on %%{java_arches}
--- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
-- reverted :
--- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
--- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
--- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
--- Replaced binaries and .so files with bash-stubs on i686
-- added ExclusiveArch: %%{java_arches}
--- this now excludes i686
--- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
-- https://bugzilla.redhat.com/show_bug.cgi?id=2104125
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:18.0.1.1.2-7.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue Jul 19 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.1.2-7.rolling
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-
-* Sun Jul 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.1.2-6.rolling
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-
-* Wed Jul 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.1.2-5.rolling
-- Explicitly require crypto-policies during build and runtime for system security properties
-
-* Wed Jul 13 2022 Jiri Vanek <jvanek@redhat.com> - 1:18.0.1.1.2-4.rolling.
-- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
-
-* Wed Jul 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.1.2-3.rolling
-- Make use of the vendor version string to store our version & release rather than an upstream release date
-
-* Tue Jul 12 2022 FeRD (Frank Dana) <ferdnyc@gmail.com> - 1:18.0.1.1.2-2.rolling
-- Add javaver- and origin-specific javadoc and javadoczip alternatives.
-
-* Mon Jul 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.1.2-1.rolling
-- Update to jdk-18.0.1.1 interim release
-- Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1
-- Print release file during build, which should now include a correct SOURCE value from .src-rev
-- Update tarball script with IcedTea GitHub URL and .src-rev generation
-- Include script to generate bug list for release notes
-- Update tzdata requirement to 2022a to match JDK-8283350
-
-* Sat Jul 09 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:18.0.1.0.10-8.rolling
-- Fix issue where CheckVendor.java test erroneously passes when it should fail.
-- Add proper quoting so '&' is not treated as a special character by the shell.
-
-* Sat Jul 09 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-8.rolling
-- Include a test in the RPM to check the build has the correct vendor information.
-
-* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-7.rolling
-- Fix whitespace in spec file
-
-* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-7.rolling
-- Sequence spec file sections as they are run by rpmbuild (build, install then test)
-
-* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-7.rolling
-- Turn on system security properties as part of the build's install section
-- Move cacerts replacement to install section and retain original of this and tzdb.dat
-- Run tests on the installed image, rather than the build image
-- Introduce variables to refer to the static library installation directories
-- Use relative symlinks so they work within the image
-- Run debug symbols check during build stage, before the install strips them
-
-* Thu Jul 07 2022 Stephan Bergmann <sbergman@redhat.com> - 1:18.0.1.0.10-6.rolling
-- Fix flatpak builds by exempting them from bootstrap
-
-* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:18.0.1.0.10-5.rolling
-- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
-
-* Thu Jun 30 2022 Stephan Bergmann <sbergman@redhat.com> - 1:18.0.1.0.10-4.rolling
-- Fix flatpak builds (catering for their uncompressed manual pages)
-
-* Fri Jun 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-3.rolling
-- Update FIPS support to bring in latest changes
-- * RH2023467: Enable FIPS keys export
-- * RH2094027: SunEC runtime permission for FIPS
-- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-- * RH2090378: Revert to disabling system security properties and FIPS mode support together
-- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
-- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
-- Improve security properties test to check both enabled and disabled behaviour
-- Run security properties test with property debugging on
-- Minor sync-ups with java-17-openjdk spec file
-
-* Wed May 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.1.0.10-2.rolling
-- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build
-
-* Wed Apr 27 2022 Jiri Vanek <jvanek@redhat.com> - 1:18.0.1.0.10-1.rolling.
-- updated to CPU jdk-18.0.1+10 sources
-
-* Wed Apr 06 2022 Jiri Vanek <jvanek@redhat.com> - 1:18.0.0.0.37-4.rolling
-- Remove hardcoded /usr/lib/jvm by %%{_jvmdir} to make rpmlint happy
-
-* Wed Mar 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.0.0.37-3.rolling
-- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built
-
-* Mon Mar 21 2022 Jiri Vanek <jvanek@redhat.com> - 1:18.0.0.0.37-2.rolling
-- replaced tabs by sets of spaces to make rpmlint happy
-- set build jdk to 18
-- as ga is 1, set vendor_version_string to 22.3
-
-* Wed Mar 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:18.0.0.0.37-1.rolling
-- Update to RC version of OpenJDK 18
- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory
-- Disable HotSpot-only pre-build which is incompatible with the boot JDK being a different major version to that being built
-- Rebase FIPS patches from fips-18u branch and simplify by using a single patch from that repository
-- Detect NSS at runtime for FIPS detection
-- Turn off build-time NSS linking and go back to an explicit Requires on NSS
-- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Rebase FIPS patches from fips-18u branch
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Drop now unused fresh_libjvm, build_hotspot_first, bootjdk and buildjdkver variables, as we don't build a JDK here
+- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21
+- Disable tzdata tests until we are on the latest JDK and things are back in sync
+- Use empty nss.fips.cfg until it is again available via the FIPS patch
+- Related: RHEL-12997
+
+* Thu Aug 10 2023 Petra Alice Mikova <pmikova@redhat.com> - 1:18.0.2.0.9-1
+- Update to ea version of jdk18
+- Add new slave jwebserver and corresponding manpage
+- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+- Related: RHEL-12997
+
+* Thu Aug 10 2023 FeRD (Frank Dana) <ferdnyc@gmail.com> - 1:18.0.2.0.9-1
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+- Related: RHEL-12997
-* Wed Mar 16 2022 Petra Alice Mikova <pmikova@redhat.com> - 1:18.0.0.0.37-1.rolling
-- update to ea version of jdk18
-- add new slave jwebserver and corresponding manpage
-- adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-
-* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
-- Reinstate JIT builds on x86_32.
-- Add JDK-8282004 to fix missing CALL effects on x86_32.
-
-* Mon Feb 07 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-4
-- Re-enable gdb backtrace check.
-- Resolves RHBZ#2041970
-
-* Fri Feb 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-3
-- Temporarily move x86 to use Zero in order to get a working build
-- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
-- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
-- Explicitly list JIT architectures rather than relying on those with slowdebug builds
-- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2.rolling
-- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
-- Need to support noarch for creating source RPMs for non-scratch builds.
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1.rolling
-- January 2022 security update to jdk 17.0.2+8
-- Extend LTS check to exclude EPEL.
-- Rename libsvml.so to libjsvml.so following JDK-8276025
-- Remove JDK-8276572 patch which is now upstream.
-- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
-
-* Mon Jan 24 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-1.rolling
-- Set LTS designator.
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-16.rolling
-- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:17.0.1.0.12-15.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-15.rolling
-- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
-- Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide.
-
-* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-14.rolling
-- Fix FIPS issues in native code and with initialisation of java.security.Security
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-13.rolling
-- Storing and restoring alterntives during update manually
-- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
--- The move of alternatives creation to posttrans to fix:
--- Bug 1200302 - dnf reinstall breaks alternatives
--- Had caused the alternatives to be removed, and then created again,
--- instead of being added, and then removing the old, and thus persisting
--- the selection in family
--- Thus this fix, is storing the family of manually selected master, and if
--- stored, then it is restoring the family of the master
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-12.rolling
-- Family extracted to globals
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-11.rolling
-- javadoc-zip got its own provides next to plain javadoc ones
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-10.rolling
-- replaced tabs by sets of spaces to make rpmlint happy
-
-* Mon Nov 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-9.rolling
-- Handle Fedora in distro conditionals that currently only pertain to RHEL.
-
-* Fri Nov 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-8.rolling
-- Patch syslookup.c so it actually has some code to be compiled into libsyslookup
-- Related: rhbz#2013846
-
-* Wed Nov 03 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.1.0.12-7.rolling
-- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
- secmod.db file as part of nss
+* Tue Aug 08 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-4
+- Add files missed by centpkg import.
+- Related: rhbz#2192748
-* Wed Nov 03 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-6.rolling
-- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
-
-* Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-5.rolling
-- Sync desktop files with upstream IcedTea release 3.15.0 using new script
-
-* Tue Oct 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-4.rolling
-- Restructure the build so a minimal initial build is then used for the final build (with docs)
-- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
-
-* Tue Oct 26 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.1.0.12-3.rolling
-- Minor cosmetic improvements to make spec more comparable between variants
-
-* Thu Oct 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.1.0.12-2.rolling
-- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
-- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
-
-* Wed Oct 20 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.1.0.12-1.rolling
-- October CPU update to jdk 17.0.1+12
-- dropped commented-out source line
-
-* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-5.rolling
-- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
-
-* Sun Oct 10 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-5.rolling
-- Add patch to allow plain key import.
-
-* Thu Sep 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-4.rolling
-- Fix unused function compiler warning found in systemconf.c
-- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access.
-
-* Thu Sep 30 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-4.rolling
-- Add patch to login to the NSS software token when in FIPS mode.
-
-* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-3.rolling
-- Update release notes to document the major changes between OpenJDK 11 & 17.
-
-* Thu Sep 16 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.35-2.rolling
-- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
-
-* Tue Sep 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.35-1.rolling
-- Update to jdk-17+35, also known as jdk-17-ga.
-- Switch to GA mode.
-
-* Wed Sep 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.3.ea.rolling
-- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
-- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
-
-* Wed Sep 08 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.3.ea.rolling
-- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
-
-* Mon Sep 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.2.ea.rolling
-- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
-- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
-- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
-- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
-- Disable FIPS mode support unless com.redhat.fips is set to "true".
-- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
-- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
-- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
-
-* Mon Sep 06 2021 Martin Balao <mbalao@redhat.com> - 1:17.0.0.0.33-0.2.ea.rolling
-- Support the FIPS mode crypto policy (RH1655466)
-- Use appropriate keystore types when in FIPS mode (RH1818909)
-- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
-
-* Mon Aug 30 2021 Jiri Vanek <jvanek@redhat.com> - 1:17.0.0.0.33-0.1.ea.rolling
-- alternatives creation moved to posttrans
-- Thus fixing the old reisntall issue:
-- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
-- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
-
-* Fri Jul 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.33-0.0.ea.rolling
-- Update to jdk-17+33, including JDWP fix and July 2021 CPU
-- Resolves: rhbz#1972529
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:17.0.0.0.26-0.4.ea.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.4.ea.rolling
-- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
-- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
-
-* Mon Jun 28 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.3.ea.rolling
-- fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again
-- Resolves: rhbz#1971120
-
-* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.2.ea.rolling
-- Re-enable TestSecurityProperties after inclusion of PR3695
-
-* Thu Jun 24 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.0.0.26-0.2.ea.rolling
-- Add PR3695 to allow the system crypto policy to be turned off
-
-* Thu Jun 24 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.0.0.26-0.1.ea.rolling
-- Update buildjdkver to 17 so as to build with itself
-
-* Fri Jun 11 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:17.0.0.0.26-0.0.ea.rolling
-- update sources to jdk 17.0.0+26
-- set is_ga to 0, as this is early access build
-- change vendor_version_string
-- change path to the version-numbers.conf
-- removed rmid binary from files and from slaves
-- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407
-- add lib/libsyslookup.so to files
-- renamed lib/security/blacklisted.certs to lib/security/blocked.certs
-- add lib/libsvml.so for intel
-- skip debuginfo check for libsyslookup.so on s390x
-
-* Fri May 07 2021 Jiri Vanek <jvanek@redhat.com> -1:16.0.1.0.9-3.rolling
-- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
-
-* Thu Apr 29 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.1.0.9-2.rolling
-- adapted to newst cjc to fix issue with rpm 4.17
-- Disable copy-jdk-configs for Flatpak builds
-
-* Sun Apr 25 2021 Petra Alice Mikova <pmikova@redhat.com> - 1:16.0.1.0.9-1.rolling
-- update to 16.0.1+9 april cpu tag
-- dropped jdk8259949-allow_cf-protection_on_x86.patch
-
-* Thu Mar 11 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:16.0.0.0.36-2.rolling
-- Perform static library build on a separate source tree with bundled image libraries
-- Make static library build optional
-- Based on initial work by Severin Gehwolf
-
-* Tue Mar 09 2021 Jiri Vanek <jvanek@redhat.com> - 1:16.0.0.0.36-1.rolling
-- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa}
-- bumped buildjdkver to build by itself - 16
-
-* Fri Feb 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:16.0.0.0.36-0.rolling
-- Update to jdk-16.0.0.0+36
-- Update tarball generation script to use git following OpenJDK's move to github
-- Update tarball generation script to use PR3823 which handles JDK-8235710 changes
-- Use upstream default for version-pre rather than setting it to "ea" or ""
-- Drop libsunec.so which is no longer generated, thanks to JDK-8235710
-- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10
-- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles
-- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename
-- Use system harfbuzz now this is supported.
-- Pass SOURCE_DATE_EPOCH to build for reproducible builds
-
-* Fri Feb 19 2021 Stephan Bergmann <sbergman@redhat.com> - 1:15.0.2.0.7-1.rolling
-- Hardcode /usr/sbin/alternatives for Flatpak builds
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:15.0.2.0.7-0.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Fri Jan 22 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:15.0.2.0.7-0.rolling
-- Update to jdk-15.0.2.0+7
-- Add release notes for 15.0.1.0 & 15.0.2.0
-- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
-- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags.
-- Cleanup debug package descriptions and version number placement.
-- Remove unused patch files.
-
-* Tue Jan 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:15.0.1.9-10.rolling
-- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
-
-* Tue Dec 22 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-9.rolling
-- fixed missing condition for fastdebug packages being counted as debug ones
-
-* Sat Dec 19 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-8.rolling
-- removed lib-style provides for fastdebug_suffix_unquoted
-
-* Sat Dec 19 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-6.rolling
-- many cosmetic changes taken from more maintained jdk11
-- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
- instead of various hardcoded ifarches
-- updated systemtap
-- added requires excludes for debug pkgs
-- removed redundant logic around jsa files
-- added runtime requires of lksctp-tools and libXcomposite%
-- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies
-- s390x excluded form fastdebug build
-
-* Thu Dec 17 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:15.0.1.9-5.rolling
-- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
-- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
-- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
-
-* Wed Dec 9 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-4.rolling
-- moved wrongly placed licenses to accompany other ones
-- this bad placement was killng parallel-installability and thus having bad impact to leapp if used
-
-* Tue Dec 01 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-3.rolling
-- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
-- no longer copying of java->alt-java as it is created by patch600
-
-* Mon Nov 23 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.1.9-2.rolling
-- Create a copy of java as alt-java with alternatives and man pages
-- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
-
-* Sun Oct 25 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:15.0.1.9-1.rolling
-- updated to October CPU 2020 sources
-
-* Thu Oct 22 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:15.0.0.36-4.rolling
-- Fix directory ownership of -static-libs sub-package.
-
-* Fri Oct 09 2020 Jiri Vanek <jvanek@redhat.com> - 1:15.0.0.36-3.rolling
-- Build static-libs-image and add resulting files via -static-libs sub-package.
-- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package.
-- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
-- Update static-libs packaging to new layout
-
-* Mon Sep 21 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:15.0.0.36-2.rolling
-- Add support for fastdebug builds on 64 bit architectures
-
-* Tue Sep 15 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:15.0.0.36-1.rolling
-- Remove EA designation
-- Re-generate sources with PR3803 patch
-
-* Mon Aug 31 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:15.0.0.36-0.1.ea.rolling
-- Update to jdk 15.0.0.36 tag
-- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-- Update vendor version string to 20.9
-- jjs removed from packaging after JEP 372: Nashorn removal
-- rmic removed from packaging after JDK-8225319
-
-* Mon Jul 27 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:14.0.2.12-2.rolling
-- Disable LTO so as to pass debuginfo check
-
-* Wed Jul 22 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.2.12-1.rolling
-- update to jdk 14.0.2.12 CPU version
-- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch
-- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch
-- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch
-
-* Thu Jul 09 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:14.0.1.7-4.rolling
-- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
-- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
-
-* Thu May 14 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.1.7-3.rolling
-- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide
-- rename and reorganize patch sections
-
-* Thu Apr 23 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:14.0.1.7-2.rolling
-- Fix vendor version to 20.3 (from 19.9)
-
-* Fri Apr 17 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.1.7-1.rolling
-- April security update
-- uploaded new src tarball
-
-* Wed Apr 08 2020 Jiri Vanek <jvanek@redhat.com> - 1:14.0.0.36-4.rolling
-- set vendor property and vendor urls
-- made urls to be preconfigured by os
-
-* Tue Mar 24 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.0.36-3.rolling
-- Remove s390x workaround flags for GCC 10
-- bump buildjdkver to 14
-- uploaded new src tarball
-
-* Mon Mar 23 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.0.36-2.rolling
-- removed a whitespace causing fail of postinstall script
-- removed backslashes at the end of alternatives command
-
-* Fri Mar 13 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:14.0.0.36-1.rolling
-- update to jdk 14+36 ga build
-- remove JDK-8224851 patch, as OpenJDK 14 already contains it
-- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library
-- added listings for jpackage binary, manpages and added slave records to alternatives
-
-* Thu Mar 12 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.2.8-4.rolling
-- add patch for build issues with make 4.3
-
-* Thu Feb 27 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:13.0.2.8-3.rolling
-- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531)
-- fix issues with build with GCC10: JDK-8224851, -fcommon switch
-
-* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
-- Add JDK-8224851 patch to resolve aarch64 issues
-
-* Tue Feb 04 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.2.8-2.rolling
-- fix Release, as it was broken by last rpmdev-bumpspec
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:13.0.2.8-1.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Jan 17 2020 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.2.8-1.rolling
-- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
-- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
-- updated sources to the 13.0.2+8 tag
-
-* Fri Oct 25 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.1.9-2.rolling
-- Fixed hardcoded major version in jdk13u to macro
-- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
-- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
-
-* Mon Oct 21 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.1.9-1.rolling
-- Updated to October 2019 CPU sources
-
-* Wed Oct 16 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.0.33-3.rolling
-- synced up generate tarball script with other OpenJDK packages
-- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources
-- regenerated sources with the updated script
-
-* Wed Oct 02 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:13.0.0.33-3.rolling
-- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
-
-* Wed Oct 02 2019 Andrew John Hughes <gnu.andrew@redhat.com> - 1:13.0.0.33-3.rolling
-- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
-- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
-- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
-- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
-
-* Wed Oct 02 2019 Andrew Hughes <gnu.andrew@redhat.com> - 1:13.0.0.33-3.rolling
-- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
-
-* Tue Oct 01 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:13.0.0.33-2.rolling
-- Don't produce javadoc/javadoc-zip sub packages for the
- debug variant build.
-- Don't perform a bootcycle build for the debug variant build.
-
-* Mon Sep 30 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:13.0.0.33-2.rolling
-- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9
-
-* Wed Aug 14 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.0.33-1.rolling
-- updated to 13+33 sources
-- added two manpages to file listings (jfr, jaotc)
-- set is_ga to 1 to match build from jdk.java.net
-
-* Fri Jul 26 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:13.0.0.28-0.2.ea.rolling
-- Fix bootjdkver macro. It attempted to build with jdk 12, which is
- no longer available in rawhide (it's 13 instead).
-- Fix Release as rpmdev-bumpspec doesn't do it correctly.
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:13.0.0.28-0.1.ea.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Tue Jul 09 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:13.0.0.28-0.1.ea.rolling
-- updated to jdk 13
-- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch
-- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
-- fixed file listings
-- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49:
-- Include 'ea' designator in Release when appropriate
-- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately
-
-* Tue May 21 2019 Petra Alice Mikova <pmikova@redhat.com> - 1:12.0.1.12-2.rolling
-- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324)
-
-* Thu Apr 18 2019 Petra Mikova <pmikova@redhat.com> - 1:12.0.1.12-1.rolling
-- updated sources to current CPU release
-
-* Thu Apr 04 2019 Petra Mikova <pmikova@redhat.com> - 1:12.0.0.33-4.rolling
-- added slave for jfr binary in devel package
-
-* Thu Mar 21 2019 Petra Mikova <pmikova@redhat.com> - 1:12.0.0.33-3.rolling
-- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs.
-- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc
-- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS
-- removed duplicated dependency on lksctp-tools
-
-* Wed Mar 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 1:12.0.0.33-2.ea.1.rolling
-- Drop chkconfig dep, 1.7 shipped in f24
-
-* Thu Mar 07 2019 Petra Mikova <pmikova@redhat.com> - 1:12.0.0.33-1.ea.1.rolling
-- bumped sources to jdk12+33
-
-* Mon Feb 11 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:12.0.0.30-1.ea.1.rolling
-- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively.
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:12.0.0.25-0.ea.1.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Dec 21 2018 Jiri Vanek <jvanek@redhat.com> - 1:12.0.0.25-0.ea.1.rolling
-- bumped sources to jdk12. Crypto list synced.
-- adapted patches to usptream (removed are upstreamed)
-- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch:
-- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch
-- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk)
-- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
-- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
-- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream
-- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
-- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
-- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-- set build jdk to jdk11; buildjdkver set to 11
-- todo, revisit _privatelibs and slaves, discuse patch10, more?
-- now building with --no-print-directory to workaround JDK8215213
-- renamed original of docs zip to jdk-major+build
-- check shenandaoh with -XX:+UnlockExperimentalVMOptions
-- libjli moved from lib/libjli to lib
-- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template
-- added explanation to the --no-print-directory
-- re-added lts_designator_zip macro
-- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch
-
-* Wed Dec 5 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.1.13-10.rolling
-- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
-- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
-- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
-
-* Tue Dec 04 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.1.13-9
-- Added %%global _find_debuginfo_opts -g
-- Resolves: RHBZ#1520879 (Detailed NMT issue)
-
-* Fri Nov 30 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.1.13-8
-- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version
-
-* Mon Nov 12 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.1.13-6
-- fixed tck failures of arraycopy and process exec with shenandoah on
-- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
-
-* Wed Nov 07 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.1.13-5
-- headless' suggests of cups, replaced by Requires of cups-libs
-
-* Thu Nov 01 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.1.13-3
-- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
-
-* Mon Oct 29 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.1.13-3
-- Use upstream's version of Aarch64 intrinsics disable patch:
- - Removed:
- RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
- RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
- - Superceded by:
- jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
-
-* Thu Oct 18 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.1.13-2
-- Use LTS designator in version output for RHEL.
-
-* Thu Oct 18 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.1.13-1
-- Update to October 2018 CPU release, 11.0.1+13.
-
-* Wed Oct 17 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.0.28-2
-- Use --with-vendor-version-string=18.9 so as to show original
- GA date for the JDK.
-
-* Fri Sep 28 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.0.28-1
-- Identify as GA version and no longer as early access (EA).
-- JDK 11 has been released for GA on 2018-09-25.
-
-* Fri Sep 28 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.28-9
-- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
- RHBZ-1624122.
-- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
- optimize compilation of fdlibm library.
-- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
- as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
-- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
- optimize compilation of libsaproc (extra c flags won't override
- optimization).
-- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
- optimize compilation of libjsig.
-- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
- optimize compilation of vmStructs.cpp (part of libjvm.so).
-- Reinstate filtering of opt flags coming from redhat-rpm-config.
-
-* Thu Sep 27 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.28-8
-- removed version less provides
-- javadocdir moved to arched dir as it is no longer noarch
-
-* Thu Sep 20 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.28-6
-- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
- so as to disable log math intrinsic on aarch64. Work-around for
- JDK-8210858
-
-* Thu Sep 13 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.28-5
-- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
- so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
- JDK-8210461.
-
-* Wed Sep 12 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.22-6
-- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
- optimize compilation of fdlibm library.
-- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
- as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
-- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
- optimize compilation of libsaproc (extra c flags won't override
- optimization).
-- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
- optimize compilation of vmStructs.cpp (part of libjvm.so).
-- No longer filter -O flags from C flags coming from
- redhat-rpm-config.
-
-* Mon Sep 10 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.28-4
-- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
-
-* Fri Sep 7 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.28-3
-- Enable ZGC on x86_64.
-
-* Tue Sep 4 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.28-2
-- jfr/*jfc files listed for all arches
-- lib/classlist do not exists s390, ifarch-ed via jit_arches out
-
-* Fri Aug 31 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.28-1
-- Update to latest upstream build jdk11+28, the first release
- candidate.
-
-* Wed Aug 29 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.22-8
-- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
- as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
-
-* Thu Aug 23 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.22-6
-- dissabled accessibility, fixed provides for main package's debug variant
-
-* Mon Jul 30 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.22-5
-- now buildrequires javapackages-filesystem as the issue with macros should be fixed
-
-* Wed Jul 18 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.22-2
-- changed to build by itself instead of by jdk10
-
-* Tue Jul 17 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.22-1
-- added Recommends gtk3 for main package
-- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
-- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
-- see RHBZ1598152
-- added trick to catch hs_err files (sgehwolf)
-- updated to shenandaoh-jdk-11+22
-
-* Sat Jul 07 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.20-1
-- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
-- improved a bit generate_source_tarball.sh to serve also for systemtap
-- thus deleted generate_tapsets.sh
-- simplified and cleared update_package.sh
-- moved to single source jdk - from shenandoah/jdk11
-- bumped to latest jdk11+20
-- adapted PR2126 to jdk11+20
-- adapted handling of systemtap sources to new style
-- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
-- shortened summaries and descriptions to around 80 chars
-- Hunspell spell checked
-- license fixed to correct jdk11 (sgehwolf)
-- more correct handling of internal libraries (sgehwolf)
-- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
-- added test for shenandaoh GC presence where expected
-- Removed workaround for broken aarch64 slowdebug build
-- Removed all defattrs
-- Removed no longer necessary cleanup of diz and debuginfo files
-
-* Fri Jun 22 2018 Jiri Vanek <jvanek@redhat.com> - 1:11.0.ea.19-1
-- updated sources to jdk-11+19
-- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
-- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
-
-* Thu Jun 14 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.16-5
-- Revert rename: java-11-openjdk => java-openjdk.
-
-* Wed Jun 13 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.16-4
-- Add aarch64 to aot_arches.
-
-* Wed Jun 13 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.16-3
-- Rename to package java-11-openjdk.
-
-* Wed Jun 13 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.16-2
-- Disable Aarch64 slowdebug build (see JDK-8204331).
-- s390x doesn't have the SA even though it's a JIT arch.
-
-* Wed Jun 13 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.ea.16-1
-- Initial version of JDK 11 ea based on tag jdk-11+16.
-- Removed patches no longer needed or upstream:
- sorted-diff.patch (see JDK-8198844)
- JDK-8201788-bootcycle-images-jobs.patch
- JDK-8201509-s390-atomic_store.patch
- JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
- JDK-8193802-npe-jar-getVersionMap.patch
-- Updated and renamed patches:
- java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
-- Updated patches for JDK 11:
- pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
-
-* Tue Jun 12 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-9
-- Use proper private_libs expression for filtering requires/provides.
-
-* Fri Jun 08 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-8
-- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
-
-* Mon Jun 04 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.1.10-7
-- quoted sed expressions, changed possibly confusing # by @
-- added vendor(origin) into icons
-- removed last trace of relative symlinks
-- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
-
-* Thu May 17 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-5
-- Move to javapackages-filesystem for directory ownership.
- Resolves RHBZ#1500288
-
-* Mon Apr 30 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-4
-- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
- RHBZ#1557375.
-
-* Mon Apr 23 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-3
-- Inject build flags properly. See RHBZ#1571359
-- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
- since libjsig.so doesn't get linker flags injected properly.
-
-* Fri Apr 20 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.1.10-2
-- Removed unneeded patches:
- PStack-808293.patch
- multiple-pkcs11-library-init.patch
- ppc_stack_overflow_fix.patch
-- Added patches for s390 Zero builds:
- JDK-8201495-s390-java-opts.patch
- JDK-8201509-s390-atomic_store.patch
-- Renamed patches for clarity:
- aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
- systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
- bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
- system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
-
-* Fri Apr 20 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.1.10-1
-- updated to security update 1
-- jexec unlinked from path
-- used java-openjdk as boot jdk
-- aligned provides/requires
-- renamed zip javadoc
-
-* Tue Apr 10 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.0.46-12
-- Enable basic EC ciphers test in %%check.
-
-* Tue Apr 10 2018 Severin Gehwolf <sgehwolf@redhat.com> - 1:10.0.0.46-11
-- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
-- Resolves RHBZ#1565658
-
-* Mon Apr 09 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.0.46-10
-- jexec linked to path
-
-* Fri Apr 06 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.0.46-9
-- subpackage(s) replaced by sub-package(s) and other cosmetic changes
-
-* Tue Apr 03 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.0.46-8
-- removed accessibility sub-packages
-- kept applied patch and properties files
-- debug sub-packages renamed to slowdebug
-
-* Fri Feb 23 2018 Jiri Vanek <jvanek@redhat.com> - 1:10.0.0.46-1
-- initial load
+* Fri Aug 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.7.0.7-3
+- Create java-21-openjdk package based on java-17-openjdk
+- Related: rhbz#2192748