diff --git a/NEWS b/NEWS
deleted file mode 100644
index 5a69f0d..0000000
--- a/NEWS
+++ /dev/null
@@ -1,2222 +0,0 @@ -Key: - -JDK-X - https://bugs.openjdk.java.net/browse/JDK-X -CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY - -New in release OpenJDK 17.0.6 (2023-01-17): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1706 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8289350: Better media supports - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails - - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails - - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled - - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails - - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java - - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8202836: [macosx] test 
java/awt/Graphics/TextAAHintsTest.java fails - - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' - - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" - - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs - - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos - - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos - - JDK-8244670: convert clhsdb "whatis" command from javascript to java - - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. - - JDK-8255439: System Tray icons get corrupted when Windows scaling changes - - JDK-8256811: Delayed/missed jdwp class unloading events - - JDK-8257722: Improve "keytool -printcert -jarfile" output - - JDK-8262721: Add Tests to verify single iteration loops are properly optimized - - JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) 
operation - - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint - - JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al - - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java - - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" - - JDK-8268276: Base64 Decoding optimization for x86 using AVX-512 - - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out - - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" - - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs - - JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512 - - JDK-8269571: NMT should print total malloc bytes and invocation count - - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) - - JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter - - JDK-8270155: ARM32: Improve register dump in hs_err - - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction - - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns. 
- - JDK-8270947: AArch64: C1: use zero_words to initialize all objects - - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts - - JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah - - JDK-8271956: AArch64: C1 build failed after JDK-8270947 - - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" - - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 - - JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag - - JDK-8272776: NullPointerException not reported - - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 - - JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains - - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java - - JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 - - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints - - JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long - - JDK-8273459: Update code segment alignment to 64 bytes - - JDK-8273497: building.md should link to both md and html - - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 - - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 - - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction - - JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled - - JDK-8273881: Metaspace: test repeated deallocations - - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java - - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI - - JDK-8274160: 
java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high - - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS - - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java - - JDK-8274527: Minimal VM build fails after JDK-8273459 - - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening - - JDK-8274903: Zero: Support AsyncGetCallTrace - - JDK-8275170: Some jtreg sound tests should be marked with sound keyword - - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList - - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked - - JDK-8275569: Add linux-aarch64 to test-make profiles - - JDK-8276108: Wrong instruction generation in aarch64 backend - - JDK-8276904: Optional.toString() is unnecessarily expensive - - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" - - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 - - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 - - JDK-8277358: Accelerate CRC32-C - - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check - - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 - - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 - - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 - - JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size - - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode - - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - 
JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing) - - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore - - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" - - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out - - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC - - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails - - JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines - - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes - - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 - - JDK-8280391: NMT: Correct NMT tag on CollectedHeap - - JDK-8280511: AArch64: Combine shift and negate to a single instruction - - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered - - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object - - JDK-8280872: Reorder code cache segments to improve code density - - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR - - JDK-8280948: Write a regression test for JDK-4659800 - - JDK-8281296: Create a regression test for JDK-4515999 - - JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points - - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores - - JDK-8282276: Problem list failing two Robot Screen Capture tests - - JDK-8282347: AARCH64: Untaken branch in has_negatives stub - - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired - - JDK-8282402: Create a regression test for JDK-4666101 - - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template - - JDK-8282528: AArch64: Incorrect replicate2L_zero rule - - JDK-8282600: SSLSocketImpl should not use 
user_canceled workaround when not necessary - - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 - - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure - - JDK-8282777: Create a Regression test for JDK-4515031 - - JDK-8282857: Create a regression test for JDK-4702690 - - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 - - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup - - JDK-8283298: Make CodeCacheSegmentSize a product flag - - JDK-8283337: Posix signal handler modification warning triggering incorrectly - - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 - - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name - - JDK-8283999: Update JMH devkit to 1.35 - - JDK-8284533: Improve InterpreterCodelet data footprint - - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" - - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox - - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X - - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation - - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" - - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently - - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot - - JDK-8285093: Introduce UTIL_ARG_WITH - - JDK-8285305: Create an automated test for JDK-4495286 - - JDK-8285373: Create an automated test for JDK-4702233 - - JDK-8285604: closed 
sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java - - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java - - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox - - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment - - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" - - JDK-8286172: Create an automated test for JDK-4516019 - - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3" - - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable - - JDK-8286452: The array length of testSmallConstArray should be small and const - - JDK-8286460: Remove dependence on JAR filename in CDS tests - - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray - - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows - - JDK-8286872: Refactor add/modify notification icon (TrayIcon) - - JDK-8287011: Improve container information - - JDK-8287076: Document.normalizeDocument() produces different results - - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance - - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path - - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative - - JDK-8287740: NSAccessibilityShowMenuAction not working for text editors - - JDK-8287826: 
javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable - - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding - - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name - - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support - - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output - - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented - - JDK-8289301: P11Cipher should not throw out of bounds exception during padding - - JDK-8289524: Add JFR JIT restart event - - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException - - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https - - JDK-8290207: Missing notice in dom.md - - JDK-8290209: jcup.md missing additional text - - JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier() - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes - - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: 
expected true, was false" - - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM - - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false - - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 - - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) - - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 - - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath - - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region - - JDK-8292083: Detected container memory limit may exceed physical machine memory - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out - - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory - - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle - - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update - - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library - - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free - - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h - - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures - - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading - - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java - - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform - - JDK-8292903: enhance round_up_power_of_2 assertion output - - JDK-8293010: JDI 
ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293232: Fix race condition in pkcs11 SessionManager - - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if - - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present - - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint - - JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx - - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts - - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" - - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details - - JDK-8293672: Update freetype md file - - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present - - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception - - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 - - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum - - JDK-8293965: Code signing warnings after JDK-8293550 - - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - - JDK-8294307: ISO 4217 Amendment 173 
Update - - JDK-8294310: compare.sh fails on macos after JDK-8293550 - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode - - JDK-8294740: Add cgroups keyword to TestDockerBasic.java - - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md - - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295288: Some vm_flags tests associate with a wrong BugID - - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests - - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp - - JDK-8295419: JFR: Change name of jdk.JitRestart - - JDK-8295429: Update harfbuzz md file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - - JDK-8295714: GHA ::set-output is deprecated and will be removed - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296239: ISO 4217 Amendment 174 Update - - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296733: JFR: File Read event for 
RandomAccessFile::write(byte[]) is incorrect - - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds - - JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes - - JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool - - JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField - - JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297309: Memory leak in ShenandoahFullGC - - JDK-8297481: Create a regression test for JDK-4424517 - - JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation - - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - - JDK-8297804: (tz) Update Timezone Data to 2022g - - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 - - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. 
This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. - -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/java.security: - -JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set -========================================================================================================== -Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to -hold principals and credentials so that it rejected null -values. Attempts to call add(null), contains(null) or remove(null) -were changed to throw a NullPointerException. - -However, the logout() methods in the LoginModule implementations -within the JDK were not updated to check for null values, which may -occur in the event of a failed login. As a result, a logout() call may -throw a NullPointerException. - -The LoginModule implementations have now been updated with such checks -and an implementation note added to the specification to suggest that -the same change is made in third party modules. Developers of third -party modules are advised to verify that their logout() method does not -throw a NullPointerException. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. 
- -New in release OpenJDK 17.0.5 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1705 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8287446: Enhance icon presentations - - JDK-8288508: Enhance ECDSA usage - - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage - - JDK-8289853: Update HarfBuzz to 4.4.1 - - JDK-8290334: Update FreeType to 2.12.1 -* Other changes - - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 - - JDK-7131823: bug in GIFImageReader - - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed - - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails - - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java - - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! - - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" - - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. 
- - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues - - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8240903: Add test to check that jmod hashes are reproducible - - JDK-8254318: Remove .hgtags - - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline - - JDK-8256844: Make NMT late-initializable - - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" - - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class - - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. 
- - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" - - JDK-8269039: Disable SHA-1 Signed JARs - - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr - - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections - - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java - - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest - - JDK-8271344: Windows product version issue - - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 - - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData - - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals - - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] - - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) - - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts - - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 - - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms - - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] - - JDK-8274597: Some of the dnd tests time out and fail intermittently - - JDK-8274856: Failing jpackage tests with fastdebug/release build - - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test - - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled - - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold - - JDK-8276837: [macos]: Error when signing the additional launcher - - JDK-8277429: Conflicting jpackage static library 
name - - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged" - - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable - - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript - - JDK-8278311: Debian packaging doesn't work - - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS - - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS - - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 - - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 - - JDK-8279622: C2: miscompilation of map pattern as a vector reduction - - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl - - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound - - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed - - JDK-8280863: Update build README to reflect that MSYS2 is supported - - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method - - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism - - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix - - JDK-8281181: Do not use CPU Shares to compute active processor count - - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 - - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) - - JDK-8281535: Create a regression test for JDK-4670051 - - JDK-8281569: Create tests for Frame.setMinimumSize() method - - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting - - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button - - JDK-8281745: Create a regression test for JDK-4514331 - - JDK-8281988: Create a regression test for 
JDK-4618767
- - JDK-8282007: Assorted enhancements to jpackage testing framework
- - JDK-8282046: Create a regression test for JDK-8000326
- - JDK-8282214: Upgrade JQuery to version 3.6.0
- - JDK-8282234: Create a regression test for JDK-4532513
- - JDK-8282280: Update Xerces to Version 2.12.2
- - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
- - JDK-8282343: Create a regression test for JDK-4518432
- - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
- - JDK-8282407: Missing ')' in MacResources.properties
- - JDK-8282467: add extra diagnostics for JDK-8268184
- - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
- - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- - JDK-8282548: Create a regression test for JDK-4330998
- - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
- - JDK-8282640: Create a test for JDK-4740761
- - JDK-8282778: Create a regression test for JDK-4699544
- - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
- - JDK-8282860: Write a regression test for JDK-4164779
- - JDK-8282933: Create a test for JDK-4529616
- - JDK-8282936: Write a regression test for JDK-4615365
- - JDK-8282937: Write a regression test for JDK-4820080
- - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- - JDK-8283015: Create a test for JDK-4715496
- - JDK-8283087: Create a test or JDK-4715503
- - JDK-8283245: Create a test for JDK-4670319
- - JDK-8283277: ISO 4217 Amendment 171 Update
- - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- - JDK-8283457: [macos] libpng build failures with Xcode13.3
- - JDK-8283493: Create an automated regression test for RFE 4231298
- - JDK-8283507: Create a regression test for RFE 4287690
- - JDK-8283562: JDK-8282306 breaks gtests on zero
- - JDK-8283597: [REDO] Invalid generic signature for redefined classes
- - JDK-8283621: Write a
regression test for CCC4400728
- - JDK-8283623: Create an automated regression test for JDK-4525475
- - JDK-8283624: Create an automated regression test for RFE-4390885
- - JDK-8283712: Create a manual test framework class
- - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
- - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
- - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
- - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
- - JDK-8284077: Create an automated test for JDK-4170173
- - JDK-8284294: Create an automated regression test for RFE 4138746
- - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
- - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- - JDK-8284521: Write an automated regression test for RFE 4371575
- - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
- - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- - JDK-8284686: Interval of < 1 ms disables ExecutionSample events
- - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
- - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
- - JDK-8284898: Enhance PassFailJFrame
- - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
- - JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile
fails when named value doesn't exist
- - JDK-8285081: Improve XPath operators count accuracy
- - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
- - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
- - JDK-8285380: Fix typos in security
- - JDK-8285398: Cache the results of constraint checks
- - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
- - JDK-8285693: Create an automated test for JDK-4702199
- - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- - JDK-8285730: unify _WIN32_WINNT settings
- - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
- - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
- - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
- - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
- - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
- - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
- - JDK-8286277: CDS VerifyError when calling clone() on object array
- - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
- - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
- - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
- - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
- - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
- - JDK-8286869: unify os::dir_is_empty across posix platforms
- - JDK-8286870: Memory
leak with RepeatCompilation
- - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
- - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
- - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
- - JDK-8287113: JFR: Periodic task thread uses period for method sampling events
- - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
- - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
- - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
- - JDK-8287366: Improve test failure reporting in GHA
- - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
- - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
- - JDK-8287463: JFR: Disable TestDevNull.java on Windows
- - JDK-8287663: Add a regression test for JDK-8287073
- - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- - JDK-8287724: Fix various issues with msys2
- - JDK-8287735: Provide separate event category for dll operations
- - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
- - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
- - JDK-8287895: Some langtools tests fail on msys2
- - JDK-8287896: PropertiesTest.sh fail on msys2
- - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
- - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
- - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
- - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
- - JDK-8288003: log events for os::dll_unload
- - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
- - JDK-8288360: CI:
ciInstanceKlass::implementor() is not consistent for well-known classes
- - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
- - JDK-8288467: remove memory_operand assert for spilled instructions
- - JDK-8288499: Restore cancel-in-progress in GHA
- - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
- - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
- - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
- - JDK-8288992: AArch64: CMN should be handled the same way as CMP
- - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
- - JDK-8289147: unify os::infinite_sleep on posix platforms
- - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
- - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- - JDK-8289486: Improve XSLT XPath operators count efficiency
- - JDK-8289549: ISO 4217 Amendment 172 Update
- - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
- - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- - JDK-8289910: unify os::message_box across posix platforms
- - JDK-8290000: Bump macOS GitHub actions to macOS 11
- - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
- - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
- -
JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle - - JDK-8290456: remove os::print_statistics() - - JDK-8291595: [17u] Delete files missed in backport of 8269039 - - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr - - JDK-8292579: (tz) Update Timezone Data to 2022c - - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5 - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable -=========================================================================== -Two system properties have been added which control the keep alive -behavior of HttpURLConnection in the case where the server does not -specify a keep alive time. Two properties are defined for controlling -connections to servers and proxies separately. They are: - -* `http.keepAlive.time.server` -* `http.keepAlive.time.proxy` - -respectively. More information about them can be found on the -Networking Properties page: -https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. - -security-libs/javax.crypto: - -JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location -===================================================================================== -The Windows KeyStore support in the SunMSCAPI provider has been -expanded to include access to the local machine location. 
The new -keystore types are: - -* "Windows-MY-LOCALMACHINE" -* "Windows-ROOT-LOCALMACHINE" - -The following keystore types were also added, allowing developers to -make it clear they map to the current user: - -* "Windows-MY-CURRENTUSER" (same as "Windows-MY") -* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") - -hotspot/runtime: - -JDK-8281181: CPU Shares Ignored When Computing Active Processor Count -===================================================================== -Previous JDK releases used an incorrect interpretation of the Linux -cgroups parameter "cpu.shares". This might cause the JVM to use fewer -CPUs than available, leading to an under utilization of CPU resources -when the JVM is used inside a container. - -Starting from this JDK release, by default, the JVM no longer -considers "cpu.shares" when deciding the number of threads to be used -by the various thread pools. The `-XX:+UseContainerCpuShares` -command-line option can be used to revert to the previous -behavior. This option is deprecated and may be removed in a future JDK -release. - -security-libs/java.security: - -JDK-8269039: Disabled SHA-1 Signed JARs -======================================= -JARs signed with SHA-1 algorithms are now restricted by default and -treated as if they were unsigned. This applies to the algorithms used -to digest, sign, and optionally timestamp the JAR. It also applies to -the signature and digest algorithms of the certificates in the -certificate chain of the code signer and the Timestamp Authority, and -any CRLs or OCSP responses that are used to verify if those -certificates have been revoked. These restrictions also apply to -signed JCE providers. - -To reduce the compatibility risk for JARs that have been previously -timestamped, there is one exception to this policy: - -- Any JAR signed with SHA-1 algorithms and timestamped prior to - January 01, 2019 will not be restricted. - -This exception may be removed in a future JDK release. 
To determine if -your signed JARs are affected by this change, run: - -$ jarsigner -verify -verbose -certs` - -on the signed JAR, and look for instances of "SHA1" or "SHA-1" and -"disabled" and a warning that the JAR will be treated as unsigned in -the output. - -For example: - - Signed by "CN="Signer"" - Digest algorithm: SHA-1 (disabled) - Signature algorithm: SHA1withRSA (disabled), 2048-bit key - - WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: - - jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 - -JARs affected by these new restrictions should be replaced or -re-signed with stronger algorithms. - -Users can, *at their own risk*, remove these restrictions by modifying -the `java.security` configuration file (or override it by using the -`java.security.properties` system property) and removing "SHA1 usage -SignedJAR & denyAfter 2019-01-01" from the -`jdk.certpath.disabledAlgorithms` security property and "SHA1 -denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security -property. - -New in release OpenJDK 17.0.4.1 (2022-08-16): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk17041 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt - -* Other changes - - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1 - - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large - -Notes on individual issues: -=========================== - -hotspot/compiler: - -JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM -============================================================ -Fixes a regression in the C2 JIT compiler which caused the Java -Runtime to crash unpredictably. 
- -New in release OpenJDK 17.0.4 (2022-07-19): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1704 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt - -* Security fixes - - JDK-8272243: Improve DER parsing - - JDK-8272249: Better properties of loaded Properties - - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions - - JDK-8277608: Address IP Addressing - - JDK-8281859, CVE-2022-21540: Improve class compilation - - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations - - JDK-8283190: Improve MIDI processing - - JDK-8284370: Improve zlib usage - - JDK-8285407, CVE-2022-34169: Improve Xalan supports -* Other changes - - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn - - JDK-8181571: printing to CUPS fails on mac sandbox app - - JDK-8193682: Infinite loop in ZipOutputStream.close() - - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use - - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test - - JDK-8214733: runtime/8176717/TestInheritFD.java timed out - - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel - - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled - - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode - - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR - - JDK-8255266: Update Public Suffix List to 3c213aa - - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers - - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests - - JDK-8263461: 
jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
- - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
- - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
- - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
- - JDK-8267163: Rename anonymous loader tests to hidden loader tests
- - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
- - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
- - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
- - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
- - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
- - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
- - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
- - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
- - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
- - JDK-8270468: TestRangeCheckEliminated fails because methods are not
compiled
- - JDK-8270797: ShortECDSA.java test is not complete
- - JDK-8270837: fix typos in test TestSigParse.java
- - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
- - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
- - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
- - JDK-8271302: Regex Test Refresh
- - JDK-8272146: Disable Fibonacci test on memory constrained systems
- - JDK-8272168: some hotspot runtime/logging tests don't check exit code
- - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
- - JDK-8272358: Some tests may fail when executed with other locales than the US
- - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
- - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
- - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
- - JDK-8274172: Convert JavadocTester to use NIO
- - JDK-8274233: Minor cleanup for ToolBox
- - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
- - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- - JDK-8274735: javax.imageio.IIOException:
Unsupported Image Type while processing a valid JPEG image
- - JDK-8274751: Drag And Drop hangs on Windows
- - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
- - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
- - JDK-8274983: C1 optimizes the invocation of private interface methods
- - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
- - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
- - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- - JDK-8275745: Reproducible copyright headers
- - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
- - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
- - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
- - JDK-8276657: XSLT compiler tries to define a class with empty name
- - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
- - JDK-8276825: hotspot/runtime/SelectionResolution test errors
- - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
- - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
- - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
- - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
- - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
- - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
- - JDK-8277123: jdeps does not report some exceptions correctly
- - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
- - JDK-8277166: Data race in jdeps VersionHelper
- - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
- - JDK-8277422: tools/jar/JarEntryTime.java
fails with modified time mismatch
- - JDK-8277893: Arraycopy stress tests
- - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
- - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
- - JDK-8278014: [vectorapi] Remove test run script
- - JDK-8278065: Refactor subclassAudits to use ClassValue
- - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
- - JDK-8278472: Invalid value set to CANDIDATEFORM structure
- - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
- - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
- - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
- - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
- - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
- - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
- - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
- - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
- - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
- - JDK-8279219: [REDO] C2 crash when allocating array of size too large
- - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
- - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
- - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
- - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
- - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
- - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
- - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
- - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
- - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
- - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
- - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
- - JDK-8279822: CI: Constant pool entries in error state are not supported
- - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
- - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
- - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
- - JDK-8279958: Provide configure hints for Alpine/apk package managers
- - JDK-8280004: DCmdArgument::parse_value() should handle NULL input
- - JDK-8280041: Retry loop issues in java.io.ClassCache
- - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
- - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
- - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- - JDK-8280600: C2: assert(!had_error) failed: bad dominance
- - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- - JDK-8280799: ะก2: assert(false) failed: cyclic dependency prevents range check elimination
- - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
- - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
- - JDK-8280940: gtest os.release_multi_mappings_vm is racy
- - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
- - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
- - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
- - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
- - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
- - JDK-8281262: Windows builds in different directories are not fully reproducible
- - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
- - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
- - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
- - JDK-8281318: Improve jfr/event/allocation tests reliability
- - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
- - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
- - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
- - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
- - JDK-8281615: Deadlock caused by jdwp agent
- - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
- - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
- - JDK-8282008: Incorrect handling of quoted arguments in
ProcessBuilder
- - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
- - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- - JDK-8282225: GHA: Allow one concurrent run per PR only
- - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
- - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
- - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
- - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- - JDK-8282345: handle latest VS2022 in abstract_vm_version
- - JDK-8282382: Report glibc malloc tunables in error reports
- - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
- - JDK-8282551: Properly initialize L32X64MixRandom state
- - JDK-8282583: Update BCEL md to include the copyright notice
- - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
- - JDK-8282592: C2: assert(false) failed: graph should be schedulable
- - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
- - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- - JDK-8283017: GHA: Workflows break with update release versions
- - JDK-8283187:
C2: loop candidate for superword not always unrolled fully if superword fails
- - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
- - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
- - JDK-8283315: jrt-fs.jar not always deterministically built
- - JDK-8283323: libharfbuzz optimization level results in extreme build times
- - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
- - JDK-8283350: (tz) Update Timezone Data to 2022a
- - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- - JDK-8283422: Create a new test for JDK-8254790
- - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
- - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- - JDK-8283641: Large value for CompileThresholdScaling causes assert
- - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
- - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
- - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
- - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
- - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
- - JDK-8284437: Building from different users/workspace is not always deterministic
- - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- - JDK-8284507: GHA: Only check test results if testing was not skipped
- - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
- - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- - JDK-8284603:
[17u] Update Boot JDK used in GHA to 17.0.2
- - JDK-8284620: CodeBuffer may leak _overflow_arena
- - JDK-8284622: Update versions of some Github Actions used in JDK workflow
- - JDK-8284661: Reproducible assembly builds without relative linking
- - JDK-8284754: print more interesting env variables in hs_err and VM.info
- - JDK-8284758: [linux] improve print_container_info
- - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
- - JDK-8284866: Add test to JDK-8273056
- - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
- - JDK-8284992: Fix misleading Vector API doc for LSHR operator
- - JDK-8285342: Zero build failure with clang due to values not handled in switch
- - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
- - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- - JDK-8285445: cannot open file "NUL:"
- - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
- - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
- - JDK-8285686: Update FreeType to 2.12.0
- - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
- - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
- - JDK-8285728: Alpine Linux build fails with busybox tar
- - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
- - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
- - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
- - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
- - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
- - JDK-8286198: [linux] Fix process-memory information
- - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
- - JDK-8286444: javac errors after JDK-8251329 
are not helpful enough to find root cause
- - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
- - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
- - JDK-8286855: javac error on invalid jar should only print filename
- - JDK-8287109: Distrust.java failed with CertificateExpiredException
- - JDK-8287119: Add Distrust.java to ProblemList
- - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
- - JDK-8287336: GHA: Workflows break on patch versions
- - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
- - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
-
-Notes on individual issues:
-===========================
-
-core-libs/java.net:
-
-JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
-================================================================
-Support has been added for TLS channel binding tokens for
-Negotiate/Kerberos authentication over HTTPS through
-javax.net.HttpsURLConnection.
-
-Channel binding tokens are increasingly required as an enhanced form
-of security which can mitigate certain kinds of socially engineered,
-man in the middle (MITM) attacks. They work by communicating from a
-client to a server the client's understanding of the binding between
-connection security (as represented by a TLS server cert) and higher
-level authentication credentials (such as a username and
-password). The server can then detect if the client has been fooled by
-a MITM and shutdown the session/connection. 
-
-The feature is controlled through a new system property
-`jdk.https.negotiate.cbt` which is described fully at the following
-page:
-
-https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
-
-core-libs/java.lang:
-
-JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
-=====================================================================
-ProcessBuilder on Windows is restored to address a regression caused
-by JDK-8250568. Previously, an argument to ProcessBuilder that
-started with a double-quote and ended with a backslash followed by a
-double-quote was passed to a command incorrectly and may cause the
-command to fail. For example the argument `"C:\\Program Files\"`,
-would be seen by the command with extra double-quotes. This update
-restores the long standing behavior that does not treat the backslash
-before the final double-quote specially.
-
-
-core-libs/java.util.jar:
-
-JDK-8278386: Default JDK compressor will be closed when IOException is encountered
-==================================================================================
-`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
-have been modified to close out the associated default JDK compressor
-before propagating a Throwable up the
-stack. `ZIPOutputStream.closeEntry()` method has been modified to
-close out the associated default JDK compressor before propagating an
-IOException, not of type ZipException, up the stack.
-
-core-libs/java.io:
-
-JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
-=================================================================================================
-The Windows implementation of `java.io.File` allows access to NTFS
-Alternate Data Streams (ADS) by default. Such streams have a structure
-like โ€œfilename:streamnameโ€. 
A system property `jdk.io.File.enableADS`
-has been added to control this behavior. To disable ADS support in
-`java.io.File`, the system property `jdk.io.File.enableADS` should be
-set to `false` (case ignored). Stricter path checking however prevents
-the use of special devices such as `NUL:`
-
-New in release OpenJDK 17.0.3 (2022-04-19):
-===========================================
-Live versions of these release notes can be found at:
- * https://bitly.com/openjdk1703
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
-
-* Security fixes
- - JDK-8269938: Enhance XML processing passes redux
- - JDK-8270504, CVE-2022-21426: Better XPath expression handling
- - JDK-8272255: Completely handle MIDI files
- - JDK-8272261: Improve JFR recording file processing
- - JDK-8272588: Enhanced recording parsing
- - JDK-8272594: Better record of recordings
- - JDK-8274221: More definite BER encodings
- - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
- - JDK-8275151, CVE-2022-21443: Improved Object Identification
- - JDK-8277227: Better identification of OIDs
- - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
- - JDK-8277672, CVE-2022-21434: Better invocation handler handling
- - JDK-8278356: Improve file creation
- - JDK-8278449: Improve keychain support
- - JDK-8278798: Improve supported intrinsic
- - JDK-8278805: Enhance BMP image loading
- - JDK-8278972, CVE-2022-21496: Improve URL supports
- - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
-* Other changes
- - JDK-8177814: jdk/editpad is not in jdk TEST.groups
- - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
- - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
- - JDK-8225559: assertion error at TransTypes.visitApply
- - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
- - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails 
- - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
- - JDK-8251216: Implement MD5 intrinsics on AArch64
- - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- - JDK-8263567: gtests don't terminate the VM safely
- - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
- - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
- - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
- - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
- - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
- - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
- - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
- - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
- - JDK-8270117: Broken jtreg link in "Building the JDK" page
- - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
- - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- - JDK-8271506: Add ResourceHashtable support for 
deleting selected entries
- - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
- - JDK-8272600: (test) Use native "sleep" in Basic.java
- - JDK-8272866: java.util.random package summary contains incorrect mixing function in table
- - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
- - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- - JDK-8273277: C2: Move conditional negation into rc_predicate
- - JDK-8273341: Update Siphash to version 1.0
- - JDK-8273351: bad tag in jdk.random module-info.java
- - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
- - JDK-8273387: remove some unreferenced gtk-related functions
- - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- - JDK-8273526: Extend the OSContainer API pids controller with pids.current
- - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- - JDK-8273655: content-types.properties files are missing some common types
- - JDK-8273682: Upgrade Jline to 3.20.0
- - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
- - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- - JDK-8273967: gtest 
os.dll_address_to_function_and_library_name_vm fails on macOS12
- - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
- - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- - JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
- - JDK-8274658: ISO 4217 Amendment 170 Update
- - JDK-8274714: Incorrect verifier protected access error message
- - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
- - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
- - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- - JDK-8274935: dumptime_table has stale entry
- - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
- - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- - JDK-8275586: Zero: Simplify interpreter initialization
- - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
- - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
- - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
- - JDK-8275650: Problemlist 
java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
- - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
- - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
- - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- - JDK-8276057: Update JMH devkit to 1.33
- - JDK-8276141: XPathFactory set/getProperty method
- - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- - JDK-8276623: JDK-8275650 accidentally pushed "out" file
- - JDK-8276654: element-list order is non deterministic
- - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
- - JDK-8276841: Add support for Visual Studio 2022
- - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
- - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
- - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
- - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- - JDK-8277383: VM.metaspace optionally show chunk freelist details
- - JDK-8277385: Zero: Enable CompactStrings support
- - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- - JDK-8277449: 
compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
- - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- - JDK-8277497: Last column cell in the JTable row is read as empty cell
- - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
- - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
- - JDK-8277795: ldap connection timeout not honoured under contention
- - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
- - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- - JDK-8278016: Add compiler tests to tier{2,3}
- - JDK-8278020: ~13% variation in Renaissance-Scrabble
- - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
- - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- - JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- - JDK-8278241: Implement JVM SpinPause on linux-aarch64
- - JDK-8278309: [windows] use of uninitialized OSThread::_state
- - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- - JDK-8278346: 
java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
- - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
- - JDK-8278604: SwingSet2 table demo does not have accessible description set for images
- - JDK-8278627: Shenandoah: TestHeapDump test failed
- - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- - JDK-8278824: Uneven work distribution when scanning heap roots in G1
- - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
- - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- - JDK-8279124: VM does not handle SIGQUIT during initialization
- - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- - JDK-8279379: GHA: Print tests that are in error
- - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
- - JDK-8279445: Update JMH devkit to 1.34
- - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- - JDK-8279695: [TESTBUG] modify 
compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
- - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- - JDK-8280002: jmap -histo may leak stream
- - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- - JDK-8280414: Memory leak in DefaultProxySelector
- - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- - JDK-8281460: Let ObjectMonitor have its own NMT category
- - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
- - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
- - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
-
-Notes on individual issues:
-===========================
-
-security-libs/java.security:
-
-JDK-8274791: Support for RSASSA-PSS in OCSP Response
-====================================================
-An OCSP response signed with the RSASSA-PSS algorithm is now supported. 
-
-New in release OpenJDK 17.0.2 (2022-01-18):
-===========================================
-Live versions of these release notes can be found at:
- * https://bitly.com/openjdk1702
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
-
-* Security fixes
- - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- - JDK-8268488: More valuable DerValues
- - JDK-8268494: Better inlining of inlined interfaces
- - JDK-8268512: More content for ContentInfo
- - JDK-8268813, CVE-2022-21283: Better String matching
- - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- - JDK-8269944: Better HTTP transport redux
- - JDK-8270386, CVE-2022-21291: Better verification of scan methods
- - JDK-8270392, CVE-2022-21293: Improve String constructions
- - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- - JDK-8270492, CVE-2022-21282: Better resolution of URIs
- - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- - JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- - JDK-8271962: Better TrueType font loading
- - JDK-8271968: Better canonical naming
- - JDK-8271987: Manifest improved manifest entries
- - JDK-8272014, CVE-2022-21305: Better array indexing
- - JDK-8272026, CVE-2022-21340: Verify Jar Verification
- - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- - JDK-8272272: Enhance jcmd communication
- - JDK-8272462: Enhance image handling
- - JDK-8273290: Enhance sound handling
- - JDK-8273756, CVE-2022-21360: Enhance BMP image support
- - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- - JDK-8274096, CVE-2022-21366: Improve decoding of image files
-* Other changes
- - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
- - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java 
failure due to timing
- - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
- - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- - JDK-8214761: Bug in parallel Kahan summation implementation
- - JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
- - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
- - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
- - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
- - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
- - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
- - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- - JDK-8263375: Support stack watermarks in Zero VM
- - JDK-8263773: Reenable German localization for builds at Oracle
- - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
- - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
- - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
- - JDK-8264292: Create implementation for NSAccessibilityList protocol peer
- - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
- - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
- - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol 
peer
- - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
- - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
- - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
- - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
- - JDK-8266239: Some duplicated javac command-line options have repeated effect
- - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
- - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
- - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
- - JDK-8267387: Create implementation for NSAccessibilityOutline protocol
- - JDK-8267388: Create implementation for NSAccessibilityTable protocol
- - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
- - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs. 
- - JDK-8268361: Fix the infinite loop in next_line
- - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
- - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
- - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
- - JDK-8268893: jcmd to trim the glibc heap
- - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
- - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
- - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
- - JDK-8269113: Javac throws when compiling switch (null)
- - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
- - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
- - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
- - JDK-8269481: SctpMultiChannel never releases own file descriptor
- - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
- - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- - JDK-8269687: pauth_aarch64.hpp include name is incorrect
- - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
- - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- - JDK-8270110: Shenandoah: Add test for JDK-8269661
- - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including 
Aqua on macOS
- - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
- - JDK-8270290: NTLM authentication fails if HEAD request is used
- - JDK-8270317: Large Allocation in CipherSuite
- - JDK-8270320: JDK-8270110 committed invalid copyright headers
- - JDK-8270517: Add Zero support for LoongArch
- - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
- - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
- - JDK-8271071: accessibility of a table on macOS lacks cell navigation
- - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
- - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
- - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
- - JDK-8271215: Fix data races in G1PeriodicGCTask
- - JDK-8271254: javac generates unreachable code when using empty semicolon statement
- - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
- - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
- - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
- - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. 
- - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
- - JDK-8271605: Update JMH devkit to 1.32
- - JDK-8271718: Crash when during color transformation the color profile is replaced
- - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
- - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
- - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
- - JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
- - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
- - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
- - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
- - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
- - JDK-8272114: Unused _last_state in osThread_windows
- - JDK-8272170: Missing memory barrier when checking active state for regions
- - JDK-8272305: several hotspot runtime/modules don't check exit codes
- - JDK-8272318: Improve performance of HeapDumpAllTest
- - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
- - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
- - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- - JDK-8272345: macos doesn't check `os::set_boot_path()` result
- - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: 
java.nio.file.NoSuchFileException: /run/user/0" - - JDK-8272391: Undeleted debug information - - JDK-8272413: Incorrect num of element count calculation for vector cast - - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong - - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272570: C2: crash in PhaseCFG::global_code_motion - - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272639: jpackaged applications using microphone on mac - - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO - - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit - - JDK-8272783: Epsilon: Refactor tests to improve performance - - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests - - JDK-8272838: Move CriticalJNI tests out of tier1 - - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 - - JDK-8272850: Drop zapping values in the Zap* option descriptions - - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test - - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag - - JDK-8272859: Javadoc external links should only have feature version number in URL - - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups - - JDK-8272970: Parallelize runtime/InvocationTests/ - - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop - - JDK-8273021: C2: Improve Add and Xor ideal optimizations - - JDK-8273026: Slow LoginContext.login() on multi threading application - - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 - - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert - - JDK-8273176: handle latest VS2019 in abstract_vm_version - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273234: extended 'for' with expression 
of type tvar causes the compiler to crash - - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit - - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273314: Add tier4 test groups - - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test - - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory - - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods - - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size - - JDK-8273361: InfoOptsTest is failing in tier1 - - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero - - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop - - JDK-8273376: Zero: Disable vtable/itableStub gtests - - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP - - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record - - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} - - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java - - JDK-8273450: Fix the copyright header of SVML files - - JDK-8273451: Remove unreachable return in mutexLocker::wait - - JDK-8273483: Zero: Clear pending JNI exception check in native method handler - - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option - - JDK-8273487: Zero: Handle "zero" variant in runtime tests - - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths - - JDK-8273498: compiler/c2/Test7179138_1.java timed out - - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in 
MetaspaceShared::link_shared_classes - - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8273592: Backout JDK-8271868 - - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. - - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian - - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch - - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests - - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher - - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease - - JDK-8273695: Safepoint deadlock on VMOperation_lock - - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem - - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly - - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java - - JDK-8273808: Cleanup AddFontsToX11FontPath - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out - - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral - - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() - - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() - - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported - - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds - - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character - - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 
disabled - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects - - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM - - JDK-8274083: Update testing docs to mention tiered testing - - JDK-8274087: Windows DLL path not set correctly. - - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition - - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC - - JDK-8274215: Remove globalsignr2ca root from 17.0.2 - - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 - - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp - - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated - - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 - - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m - - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern - - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" - - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile - - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU - - JDK-8274381: missing CAccessibility definitions in JNI code - - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread - - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API - - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274501: c2i entry barriers read int as long on AArch64 - - JDK-8274521: 
jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected - - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah - - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah - - JDK-8274550: c2i entry barriers read int as long on PPC - - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah - - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test - - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 - - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. - - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily - - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers - - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8274840: Update OS detection code to recognize Windows 11 - - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior - - JDK-8274851: [ppc64] Port zgc to linux on ppc64le - - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) - - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 - - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register - - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag - - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed - - JDK-8275104: IR framework does not handle client VM builds correctly - - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. 
- - JDK-8275131: Exceptions after a touchpad gesture on macOS - - JDK-8275141: recover corrupted line endings for the version-numbers.conf - - JDK-8275145: file.encoding system property has an incorrect value on Windows - - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges - - JDK-8275302: unexpected compiler error: cast, intersection types and sealed - - JDK-8275426: PretouchTask num_chunks calculation can overflow - - JDK-8275604: Zero: Reformat opclabels_data - - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless - - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem - - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] - - JDK-8275811: Incorrect instance to dispose - - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings - - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml - - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency - - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance - - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 - - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly - - JDK-8276112: Inconsistent scalar replacement debug info at safepoints - - JDK-8276122: Change openjdk project in jcheck to jdk-updates - - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme - - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test - - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 - - JDK-8276201: Shenandoah: Race results 
degenerated GC to enter wrong entry point - - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration - - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend - - JDK-8276572: Fake libsyslookup.so library causes tooling issues - - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie - - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah - - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager - - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 - - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 - - JDK-8276854: Windows GHA builds fail due to broken Cygwin - - JDK-8276864: Update boot JDKs to 17.0.1 in GHA - - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders - - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le - - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes - - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element - - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points - - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] - - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint - - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup - -Notes on individual issues: -=========================== - -core-libs/java.io:serialization: - -JDK-8277157: Vector 
should throw ClassNotFoundException for a missing class of an element -========================================================================================= -`java.util.Vector` is updated to correctly report -`ClassNotFoundException that occurs during deserialization using -`java.io.ObjectInputStream.GetField.get(name, object)` when the class -of an element of the Vector is not found. Without this fix, a -`StreamCorruptedException` is thrown that does not provide information -about the missing class. - -security-libs/java.security: - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - -core-libs/java.io: - -JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows -============================================================================ -The initialization of the `file.encoding` system property on non macOS -platforms has been reverted to align with the behavior on or before -JDK 11. This has been an issue especially on Windows where the system -and user's locales are not the same. - -hotspot/gc: - -JDK-8277533: ZGC: Fixed long Process Non-Strong References times -================================================================ -A bug has been fixed that could cause long "Concurrent Process -Non-Strong References" times with ZGC. The bug blocked the GC from -making significant progress, and caused both latency and throughput -issues for the Java application. - -The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. 
- -[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - -New in release OpenJDK 17.0.1 (2021-10-19): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt - -* Security fixes - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268500: Better specified ParameterSpecs - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: 
Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization -* Other changes - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8263531: Remove unused buffer int - - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. 
- - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - - JDK-8269297: Bump version numbers for JDK 17.0.1 - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - - JDK-8270344: Session resumption errors - - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - - JDK-8271276: C2: Wrong JVM state used for receiver null check - - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - - JDK-8271589: fatal error with variable shift count integer rotate operation. 
- - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - - JDK-8273358: macOS Monterey does not have the font Times needed by Serif - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. 
- -New in release OpenJDK 17.0.0 (2021-09-14): -=========================================== -The full list of changes in the interim releases from 11u to 17u can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-12.txt - * https://builds.shipilev.net/backports-monitor/release-notes-13.txt - * https://builds.shipilev.net/backports-monitor/release-notes-14.txt - * https://builds.shipilev.net/backports-monitor/release-notes-15.txt - * https://builds.shipilev.net/backports-monitor/release-notes-16.txt - * https://builds.shipilev.net/backports-monitor/release-notes-17.txt - -Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 12 -through to 17. - -NEW FEATURES -============ - -Language Features -================= - -Switch Expressions -================== -https://openjdk.java.net/jeps/325 -https://openjdk.java.net/jeps/354 -https://openjdk.java.net/jeps/361 - -Extend the `switch` statement so that it can be used as either a -statement or an expression, and that both forms can use either a -"traditional" or "simplified" scoping and control flow behavior. Both -forms can use either traditional `case ... :` labels (with fall -through) or new `case ... ->` labels (with no fall through), with a -further new statement for yielding a value from a `switch` -expression. These changes will simplify everyday coding, and also -prepare the way for the use of pattern matching in `switch`. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 12 & 13 and became final in OpenJDK 14. - -Text Blocks -=========== -https://openjdk.java.net/jeps/355 -https://openjdk.java.net/jeps/368 -https://openjdk.java.net/jeps/378 - -Add text blocks to the Java language. 
A text block is a multi-line -string literal that avoids the need for most escape sequences, -automatically formats the string in a predictable way, and gives the -developer control over format when desired. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 13 & 14 and became final in OpenJDK 15. - -Pattern Matching for instanceof -=============================== -https://openjdk.java.net/jeps/305 -https://openjdk.java.net/jeps/375 -https://openjdk.java.net/jeps/394 -http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html - -Enhance the Java programming language with pattern matching for the -`instanceof` operator. Pattern matching allows common logic in a -program, namely the conditional extraction of components from objects, -to be expressed more concisely and safely. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Records -======= -https://openjdk.java.net/jeps/359 -https://openjdk.java.net/jeps/384 -https://openjdk.java.net/jeps/395 - -Enhance the Java programming language with records. Records provide a -compact syntax for declaring classes which are transparent holders for -shallowly immutable data. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Sealed Classes -============== -https://openjdk.java.net/jeps/360 -https://openjdk.java.net/jeps/397 -https://openjdk.java.net/jeps/409 -https://cr.openjdk.java.net/~briangoetz/amber/datum.html - -Enhance the Java programming language with sealed classes and -interfaces. Sealed classes and interfaces restrict which other classes -or interfaces may extend or implement them. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 15 & 16 and became final in OpenJDK 17. 
- -Restore Always-Strict Floating-Point Semantics -============================================== -https://openjdk.java.net/jeps/306 - -Make floating-point operations consistently strict, rather than have -both strict floating-point semantics (`strictfp`) and subtly different -default floating-point semantics. This will restore the original -floating-point semantics to the language and VM, matching the -semantics before the introduction of strict and default floating-point -modes in Java SE 1.2. - -Pattern Matching for switch -=========================== -https://openjdk.java.net/jeps/406 - -Enhance the Java programming language with pattern matching for -`switch` expressions and statements, along with extensions to the -language of patterns. Extending pattern matching to `switch` allows an -expression to be tested against a number of patterns, each with a -specific action, so that complex data-oriented queries can be -expressed concisely and safely. - -This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK -17. - -Library Features -================ - -JVM Constants API -================= -https://openjdk.java.net/jeps/334 - -Introduce an API to model nominal descriptions of key class-file and -run-time artifacts, in particular constants that are loadable from the -constant pool. - -Reimplement the Legacy Socket API -================================= -https://openjdk.java.net/jeps/353 - -Replace the underlying implementation used by the `java.net.Socket` -and `java.net.ServerSocket` APIs with a simpler and more modern -implementation that is easy to maintain and debug. The new -implementation will be easy to adapt to work with user-mode threads, -a.k.a. fibers, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). - -JFR Event Streaming -=================== -https://openjdk.java.net/jeps/349 - -Expose JDK Flight Recorder data for continuous monitoring. 
- -Non-Volatile Mapped Byte Buffers -================================ -https://openjdk.java.net/jeps/352 - -Add new JDK-specific file mapping modes so that the `FileChannel` API -can be used to create `MappedByteBuffer` instances that refer to -non-volatile memory. - -Helpful NullPointerExceptions -============================= -https://openjdk.java.net/jeps/358 - -Improve the usability of `NullPointerException`s generated by the JVM -by describing precisely which variable was `null`. - -Foreign-Memory Access API -========================= -https://openjdk.java.net/jeps/370 -https://openjdk.java.net/jeps/383 -https://openjdk.java.net/jeps/393 - -Introduce an API to allow Java programs to safely and efficiently -access foreign memory outside of the Java heap. - -This was a incubation feature (https://openjdk.java.net/jeps/11) in -OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory -API in OpenJDK 17 (see below). - -Edwards-Curve Digital Signature Algorithm (EdDSA) -================================================= -https://openjdk.java.net/jeps/339 - -Implement cryptographic signatures using the Edwards-Curve Digital -Signature Algorithm (EdDSA) as described by RFC 8032 -(https://tools.ietf.org/html/rfc8032). - -Hidden Classes -============== -https://openjdk.java.net/jeps/371 - -Introduce hidden classes, which are classes that cannot be used -directly by the bytecode of other classes. Hidden classes are intended -for use by frameworks that generate classes at run time and use them -indirectly, via reflection. A hidden class may be defined as a member -of an access control nest (https://openjdk.java.net/jeps/181), and may -be unloaded independently of other classes. 
- -Reimplement the Legacy DatagramSocket API -========================================= -https://openjdk.java.net/jeps/373 - -Replace the underlying implementations of the -`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with -simpler and more modern implementations that are easy to maintain and -debug. The new implementations will be easy to adapt to work with -virtual threads, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). This is a follow-on to JEP -353 (see above), which already reimplemented the legacy Socket API. - -Vector API -========== -https://openjdk.java.net/jeps/338 -https://openjdk.java.net/jeps/414 - -Provide an initial iteration of an incubator module, -`jdk.incubator.vector`, to express vector computations that reliably -compile at runtime to optimal vector hardware instructions on -supported CPU architectures and thus achieve superior performance to -equivalent scalar computations. - -This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16. - -Unix-Domain Socket Channels -=========================== -https://openjdk.java.net/jeps/380 - -Add Unix-domain (`AF_UNIX`) socket support to the socket channel and -server-socket channel APIs in the `java.nio.channels` package. Extend -the inherited channel mechanism to support Unix-domain socket channels -and server socket channels. - -Foreign Linker API (Incubator) -============================== -https://openjdk.java.net/jeps/389 - -Introduce an API that offers statically-typed, pure-Java access to -native code. This API, together with the Foreign-Memory API (see -above), will considerably simplify the otherwise error-prone process -of binding to a native library. - -This was an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16, now superseded by the Foreign Function & -Memory API in OpenJDK 17 (see below). 
- -Strongly Encapsulate JDK Internals by Default -============================================= -https://openjdk.java.net/jeps/396 -https://openjdk.java.net/jeps/403 - -Strongly encapsulate all internal elements of the JDK by default, -except for critical internal APIs such as `sun.misc.Unsafe`. It will -no longer be possible to relax the strong encapsulation of internal -elements via a single command-line option, as was possible in OpenJDK -9 through 16. - -Enhanced Pseudo-Random Number Generators -======================================== -https://openjdk.java.net/jeps/356 - -Provide new interface types and implementations for pseudo-random -number generators (PRNGs), including jumpable PRNGs and an additional -class of splittable PRNG algorithms (LXM). - -Foreign Function & Memory API -============================= -https://openjdk.java.net/jeps/412 - -Introduce an API by which Java programs can interoperate with code and -data outside of the Java runtime. By efficiently invoking foreign -functions (i.e., code outside the JVM), and by safely accessing -foreign memory (i.e., memory not managed by the JVM), the API enables -Java programs to call native libraries and process native data without -the brittleness and danger of JNI. - -This API is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 17, and is an evolution of the Foreign Memory -Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK -16) (see above). - -Context-Specific Deserialization Filters -======================================== -https://openjdk.java.net/jeps/415 - -Allow applications to configure context-specific and -dynamically-selected deserialization filters via a JVM-wide filter -factory that is invoked to select a filter for each individual -deserialization operation. 
-
-Tools
-=====
-
-Packaging Tool
-==============
-https://openjdk.java.net/jeps/343
-https://openjdk.java.net/jeps/392
-
-Provide the `jpackage` tool, for packaging self-contained Java
-applications.
-
-JVM Features
-============
-
-Shenandoah: A Low-Pause-Time Garbage Collector
-==============================================
-https://openjdk.java.net/jeps/189
-https://openjdk.java.net/jeps/379
-
-Add a new garbage collection (GC) algorithm named Shenandoah which
-reduces GC pause times by doing evacuation work concurrently with the
-running Java threads. Pause times with Shenandoah are independent of
-heap size, meaning you will have the same consistent pause times
-whether your heap is 200 MB or 200 GB.
-
-Shenandoah has been provided in Red Hat builds of OpenJDK 8 since
-8u131 in April 2017 and in all 11u builds.
-
-Upstream, it was introduced in OpenJDK 12 as an experimental feature
-and became a production feature in OpenJDK 15. It was backported to
-OpenJDK 11 with the 11.0.9 release in October 2020.
-
-Abortable Mixed Collections for G1
-==================================
-https://openjdk.java.net/jeps/344
-
-Make G1 mixed collections abortable if they might exceed the pause
-target.
-
-Promptly Return Unused Committed Memory from G1
-===============================================
-https://openjdk.java.net/jeps/346
-
-Enhance the G1 garbage collector to automatically return Java heap
-memory to the operating system when idle.
-
-Dynamic CDS Archives
-====================
-https://openjdk.java.net/jeps/310
-https://openjdk.java.net/jeps/350
-
-Extend application class-data sharing to allow the dynamic archiving
-of classes at the end of Java application execution. The archived
-classes will include all loaded application classes and library
-classes that are not present in the default, base-layer CDS archive.
-
-ZGC: Uncommit Unused Memory (Experimental)
-==========================================
-https://openjdk.java.net/jeps/351
-
-Enhance ZGC to return unused heap memory to the operating system.
-
-NUMA-Aware Memory Allocation for G1
-===================================
-https://openjdk.java.net/jeps/345
-
-Improve G1 performance on large machines by implementing NUMA-aware
-memory allocation.
-
-ZGC on macOS (Experimental)
-===========================
-https://openjdk.java.net/jeps/364
-
-Port the ZGC garbage collector to macOS.
-
-ZGC on Windows (Experimental)
-=============================
-https://openjdk.java.net/jeps/365
-
-Port the ZGC garbage collector to Windows.
-
-ZGC: A Scalable Low-Latency Garbage Collector (Production)
-==========================================================
-https://openjdk.java.net/jeps/377
-
-Change the Z Garbage Collector from an experimental feature into a
-product feature.
-
-ZGC: Concurrent Thread-Stack Processing
-=======================================
-https://openjdk.java.net/jeps/376
-
-Move ZGC thread-stack processing from safepoints to a concurrent
-phase.
-
-Elastic Metaspace
-=================
-https://openjdk.java.net/jeps/387
-
-Return unused HotSpot class-metadata (i.e., metaspace) memory to the
-operating system more promptly, reduce metaspace footprint, and
-simplify the metaspace code in order to reduce maintenance costs.
-
-Ports
-=====
-
-Alpine Linux Port
-=================
-https://openjdk.java.net/jeps/386
-
-Port the JDK to Alpine Linux, and to other Linux distributions that
-use musl as their primary C library, on both the x64 and AArch64
-architectures,
-
-Windows/AArch64 Port
-====================
-https://openjdk.java.net/jeps/388
-
-Port the JDK to Windows/AArch64.
-
-New macOS Rendering Pipeline
-============================
-https://openjdk.java.net/jeps/382
-
-Implement a Java 2D internal rendering pipeline for macOS using the
-Apple Metal API as alternative to the existing pipeline, which uses
-the deprecated Apple OpenGL API.
-
-macOS/AArch64 Port
-==================
-https://openjdk.java.net/jeps/391
-
-Port the JDK to macOS/AArch64.
-
-DEPRECATIONS
-============
-
-Deprecate the ParallelScavenge + SerialOld GC Combination
-=========================================================
-https://openjdk.java.net/jeps/366
-
-Deprecate the combination of the Parallel Scavenge and Serial Old
-garbage collection algorithms.
-
-Deprecate and Disable Biased Locking
-====================================
-https://openjdk.java.net/jeps/374
-
-Disable biased locking by default, and deprecate all related
-command-line options.
-
-Warnings for Value-Based Classes
-================================
-https://openjdk.java.net/jeps/390
-
-Designate the primitive wrapper classes as value-based and deprecate
-their constructors for removal, prompting new deprecation
-warnings. Provide warnings about improper attempts to synchronize on
-instances of any value-based classes in the Java Platform.
-
-Deprecate the Applet API for Removal
-====================================
-https://openjdk.java.net/jeps/398
-
-Deprecate the Applet API for removal. It is essentially irrelevant
-since all web-browser vendors have either removed support for Java
-browser plug-ins or announced plans to do so.
-
-Deprecate the Security Manager for Removal
-==========================================
-https://openjdk.java.net/jeps/411
-
-Deprecate the Security Manager for removal in a future release. The
-Security Manager dates from Java 1.0. It has not been the primary
-means of securing client-side Java code for many years, and it has
-rarely been used to secure server-side code. To move Java forward, we
-intend to deprecate the Security Manager for removal in concert with
-the legacy Applet API (see above). .
-
-REMOVALS
-========
-
-Remove the Concurrent Mark Sweep (CMS) Garbage Collector
-========================================================
-https://openjdk.java.net/jeps/363
-
-Remove the Concurrent Mark Sweep (CMS) garbage collector.
-
-Remove the Pack200 Tools and API
-================================
-https://openjdk.java.net/jeps/336
-https://openjdk.java.net/jeps/367
-
-Remove the `pack200` and `unpack200` tools, and the `Pack200` API in
-the `java.util.jar` package. These tools and API were deprecated for
-removal in OpenJDK 11 with the express intent to remove them in a
-future release.
-
-Remove the Nashorn JavaScript Engine
-====================================
-https://openjdk.java.net/jeps/372
-
-Remove the Nashorn JavaScript script engine and APIs, and the `jjs`
-tool. The engine, the APIs, and the tool were deprecated for removal
-in OpenJDK 11 with the express intent to remove them in a future
-release.
-
-Remove the Solaris and SPARC Ports
-==================================
-https://openjdk.java.net/jeps/362
-https://openjdk.java.net/jeps/381
-
-Remove the source code and build support for the Solaris/SPARC,
-Solaris/x64, and Linux/SPARC ports. These ports were deprecated for
-removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381).
-
-Remove RMI Activation
-=====================
-https://openjdk.java.net/jeps/385
-https://openjdk.java.net/jeps/407
-https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html
-
-Remove the Remote Method Invocation (RMI) Activation mechanism, while
-preserving the rest of RMI. RMI Activation is an obsolete part of RMI
-that has been optional since OpenJDK 8 and was deprecated in OpenJDK
-15.
-
-Remove the Experimental AOT and JIT Compiler
-============================================
-https://openjdk.java.net/jeps/410
-
-Remove the experimental Java-based ahead-of-time (AOT) and
-just-in-time (JIT) compiler. This compiler has seen little use since
-its introduction and the effort required to maintain it is
-significant. Retain the experimental Java-level JVM compiler
-interface (JVMCI) so that developers can continue to use
-externally-built versions of the compiler for JIT compilation.
diff --git a/fips-17u-257d544b594.patch b/fips-17u-257d544b594.patch
deleted file mode 100644
index 6c03d6f..0000000
--- a/fips-17u-257d544b594.patch
+++ /dev/null
@@ -1,5956 +0,0 @@ -diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 -index 5f4b22bb27f..1ca9f5b8ffe 100644 ---- a/make/autoconf/build-aux/pkg.m4 -+++ b/make/autoconf/build-aux/pkg.m4 -@@ -179,3 +179,19 @@ else - ifelse([$3], , :, [$3]) - fi[]dnl - ])# PKG_CHECK_MODULES -+ -+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, -+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -+dnl ------------------------------------------- -+dnl Since: 0.28 -+dnl -+dnl Retrieves the value of the pkg-config variable for the given module. -+AC_DEFUN([PKG_CHECK_VAR], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl -+ -+_PKG_CONFIG([$1], [variable="][$3]["], [$2]) -+AS_VAR_COPY([$1], [pkg_cv_][$1]) -+ -+AS_VAR_IF([$1], [""], [$5], [$4])dnl -+])dnl PKG_CHECK_VAR -diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 -new file mode 100644 -index 00000000000..f48fc7f7e80 ---- /dev/null -+++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,87 @@ -+# -+# Copyright (c) 2021, Red Hat, Inc. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. Oracle designates this -+# particular file as subject to the "Classpath" exception as provided -+# by Oracle in the LICENSE file that accompanied this code. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). 
-+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ AC_MSG_CHECKING([for NSS library directory]) -+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) -+ -+ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ 
AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+ AC_SUBST(NSS_LIBDIR) -+]) -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a65d91ee974..a8f054c1397 100644 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) - m4_include([lib-x11.m4]) - m4_include([lib-fontconfig.m4]) - m4_include([lib-tests.m4]) -+m4_include([lib-sysconf.m4]) - - ################################################################################ - # Determine which libraries are needed for this configuration -@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_BUNDLED_LIBS - LIB_SETUP_MISC_LIBS - LIB_TESTS_SETUP_GTEST -+ LIB_SETUP_SYSCONF_LIBS - - BASIC_JDKLIB_LIBS="" - if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index d557549adb3..1cb44bd2595 100644 ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+NSS_LIBDIR:=@NSS_LIBDIR@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk -index 4b894eeae4a..51567071aa8 100644 ---- a/make/modules/java.base/Gendata.gmk -+++ b/make/modules/java.base/Gendata.gmk -@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST - TARGETS += $(GENDATA_JAVA_SECURITY) - - 
################################################################################ -+ -+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in -+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg -+ -+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) -+ $(call LogInfo, Generating nss.fips.cfg) -+ $(call MakeTargetDir) -+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ -+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ -+ ) -+ -+TARGETS += $(GENDATA_NSS_FIPS_CFG) -+ -+################################################################################ -diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 5658ff342e5..c8bc5bde1e1 100644 ---- a/make/modules/java.base/Lib.gmk -+++ b/make/modules/java.base/Lib.gmk -@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) - endif - endif - -+################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+)) -+ -+TARGETS += $(BUILD_LIBSYSTEMCONF) -+ - ################################################################################ - # Create the symbols file for static builds. 
- -diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -index 1fd6230d83b..683e3dd3a8d 100644 ---- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -+++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -@@ -25,13 +25,12 @@ - - package com.sun.crypto.provider; - --import java.util.Arrays; -- - import javax.crypto.SecretKey; - import javax.crypto.spec.SecretKeySpec; --import javax.crypto.spec.PBEParameterSpec; -+import javax.crypto.spec.PBEKeySpec; - import java.security.*; - import java.security.spec.*; -+import sun.security.util.PBEUtil; - - /** - * This is an implementation of the HMAC algorithms as defined -@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { - */ - protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- char[] passwdChars; -- byte[] salt = null; -- int iCount = 0; -- if (key instanceof javax.crypto.interfaces.PBEKey) { -- javax.crypto.interfaces.PBEKey pbeKey = -- (javax.crypto.interfaces.PBEKey) key; -- passwdChars = pbeKey.getPassword(); -- salt = pbeKey.getSalt(); // maybe null if unspecified -- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified -- } else if (key instanceof SecretKey) { -- byte[] passwdBytes; -- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || -- (passwdBytes = key.getEncoded()) == null) { -- throw new InvalidKeyException("Missing password"); -- } -- passwdChars = new char[passwdBytes.length]; -- for (int i=0; i attrs = new HashMap<>(3); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -- + "|OAEPWITHMD5ANDMGF1PADDING" -- + "|OAEPWITHSHA1ANDMGF1PADDING" -- + "|OAEPWITHSHA-1ANDMGF1PADDING" -- + "|OAEPWITHSHA-224ANDMGF1PADDING" -- + "|OAEPWITHSHA-256ANDMGF1PADDING" -- + 
"|OAEPWITHSHA-384ANDMGF1PADDING" -- + "|OAEPWITHSHA-512ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -- ps("Cipher", "RSA", -- "com.sun.crypto.provider.RSACipher", null, attrs); -- -- // common block cipher modes, pads -- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -- final String BLOCK_MODES128 = BLOCK_MODES + -- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DES", -- "com.sun.crypto.provider.DESCipher", null, attrs); -- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -- attrs); -- ps("Cipher", "Blowfish", -- "com.sun.crypto.provider.BlowfishCipher", null, attrs); -- -- ps("Cipher", "RC2", -- "com.sun.crypto.provider.RC2Cipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES128); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES", -- "com.sun.crypto.provider.AESCipher$General", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -- attrs); -- ps("Cipher", "AES/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_128/ECB/NoPadding", -- 
"com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_128/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_128/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_128/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_192/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_192/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_192/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_192/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_256/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_256/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CFB/NoPadding", -- 
"com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_256/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_256/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "GCM"); -- attrs.put("SupportedKeyFormats", "RAW"); -- -- ps("Cipher", "AES/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -- attrs); -- psA("Cipher", "AES_128/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES128", -- attrs); -- psA("Cipher", "AES_192/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES192", -- attrs); -- psA("Cipher", "AES_256/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES256", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "CBC"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DESedeWrap", -- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "ARCFOUR", -- "com.sun.crypto.provider.ARCFOURCipher", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "ChaCha20", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -- null, attrs); -- psA("Cipher", "ChaCha20-Poly1305", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -- attrs); -- -- // PBES1 -- psA("Cipher", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -- null); -- ps("Cipher", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -- psA("Cipher", "PBEWithSHA1AndDESede", -- 
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -- null); -- psA("Cipher", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -- null); -- -- psA("Cipher", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -- null); -- -- // PBES2 -- ps("Cipher", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -- -- /* -- * Key(pair) Generator engines -- */ -- ps("KeyGenerator", "DES", -- "com.sun.crypto.provider.DESKeyGenerator"); -- psA("KeyGenerator", "DESede", -- "com.sun.crypto.provider.DESedeKeyGenerator", -- null); -- ps("KeyGenerator", "Blowfish", -- "com.sun.crypto.provider.BlowfishKeyGenerator"); 
-- psA("KeyGenerator", "AES", -- "com.sun.crypto.provider.AESKeyGenerator", -- null); -- ps("KeyGenerator", "RC2", -- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -- psA("KeyGenerator", "ARCFOUR", -- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -- null); -- ps("KeyGenerator", "ChaCha20", -- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -- ps("KeyGenerator", "HmacMD5", -- "com.sun.crypto.provider.HmacMD5KeyGenerator"); -- -- psA("KeyGenerator", "HmacSHA1", -- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -- psA("KeyGenerator", "HmacSHA224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -- null); -- psA("KeyGenerator", "HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -- null); -- psA("KeyGenerator", "HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -- null); -- psA("KeyGenerator", "HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -- null); -- psA("KeyGenerator", "HmacSHA512/224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -- null); -- psA("KeyGenerator", "HmacSHA512/256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -- null); -- -- psA("KeyGenerator", "HmacSHA3-224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -- null); -- psA("KeyGenerator", "HmacSHA3-256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -- null); -- psA("KeyGenerator", "HmacSHA3-384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -- null); -- psA("KeyGenerator", "HmacSHA3-512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -- null); -- -- psA("KeyPairGenerator", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyPairGenerator", -- null); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -+ + "|OAEPWITHMD5ANDMGF1PADDING" -+ + 
"|OAEPWITHSHA1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-256ANDMGF1PADDING" -+ + "|OAEPWITHSHA-384ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ ps("Cipher", "RSA", -+ "com.sun.crypto.provider.RSACipher", null, attrs); -+ -+ // common block cipher modes, pads -+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -+ final String BLOCK_MODES128 = BLOCK_MODES + -+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DES", -+ "com.sun.crypto.provider.DESCipher", null, attrs); -+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -+ attrs); -+ ps("Cipher", "Blowfish", -+ "com.sun.crypto.provider.BlowfishCipher", null, attrs); -+ -+ ps("Cipher", "RC2", -+ "com.sun.crypto.provider.RC2Cipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES128); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES", -+ "com.sun.crypto.provider.AESCipher$General", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", 
"AES/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_128/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_128/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_128/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_192/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_192/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_192/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_256/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -+ attrs); -+ psA("Cipher", 
"AES_256/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_256/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_256/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "GCM"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ -+ ps("Cipher", "AES/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -+ attrs); -+ psA("Cipher", "AES_128/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES128", -+ attrs); -+ psA("Cipher", "AES_192/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES192", -+ attrs); -+ psA("Cipher", "AES_256/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES256", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "CBC"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DESedeWrap", -+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "ARCFOUR", -+ "com.sun.crypto.provider.ARCFOURCipher", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "ChaCha20", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -+ null, attrs); -+ psA("Cipher", "ChaCha20-Poly1305", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -+ attrs); -+ -+ // PBES1 -+ psA("Cipher", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -+ null); -+ ps("Cipher", 
"PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -+ psA("Cipher", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("Cipher", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -+ null); -+ -+ // PBES2 -+ ps("Cipher", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -+ -+ /* -+ * Key(pair) Generator engines -+ */ -+ ps("KeyGenerator", "DES", -+ "com.sun.crypto.provider.DESKeyGenerator"); -+ psA("KeyGenerator", "DESede", -+ 
"com.sun.crypto.provider.DESedeKeyGenerator", -+ null); -+ ps("KeyGenerator", "Blowfish", -+ "com.sun.crypto.provider.BlowfishKeyGenerator"); -+ psA("KeyGenerator", "AES", -+ "com.sun.crypto.provider.AESKeyGenerator", -+ null); -+ ps("KeyGenerator", "RC2", -+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -+ psA("KeyGenerator", "ARCFOUR", -+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -+ null); -+ ps("KeyGenerator", "ChaCha20", -+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -+ ps("KeyGenerator", "HmacMD5", -+ "com.sun.crypto.provider.HmacMD5KeyGenerator"); -+ -+ psA("KeyGenerator", "HmacSHA1", -+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -+ psA("KeyGenerator", "HmacSHA224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -+ null); -+ psA("KeyGenerator", "HmacSHA256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -+ null); -+ psA("KeyGenerator", "HmacSHA384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -+ null); -+ psA("KeyGenerator", "HmacSHA512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -+ null); -+ psA("KeyGenerator", "HmacSHA512/224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -+ null); -+ psA("KeyGenerator", "HmacSHA512/256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -+ null); -+ -+ psA("KeyGenerator", "HmacSHA3-224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -+ null); -+ psA("KeyGenerator", "HmacSHA3-256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -+ null); -+ psA("KeyGenerator", "HmacSHA3-384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -+ null); -+ psA("KeyGenerator", "HmacSHA3-512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -+ null); -+ -+ psA("KeyPairGenerator", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyPairGenerator", -+ null); -+ } - - /* - * Algorithm parameter generation engines -@@ 
-430,15 +437,17 @@ public final class SunJCE extends Provider {
- "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
- null);
-
-- /*
-- * Key Agreement engines
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-- "|javax.crypto.interfaces.DHPrivateKey");
-- psA("KeyAgreement", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyAgreement",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key Agreement engines
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-+ "|javax.crypto.interfaces.DHPrivateKey");
-+ psA("KeyAgreement", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyAgreement",
-+ attrs);
-+ }
-
- /*
- * Algorithm Parameter engines
-@@ -610,118 +619,120 @@ public final class SunJCE extends Provider {
- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-
-- // PBKDF2
-- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-- null);
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
--
-- /*
-- * MAC
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-- attrs);
-- psA("Mac", "HmacSHA224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-- psA("Mac", "HmacSHA256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-- psA("Mac", "HmacSHA384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-- psA("Mac", "HmacSHA512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-- psA("Mac", "HmacSHA512/224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-- psA("Mac", "HmacSHA512/256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-- psA("Mac", "HmacSHA3-224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-- psA("Mac", "HmacSHA3-256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-- psA("Mac", "HmacSHA3-384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-- psA("Mac", "HmacSHA3-512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
--
-- ps("Mac", "HmacPBESHA1",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-- null, attrs);
-- ps("Mac", "HmacPBESHA224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-- null, attrs);
-- ps("Mac", "HmacPBESHA384",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-- null, attrs);
--
--
-- // PBMAC1
-- ps("Mac", "PBEWithHmacSHA1",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-- ps("Mac", "PBEWithHmacSHA224",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-- ps("Mac", "PBEWithHmacSHA256",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-- ps("Mac", "PBEWithHmacSHA384",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-- ps("Mac", "PBEWithHmacSHA512",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-- ps("Mac", "SslMacMD5",
-- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-- ps("Mac", "SslMacSHA1",
-- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
--
-- /*
-- * KeyStore
-- */
-- ps("KeyStore", "JCEKS",
-- "com.sun.crypto.provider.JceKeyStore");
--
-- /*
-- * SSL/TLS mechanisms
-- *
-- * These are strictly internal implementations and may
-- * be changed at any time. These names were chosen
-- * because PKCS11/SunPKCS11 does not yet have TLS1.2
-- * mechanisms, and it will cause calls to come here.
-- */
-- ps("KeyGenerator", "SunTlsPrf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V10");
-- ps("KeyGenerator", "SunTls12Prf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V12");
--
-- ps("KeyGenerator", "SunTlsMasterSecret",
-- "com.sun.crypto.provider.TlsMasterSecretGenerator",
-- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-- null);
--
-- ps("KeyGenerator", "SunTlsKeyMaterial",
-- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-- List.of("SunTls12KeyMaterial"), null);
--
-- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-- List.of("SunTls12RsaPremasterSecret"), null);
-+ if (!systemFipsEnabled) {
-+ // PBKDF2
-+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-+ null);
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
-+
-+ /*
-+ * MAC
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-+ attrs);
-+ psA("Mac", "HmacSHA224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-+ psA("Mac", "HmacSHA256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-+ psA("Mac", "HmacSHA384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-+ psA("Mac", "HmacSHA512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-+ psA("Mac", "HmacSHA512/224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-+ psA("Mac", "HmacSHA512/256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-+ psA("Mac", "HmacSHA3-224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-+ psA("Mac", "HmacSHA3-256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-+ psA("Mac", "HmacSHA3-384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-+ psA("Mac", "HmacSHA3-512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
-+
-+ ps("Mac", "HmacPBESHA1",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA384",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-+ null, attrs);
-+
-+
-+ // PBMAC1
-+ ps("Mac", "PBEWithHmacSHA1",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA224",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA256",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA384",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA512",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-+ ps("Mac", "SslMacMD5",
-+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-+ ps("Mac", "SslMacSHA1",
-+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
-+
-+ /*
-+ * KeyStore
-+ */
-+ ps("KeyStore", "JCEKS",
-+ "com.sun.crypto.provider.JceKeyStore");
-+
-+ /*
-+ * SSL/TLS mechanisms
-+ *
-+ * These are strictly internal implementations and may
-+ * be changed at any time. These names were chosen
-+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
-+ * mechanisms, and it will cause calls to come here.
-+ */
-+ ps("KeyGenerator", "SunTlsPrf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
-+ ps("KeyGenerator", "SunTls12Prf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
-+
-+ ps("KeyGenerator", "SunTlsMasterSecret",
-+ "com.sun.crypto.provider.TlsMasterSecretGenerator",
-+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-+ null);
-+
-+ ps("KeyGenerator", "SunTlsKeyMaterial",
-+ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-+ List.of("SunTls12KeyMaterial"), null);
-+
-+ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-+ List.of("SunTls12RsaPremasterSecret"), null);
-+ }
- }
-
- // Return the instance of this class or create one if needed.
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index ff2bc942c03..96a3ba4040c 100644
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@ import java.net.URL;
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -47,12 +48,20 @@ import sun.security.jca.*;
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging? -- for developers */
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -67,6 +76,19 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -84,6 +106,7 @@ public final class Security {
- props = new Properties();
- boolean loadedProps = false;
- boolean overrideAll = false;
-+ boolean systemSecPropsEnabled = false;
-
- // first load the system properties file
- // to determine the value of security.overridePropertiesFile
-@@ -99,6 +122,7 @@ public final class Security {
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -193,6 +217,61 @@ public final class Security {
- }
- }
-
-+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
-+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
-+ if (sdebug != null) {
-+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
-+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
-+ }
-+ if (!sysUseProps && secUseProps) {
-+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
-+ if (!systemSecPropsEnabled) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System security properties could not be loaded.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("System security property support disabled by user.");
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps && systemSecPropsEnabled) {
-+ boolean shouldEnable;
-+ String sysProp = System.getProperty("com.redhat.fips");
-+ if (sysProp == null) {
-+ shouldEnable = true;
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
- }
-
- /*
-diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..98ffced455b
---- /dev/null
-+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,249 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ boolean systemSecPropsLoaded = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ systemSecPropsLoaded = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+ return systemSecPropsLoaded;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws Exception {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..3f3caac64dc
---- /dev/null
-+++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.access;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index f6d3638c3dd..a1ee182d913 100644
---- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -39,6 +39,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
- 
- /** A repository of "shared secrets", which are a mechanism for
-@@ -81,6 +82,7 @@ public class SharedSecrets {
- private static JavaSecuritySpecAccess javaSecuritySpecAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
- private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
- 
- public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
- javaUtilCollectionAccess = juca;
-@@ -442,4 +444,15 @@ public class SharedSecrets {
- MethodHandles.lookup().ensureInitialized(c);
- } catch (IllegalAccessException e) {}
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 9faee9cae36..27f43550aa4 100644
---- a/src/java.base/share/classes/module-info.java
-+++ b/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,8 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.cryptoki,
-+ jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
- jdk.net,
-diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index 912cad59714..709d32912ca 100644
---- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -30,6 +30,7 @@ import java.net.*;
- import java.util.*;
- import java.security.*;
- 
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.action.GetPropertyAction;
- import sun.security.util.SecurityProviderConstants;
-@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- 
- public final class SunEntries {
- 
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- // the default algo used by SecureRandom class for new SecureRandom() calls
- public static final String DEF_SECURE_RANDOM_ALGO;
- 
-@@ -94,99 +99,101 @@ public final class SunEntries {
- // common attribute map
- HashMap attrs = new HashMap<>(3);
- 
-- /*
-- * SecureRandom engines
-- */
-- attrs.put("ThreadSafe", "true");
-- if (NativePRNG.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNG",
-- "sun.security.provider.NativePRNG", attrs);
-- }
-- if (NativePRNG.Blocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGBlocking",
-- "sun.security.provider.NativePRNG$Blocking", attrs);
-- }
-- if (NativePRNG.NonBlocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGNonBlocking",
-- "sun.security.provider.NativePRNG$NonBlocking", attrs);
-- }
-- attrs.put("ImplementedIn", "Software");
-- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-- add(p, "SecureRandom", "SHA1PRNG",
-- "sun.security.provider.SecureRandom", attrs);
--
-- /*
-- * Signature engines
-- */
-- attrs.clear();
-- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-- "|java.security.interfaces.DSAPrivateKey";
-- attrs.put("SupportedKeyClasses", dsaKeyClasses);
-- attrs.put("ImplementedIn", "Software");
--
-- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
--
-- addWithAlias(p, "Signature", "SHA1withDSA",
-- "sun.security.provider.DSA$SHA1withDSA", attrs);
-- addWithAlias(p, "Signature", "NONEwithDSA",
-- "sun.security.provider.DSA$RawDSA", attrs);
--
-- // for DSA signatures with 224/256-bit digests
-- attrs.put("KeySize", "2048");
--
-- addWithAlias(p, "Signature", "SHA224withDSA",
-- "sun.security.provider.DSA$SHA224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA256withDSA",
-- "sun.security.provider.DSA$SHA256withDSA", attrs);
--
-- addWithAlias(p, "Signature", "SHA3-224withDSA",
-- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-256withDSA",
-- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
--
-- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
--
-- addWithAlias(p, "Signature", "SHA384withDSA",
-- "sun.security.provider.DSA$SHA384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA512withDSA",
-- "sun.security.provider.DSA$SHA512withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-384withDSA",
-- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-512withDSA",
-- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
--
-- attrs.remove("KeySize");
-+ if (!systemFipsEnabled) {
-+ /*
-+ * SecureRandom engines
-+ */
-+ attrs.put("ThreadSafe", "true");
-+ if (NativePRNG.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNG",
-+ "sun.security.provider.NativePRNG", attrs);
-+ }
-+ if (NativePRNG.Blocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGBlocking",
-+ "sun.security.provider.NativePRNG$Blocking", attrs);
-+ }
-+ if (NativePRNG.NonBlocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGNonBlocking",
-+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
-+ }
-+ attrs.put("ImplementedIn", "Software");
-+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-+ add(p, "SecureRandom", "SHA1PRNG",
-+ "sun.security.provider.SecureRandom", attrs);
- 
-- add(p, "Signature", "SHA1withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-- add(p, "Signature", "NONEwithDSAinP1363Format",
-- "sun.security.provider.DSA$RawDSAinP1363Format");
-- add(p, "Signature", "SHA224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-- add(p, "Signature", "SHA256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-- add(p, "Signature", "SHA384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-- add(p, "Signature", "SHA512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-- add(p, "Signature", "SHA3-224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-- add(p, "Signature", "SHA3-256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-- add(p, "Signature", "SHA3-384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-- add(p, "Signature", "SHA3-512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-- /*
-- * Key Pair Generator engines
-- */
-- attrs.clear();
-- attrs.put("ImplementedIn", "Software");
-- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-+ /*
-+ * Signature engines
-+ */
-+ attrs.clear();
-+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-+ "|java.security.interfaces.DSAPrivateKey";
-+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
-+ attrs.put("ImplementedIn", "Software");
-+
-+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-+
-+ addWithAlias(p, "Signature", "SHA1withDSA",
-+ "sun.security.provider.DSA$SHA1withDSA", attrs);
-+ addWithAlias(p, "Signature", "NONEwithDSA",
-+ "sun.security.provider.DSA$RawDSA", attrs);
-+
-+ // for DSA signatures with 224/256-bit digests
-+ attrs.put("KeySize", "2048");
-+
-+ addWithAlias(p, "Signature", "SHA224withDSA",
-+ "sun.security.provider.DSA$SHA224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA256withDSA",
-+ "sun.security.provider.DSA$SHA256withDSA", attrs);
-+
-+ addWithAlias(p, "Signature", "SHA3-224withDSA",
-+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-256withDSA",
-+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-+
-+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-+
-+ addWithAlias(p, "Signature", "SHA384withDSA",
-+ "sun.security.provider.DSA$SHA384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA512withDSA",
-+ "sun.security.provider.DSA$SHA512withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-384withDSA",
-+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-512withDSA",
-+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+
-+ attrs.remove("KeySize");
-+
-+ add(p, "Signature", "SHA1withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-+ add(p, "Signature", "NONEwithDSAinP1363Format",
-+ "sun.security.provider.DSA$RawDSAinP1363Format");
-+ add(p, "Signature", "SHA224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-+ add(p, "Signature", "SHA256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-+ add(p, "Signature", "SHA384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-+ add(p, "Signature", "SHA512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-+ /*
-+ * Key Pair Generator engines
-+ */
-+ attrs.clear();
-+ attrs.put("ImplementedIn", "Software");
-+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- 
-- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ }
- 
- /*
- * Algorithm Parameter Generator engines
-@@ -201,40 +208,42 @@ public final class SunEntries {
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
- 
-- /*
-- * Key factories
-- */
-- addWithAlias(p, "KeyFactory", "DSA",
-- "sun.security.provider.DSAKeyFactory", attrs);
--
-- /*
-- * Digest engines
-- */
-- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ addWithAlias(p, "KeyFactory", "DSA",
-+ "sun.security.provider.DSAKeyFactory", attrs);
- 
-- addWithAlias(p, "MessageDigest", "SHA-224",
-- "sun.security.provider.SHA2$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-256",
-- "sun.security.provider.SHA2$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-384",
-- "sun.security.provider.SHA5$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512",
-- "sun.security.provider.SHA5$SHA512", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/224",
-- "sun.security.provider.SHA5$SHA512_224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/256",
-- "sun.security.provider.SHA5$SHA512_256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-224",
-- "sun.security.provider.SHA3$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-256",
-- "sun.security.provider.SHA3$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-384",
-- "sun.security.provider.SHA3$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-512",
-- "sun.security.provider.SHA3$SHA512", attrs);
-+ /*
-+ * Digest engines
-+ */
-+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-+ attrs);
-+
-+ addWithAlias(p, "MessageDigest", "SHA-224",
-+ "sun.security.provider.SHA2$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-256",
-+ "sun.security.provider.SHA2$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-384",
-+ "sun.security.provider.SHA5$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512",
-+ "sun.security.provider.SHA5$SHA512", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/224",
-+ "sun.security.provider.SHA5$SHA512_224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/256",
-+ "sun.security.provider.SHA5$SHA512_256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-224",
-+ "sun.security.provider.SHA3$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-256",
-+ "sun.security.provider.SHA3$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-384",
-+ "sun.security.provider.SHA3$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-512",
-+ "sun.security.provider.SHA3$SHA512", attrs);
-+ }
- 
- /*
- * Certificates
-diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index ca79f25cc44..225517ac69b 100644
---- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-@@ -27,6 +27,7 @@ package sun.security.rsa;
- 
- import java.util.*;
- import java.security.Provider;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityProviderConstants.getAliases;
- 
- /**
-@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- */
- public final class SunRsaSignEntries {
- 
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private void add(Provider p, String type, String algo, String cn,
- List aliases, HashMap attrs) {
- services.add(new Provider.Service(p, type, algo, cn,
-@@ -56,49 +61,58 @@ public final class SunRsaSignEntries {
- // start populating content using the specified provider
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ }
- 
- add(p, "KeyFactory", "RSA",
- "sun.security.rsa.RSAKeyFactory$Legacy",
- getAliases("PKCS1"), null);
-- add(p, "KeyPairGenerator", "RSA",
-- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-- getAliases("PKCS1"), null);
-- addA(p, "Signature", "MD2withRSA",
-- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-- addA(p, "Signature", "MD5withRSA",
-- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-- addA(p, "Signature", "SHA1withRSA",
-- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-- addA(p, "Signature", "SHA224withRSA",
-- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-- addA(p, "Signature", "SHA256withRSA",
-- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-- addA(p, "Signature", "SHA384withRSA",
-- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-- addA(p, "Signature", "SHA512withRSA",
-- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-- addA(p, "Signature", "SHA512/224withRSA",
-- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-- addA(p, "Signature", "SHA512/256withRSA",
-- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-224withRSA",
-- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-- addA(p, "Signature", "SHA3-256withRSA",
-- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-384withRSA",
-- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-- addA(p, "Signature", "SHA3-512withRSA",
-- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ add(p, "KeyPairGenerator", "RSA",
-+ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ }
- 
- addA(p, "KeyFactory", "RSASSA-PSS",
- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-+ addA(p, "Signature", "RSASSA-PSS",
-+ "sun.security.rsa.RSAPSSSignature", attrs);
-+ }
-+
- addA(p, "AlgorithmParameters", "RSASSA-PSS",
- "sun.security.rsa.PSSParameters", null);
- }
-diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
-new file mode 100644
-index 00000000000..dc8bc72fccb
---- /dev/null
-+++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java
-@@ -0,0 +1,297 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.util;
-+
-+import java.security.AlgorithmParameters;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.InvalidKeyException;
-+import java.security.Key;
-+import java.security.NoSuchAlgorithmException;
-+import java.security.Provider;
-+import java.security.SecureRandom;
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidParameterSpecException;
-+import java.util.Arrays;
-+import javax.crypto.Cipher;
-+import javax.crypto.SecretKey;
-+import javax.crypto.spec.IvParameterSpec;
-+import javax.crypto.spec.PBEKeySpec;
-+import javax.crypto.spec.PBEParameterSpec;
-+
-+public final class PBEUtil {
-+
-+ // Used by SunJCE and SunPKCS11
-+ public final static class PBES2Helper {
-+ private int iCount;
-+ private byte[] salt;
-+ private IvParameterSpec ivSpec;
-+ private final int defaultSaltLength;
-+ private final int defaultCount;
-+
-+ public PBES2Helper(int defaultSaltLength, int defaultCount) {
-+ this.defaultSaltLength = defaultSaltLength;
-+ this.defaultCount = defaultCount;
-+ }
-+
-+ public IvParameterSpec getIvSpec() {
-+ return ivSpec;
-+ }
-+
-+ public AlgorithmParameters getAlgorithmParameters(
-+ int blkSize, String pbeAlgo, Provider p, SecureRandom random) {
-+ AlgorithmParameters params = null;
-+ if (salt == null) {
-+ // generate random salt and use default iteration count
-+ salt = new byte[defaultSaltLength];
-+ random.nextBytes(salt);
-+ iCount = defaultCount;
-+ }
-+ if (ivSpec == null) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ }
-+ PBEParameterSpec pbeSpec = new PBEParameterSpec(
-+ salt, iCount, ivSpec);
-+ try {
-+ params = (p == null) ?
-+ AlgorithmParameters.getInstance(pbeAlgo) :
-+ AlgorithmParameters.getInstance(pbeAlgo, p);
-+ params.init(pbeSpec);
-+ } catch (NoSuchAlgorithmException nsae) {
-+ // should never happen
-+ throw new RuntimeException("AlgorithmParameters for "
-+ + pbeAlgo + " not configured");
-+ } catch (InvalidParameterSpecException ipse) {
-+ // should never happen
-+ throw new RuntimeException("PBEParameterSpec not supported");
-+ }
-+ return params;
-+ }
-+
-+ public PBEKeySpec getPBEKeySpec(
-+ int blkSize, int keyLength, int opmode, Key key,
-+ AlgorithmParameterSpec params, SecureRandom random)
-+ throws InvalidKeyException, InvalidAlgorithmParameterException {
-+
-+ if (key == null) {
-+ throw new InvalidKeyException("Null key");
-+ }
-+
-+ byte[] passwdBytes = key.getEncoded();
-+ char[] passwdChars = null;
-+ PBEKeySpec pbeSpec;
-+ try {
-+ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches(
-+ true, 0, "PBE", 0, 3))) {
-+ throw new InvalidKeyException("Missing password");
-+ }
-+
-+ // TBD: consolidate the salt, ic and IV parameter checks below
-+
-+ // Extract salt and iteration count from the key, if present
-+ if (key instanceof javax.crypto.interfaces.PBEKey) {
-+ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt();
-+ if (salt != null && salt.length < 8) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Salt must be at least 8 bytes long");
-+ }
-+ iCount = ((javax.crypto.interfaces.PBEKey)key)
-+ .getIterationCount();
-+ if (iCount == 0) {
-+ iCount = defaultCount;
-+ } else if (iCount < 0) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Iteration count must be a positive number");
-+ }
-+ }
-+
-+ // Extract salt, iteration count and IV from the params,
-+ // if present
-+ if (params == null) {
-+ if (salt == null) {
-+ // generate random salt and use default iteration count
-+ salt = new byte[defaultSaltLength];
-+ random.nextBytes(salt);
-+ iCount = defaultCount;
-+ }
-+ if ((opmode == Cipher.ENCRYPT_MODE) ||
-+ (opmode == Cipher.WRAP_MODE)) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ }
-+ } else {
-+ if (!(params instanceof PBEParameterSpec)) {
-+ throw new InvalidAlgorithmParameterException
-+ ("Wrong parameter type: PBE expected");
-+ }
-+ // salt and iteration count from the params take precedence
-+ byte[] specSalt = ((PBEParameterSpec) params).getSalt();
-+ if (specSalt != null && specSalt.length < 8) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Salt must be at least 8 bytes long");
-+ }
-+ salt = specSalt;
-+ int specICount = ((PBEParameterSpec) params)
-+ .getIterationCount();
-+ if (specICount == 0) {
-+ specICount = defaultCount;
-+ } else if (specICount < 0) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Iteration count must be a positive number");
-+ }
-+ iCount = specICount;
-+
-+ AlgorithmParameterSpec specParams =
-+ ((PBEParameterSpec) params).getParameterSpec();
-+ if (specParams != null) {
-+ if (specParams instanceof IvParameterSpec) {
-+ ivSpec = (IvParameterSpec)specParams;
-+ } else {
-+ throw new InvalidAlgorithmParameterException(
-+ "Wrong parameter type: IV expected");
-+ }
-+ } else if ((opmode == Cipher.ENCRYPT_MODE) ||
-+ (opmode == Cipher.WRAP_MODE)) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ } else {
-+ throw new InvalidAlgorithmParameterException(
-+ "Missing parameter type: IV expected");
-+ }
-+ }
-+
-+ passwdChars = new char[passwdBytes.length];
-+ for (int i = 0; i < passwdChars.length; i++)
-+ passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
-+
-+ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength);
-+ // password char[] was cloned in PBEKeySpec constructor,
-+ // so we can zero it out here
-+ } finally {
-+ if (passwdChars != null) Arrays.fill(passwdChars, '\0');
-+ if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00);
-+ }
-+ return pbeSpec;
-+ }
-+
-+ public static AlgorithmParameterSpec getParameterSpec(
-+ AlgorithmParameters params)
-+ throws InvalidAlgorithmParameterException {
-+ AlgorithmParameterSpec pbeSpec = null;
-+ if (params != null) {
-+ try {
-+ pbeSpec = params.getParameterSpec(PBEParameterSpec.class);
-+ } catch (InvalidParameterSpecException ipse) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Wrong parameter type: PBE expected");
-+ }
-+ }
-+ return pbeSpec;
-+ }
-+ }
-+
-+ // Used by SunJCE and SunPKCS11
-+ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params)
-+ throws InvalidKeyException, InvalidAlgorithmParameterException {
-+ char[] passwdChars;
-+ byte[] salt = null;
-+ int iCount = 0;
-+ if (key instanceof javax.crypto.interfaces.PBEKey) {
-+ javax.crypto.interfaces.PBEKey pbeKey =
-+ (javax.crypto.interfaces.PBEKey) key;
-+ passwdChars = pbeKey.getPassword();
-+ salt = pbeKey.getSalt(); // maybe null if unspecified
-+ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified
-+ } else if (key instanceof SecretKey) {
-+ byte[] passwdBytes;
-+ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) ||
-+ (passwdBytes = key.getEncoded()) == null) {
-+ throw new InvalidKeyException("Missing password");
-+ }
-+ passwdChars = new char[passwdBytes.length];
-+ for (int i=0; i
-+# Value: clear text PIN value.
-+# 2) env:
-+# Value: environment variable containing the PIN value.
-+# 3) file:
-+# Value: path to a file containing the PIN value in its first
-+# line.
-+#
-+# If the system property fips.nssdb.pin is also specified, it supersedes
-+# the security property value defined here.
-+#
-+# When used as a system property, UTF-8 encoded values are valid. When
-+# used as a security property (such as in this file), encode non-Basic
-+# Latin Unicode characters with \uXXXX.
-+#
-+fips.nssdb.pin=pin:
-+
- #
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
-@@ -326,6 +377,13 @@ package.definition=sun.misc.,\
- #
- security.overridePropertiesFile=true
- 
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
-new file mode 100644
-index 00000000000..55bbba98b7a
---- /dev/null
-+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
-@@ -0,0 +1,8 @@
-+name = NSS-FIPS
-+nssLibraryDirectory = @NSS_LIBDIR@
-+nssSecmodDirectory = ${fips.nssdb.path}
-+nssDbMode = readWrite
-+nssModule = fips
-+
-+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-+
-diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index b22f26947af..02bea84e210 100644
---- a/src/java.base/share/lib/security/default.policy
-+++ b/src/java.base/share/lib/security/default.policy
-@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
- grant codeBase "jrt:/jdk.crypto.ec" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "loadLibrary.sunec";
- permission java.security.SecurityPermission "putProviderProperty.SunEC";
- permission java.security.SecurityPermission "clearProviderProperties.SunEC";
-@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
- grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.com.sun.crypto.provider";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
-+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
-+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
- permission java.security.SecurityPermission "putProviderProperty.*";
- permission java.security.SecurityPermission "clearProviderProperties.*";
- permission java.security.SecurityPermission "removeProviderProperty.*";
-diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..ddf9befe5bc
---- /dev/null
-+++ b/src/java.base/share/native/libsystemconf/systemconf.c
-@@ -0,0 +1,236 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include "jvm_md.h"
-+#include
-+
-+#ifdef LINUX
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#else
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+ }
-+}
-+
-+#else // !LINUX
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ return JNI_FALSE;
-+}
-+
-+#endif
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..d3f0bffb821
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,457 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.security.interfaces.RSAPrivateCrtKey;
-+import java.security.interfaces.RSAPrivateKey;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.SecretKeyFactory;
-+import javax.crypto.spec.SecretKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAPrivateCrtKeyImpl;
-+import sun.security.rsa.RSAUtil;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static volatile P11Key importerKey = null;
-+ private static SecretKeySpec exporterKey = null;
-+ private static volatile P11Key exporterKeyP11 = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ // Do not take the exporterKeyLock with the importerKeyLock held.
-+ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
-+ private static volatile CK_MECHANISM importerKeyMechanism = null;
-+ private static volatile CK_MECHANISM exporterKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+ private static Cipher exporterCipher = null;
-+
-+ private static volatile Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key importer");
-+ }
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ importerKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
-+ long keyClass, long keyType, Map sensitiveAttrs)
-+ throws PKCS11Exception {
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be exported in" +
-+ " system FIPS mode.");
-+ }
-+ if (exporterKeyP11 == null) {
-+ try {
-+ exporterKeyLock.lock();
-+ if (exporterKeyP11 == null) {
-+ if (exporterKeyMechanism == null) {
-+ // Exporter Key creation has not been tried yet. Try it.
-+ createExporterKey(token);
-+ }
-+ if (exporterKeyP11 == null || exporterCipher == null) {
-+ if (debug != null) {
-+ debug.println("Exporter Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ if (debug != null) {
-+ debug.println("Exporter Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ }
-+ long exporterKeyID = exporterKeyP11.getKeyID();
-+ try {
-+ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
-+ exporterKeyMechanism, exporterKeyID, hObject);
-+ byte[] plainExportedKey = null;
-+ exporterKeyLock.lock();
-+ try {
-+ // No need to reset the cipher object because no multi-part
-+ // operations are performed.
-+ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
-+ } finally {
-+ exporterKeyLock.unlock();
-+ }
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " fips key exporter");
-+ }
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ } finally {
-+ exporterKeyP11.releaseKeyID();
-+ }
-+ }
-+
-+ private static void exportPrivateKey(
-+ Map sensitiveAttrs, long keyType,
-+ byte[] plainExportedKey) throws Throwable {
-+ if (keyType == CKK_RSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
-+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
-+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
-+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
-+ CK_ATTRIBUTE attr;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
-+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
-+ }
-+ if (rsaPKey instanceof RSAPrivateCrtKey) {
-+ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
-+ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
-+ }
-+ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
-+ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
-+ }
-+ } else {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
-+ CKA_PRIVATE_EXPONENT);
-+ }
-+ } else if (keyType == CKK_DSA) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ new sun.security.provider.DSAPrivateKey(plainExportedKey)
-+ .getX().toByteArray();
-+ } else if (keyType == CKK_EC) {
-+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
-+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
-+ // size is greater than 0 and no invalid attributes exist
-+ sensitiveAttrs.get(CKA_VALUE).pValue =
-+ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
-+ .getS().toByteArray();
-+ } else {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
-+ }
-+ }
-+
-+ private static void checkAttrs(Map sensitiveAttrs,
-+ String keyName, long... validAttrs)
-+ throws PKCS11Exception {
-+ int sensitiveAttrsCount = sensitiveAttrs.size();
-+ if (sensitiveAttrsCount <= validAttrs.length) {
-+ int validAttrsCount = 0;
-+ for (long validAttr : validAttrs) {
-+ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
-+ }
-+ if (validAttrsCount == sensitiveAttrsCount) return;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ " invalid attribute types for a " + keyName + " key object");
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec(
-+ (byte[])importerKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Importer Key");
-+ }
-+ }
-+ }
-+
-+ private static void createExporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Exporter Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ byte[] exporterKeyRaw = new byte[32];
-+ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
-+ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
-+ try {
-+ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
-+ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
-+ if (exporterKeyP11 != null) {
-+ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
-+ new IvParameterSpec(
-+ (byte[])exporterKeyMechanism.pParameter), null);
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ exporterKey = null;
-+ exporterKeyP11 = null;
-+ exporterCipher = null;
-+ // exporterKeyMechanism value is kept initialized to indicate that
-+ // Exporter Key creation has been tried and failed.
-+ if (debug != null) {
-+ debug.println("Error generating the Exporter Key");
-+ }
-+ }
-+ }
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
-new file mode 100644
-index 00000000000..f8d505ca815
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
-@@ -0,0 +1,149 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.io.BufferedReader;
-+import java.io.ByteArrayInputStream;
-+import java.io.InputStream;
-+import java.io.InputStreamReader;
-+import java.io.IOException;
-+import java.nio.charset.StandardCharsets;
-+import java.nio.file.Files;
-+import java.nio.file.Path;
-+import java.nio.file.Paths;
-+import java.nio.file.StandardOpenOption;
-+import java.security.ProviderException;
-+
-+import javax.security.auth.callback.Callback;
-+import javax.security.auth.callback.CallbackHandler;
-+import javax.security.auth.callback.PasswordCallback;
-+import javax.security.auth.callback.UnsupportedCallbackException;
-+
-+import sun.security.util.Debug;
-+import sun.security.util.SecurityProperties;
-+
-+final class FIPSTokenLoginHandler implements CallbackHandler {
-+
-+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
-+
-+ private static final Debug debug = Debug.getInstance("sunpkcs11");
-+
-+ public void handle(Callback[] callbacks)
-+ throws IOException, UnsupportedCallbackException {
-+ if (!(callbacks[0] instanceof PasswordCallback)) {
-+ throw new UnsupportedCallbackException(callbacks[0]);
-+ }
-+ PasswordCallback pc = (PasswordCallback)callbacks[0];
-+ pc.setPassword(getFipsNssdbPin());
-+ }
-+
-+ private static char[] getFipsNssdbPin() throws ProviderException {
-+ if (debug != null) {
-+ debug.println("FIPS: Reading NSS DB PIN for token...");
-+ }
-+ String pinProp = SecurityProperties
-+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
-+ if (pinProp != null && !pinProp.isEmpty()) {
-+ String[] pinPropParts = pinProp.split(":", 2);
-+ if (pinPropParts.length < 2) {
-+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
-+ " property value.");
-+ }
-+ String prefix = pinPropParts[0].toLowerCase();
-+ String value = pinPropParts[1];
-+ String pin = null;
-+ if (prefix.equals("env")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the '" + value +
-+ "' environment variable.");
-+ }
-+ pin = System.getenv(value);
-+ } else if (prefix.equals("file")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the '" + value +
-+ "' file.");
-+ }
-+ pin = getPinFromFile(Paths.get(value));
-+ } else if (prefix.equals("pin")) {
-+ if (debug != null) {
-+ debug.println("FIPS: PIN value from the " +
-+ FIPS_NSSDB_PIN_PROP + " property.");
-+ }
-+ pin = value;
-+ } else {
-+ throw new ProviderException("Unsupported prefix for " +
-+ FIPS_NSSDB_PIN_PROP + ".");
-+ }
-+ if (pin != null && !pin.isEmpty()) {
-+ if (debug != null) {
-+ debug.println("FIPS: non-empty PIN.");
-+ }
-+ /*
-+ * C_Login in libj2pkcs11 receives the PIN in a char[] and
-+ * discards the upper byte of each char, before passing
-+ * the value to the NSS Software Token. However, the
-+ * NSS Software Token accepts any UTF-8 PIN value. Thus,
-+ * expand the PIN here to account for later truncation.
-+ */
-+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
-+ char[] pinChar = new char[pinUtf8.length];
-+ for (int i = 0; i < pinChar.length; i++) {
-+ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
-+ }
-+ return pinChar;
-+ }
-+ }
-+ if (debug != null) {
-+ debug.println("FIPS: empty PIN.");
-+ }
-+ return null;
-+ }
-+
-+ /*
-+ * This method extracts the token PIN from the first line of a password
-+ * file in the same way as NSS modutil. See for example the -newpwfile
-+ * argument used to change the password for an NSS DB.
-+ */
-+ private static String getPinFromFile(Path f) throws ProviderException {
-+ try (InputStream is =
-+ Files.newInputStream(f, StandardOpenOption.READ)) {
-+ /*
-+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
-+ * reads up to 4096 bytes. In addition, the NSS Software Token
-+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
-+ * in nss/lib/softoken/pkcs11i.h).
-+ */
-+ BufferedReader in =
-+ new BufferedReader(new InputStreamReader(
-+ new ByteArrayInputStream(is.readNBytes(4096)),
-+ StandardCharsets.UTF_8));
-+ return in.readLine();
-+ } catch (IOException ioe) {
-+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
-+ " from the '" + f + "' file.", ioe);
-+ }
-+ }
-+}
-\ No newline at end of file
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 9b69072280e..5696b904979 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-@@ -37,6 +37,8 @@ import javax.crypto.*;
- import javax.crypto.interfaces.*;
- import javax.crypto.spec.*;
-
-+import jdk.internal.access.SharedSecrets;
-+
- import sun.security.rsa.RSAUtil.KeyType;
- import sun.security.rsa.RSAPublicKeyImpl;
- import sun.security.rsa.RSAPrivateCrtKeyImpl;
-@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil;
- */
- abstract class P11Key implements Key, Length {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- private static final long serialVersionUID = -2575874101938349339L;
-
- private static final String PUBLIC = "public";
-@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length {
- this.tokenObject = tokenObject;
- this.sensitive = sensitive;
- this.extractable = extractable;
-- char[] tokenLabel = this.token.tokenInfo.label;
-- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
-- && tokenLabel[2] == 'S');
-+ boolean isNSS = P11Util.isNSS(this.token);
- boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
- extractable && !tokenObject);
- this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
-@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length {
- new CK_ATTRIBUTE(CKA_SENSITIVE),
- new CK_ATTRIBUTE(CKA_EXTRACTABLE),
- });
-- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
-+ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
-+ if (!exportable && (attributes[1].getBoolean() ||
-+ (attributes[2].getBoolean() == false))) {
- return new P11PrivateKey
- (session, keyID, algorithm, keyLength, attributes);
- } else {
-@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length {
- }
- public String getFormat() {
- token.ensureValid();
-- if (sensitive || (extractable == false)) {
-+ if (!plainKeySupportEnabled &&
-+ (sensitive || (extractable == false))) {
- return null;
- } else {
- return "RAW";
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
-index ba0b7faf3f8..4840a116b34 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
-@@ -29,14 +29,17 @@ import java.nio.ByteBuffer;
-
- import java.security.*;
- import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidKeySpecException;
-
- import javax.crypto.MacSpi;
-+import javax.crypto.spec.PBEKeySpec;
-
- import sun.nio.ch.DirectBuffer;
-
- import sun.security.pkcs11.wrapper.*;
- import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.util.PBEUtil;
-
- /**
- * MAC implementation class. This class currently supports HMAC using
-@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi {
- // see JCE spec
- protected void engineInit(Key key, AlgorithmParameterSpec params)
- throws InvalidKeyException, InvalidAlgorithmParameterException {
-- if (params != null) {
-- throw new InvalidAlgorithmParameterException
-- ("Parameters not supported");
-+ if (algorithm.startsWith("HmacPBE")) {
-+ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params);
-+ reset(true);
-+ try {
-+ p11Key = P11SecretKeyFactory.derivePBEKey(
-+ token, pbeSpec, algorithm);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ } else {
-+ if (params != null) {
-+ throw new InvalidAlgorithmParameterException
-+ ("Parameters not supported");
-+ }
-+ reset(true);
-+ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
- }
-- reset(true);
-- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
- try {
- initialize();
- } catch (PKCS11Exception e) {
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
-new file mode 100644
-index 00000000000..ae4262703e6
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
-@@ -0,0 +1,200 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.security.AlgorithmParameters;
-+import java.security.Key;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.InvalidKeyException;
-+import java.security.NoSuchAlgorithmException;
-+import java.security.SecureRandom;
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidKeySpecException;
-+import javax.crypto.BadPaddingException;
-+import javax.crypto.CipherSpi;
-+import javax.crypto.IllegalBlockSizeException;
-+import javax.crypto.NoSuchPaddingException;
-+import javax.crypto.ShortBufferException;
-+import javax.crypto.spec.PBEKeySpec;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.util.PBEUtil;
-+
-+final class P11PBECipher extends CipherSpi {
-+
-+ private static final int DEFAULT_SALT_LENGTH = 20;
-+ private static final int DEFAULT_COUNT = 4096;
-+
-+ private final Token token;
-+ private final String pbeAlg;
-+ private final P11Cipher cipher;
-+ private final int blkSize;
-+ private final int keyLen;
-+ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper(
-+ DEFAULT_SALT_LENGTH, DEFAULT_COUNT);
-+
-+ P11PBECipher(Token token, String pbeAlg, long cipherMech)
-+ throws PKCS11Exception, NoSuchAlgorithmException {
-+ super();
-+ String cipherTrans;
-+ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) {
-+ cipherTrans = "AES/CBC/PKCS5Padding";
-+ } else {
-+ throw new NoSuchAlgorithmException(
-+ "Cipher transformation not supported.");
-+ }
-+ cipher = new P11Cipher(token, cipherTrans, cipherMech);
-+ blkSize = cipher.engineGetBlockSize();
-+ assert P11Util.kdfDataMap.get(pbeAlg) != null;
-+ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen;
-+ this.pbeAlg = pbeAlg;
-+ this.token = token;
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetMode(String mode)
-+ throws NoSuchAlgorithmException {
-+ cipher.engineSetMode(mode);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetPadding(String padding)
-+ throws NoSuchPaddingException {
-+ cipher.engineSetPadding(padding);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetBlockSize() {
-+ return cipher.engineGetBlockSize();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetOutputSize(int inputLen) {
-+ return cipher.engineGetOutputSize(inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineGetIV() {
-+ return cipher.engineGetIV();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected AlgorithmParameters engineGetParameters() {
-+ return pbes2Helper.getAlgorithmParameters(
-+ blkSize, pbeAlg, null, JCAUtil.getSecureRandom());
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ SecureRandom random) throws InvalidKeyException {
-+ try {
-+ engineInit(opmode, key, (AlgorithmParameterSpec) null, random);
-+ } catch (InvalidAlgorithmParameterException e) {
-+ throw new InvalidKeyException("requires PBE parameters", e);
-+ }
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameterSpec params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+
-+ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen,
-+ opmode, key, params, random);
-+
-+ Key derivedKey;
-+ try {
-+ derivedKey = P11SecretKeyFactory.derivePBEKey(
-+ token, pbeSpec, pbeAlg);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameters params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params),
-+ random);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineUpdate(byte[] input, int inputOffset,
-+ int inputLen) {
-+ return cipher.engineUpdate(input, inputOffset, inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineUpdate(byte[] input, int inputOffset,
-+ int inputLen, byte[] output, int outputOffset)
-+ throws ShortBufferException {
-+ return cipher.engineUpdate(input, inputOffset, inputLen,
-+ output, outputOffset);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineDoFinal(byte[] input, int inputOffset,
-+ int inputLen)
-+ throws IllegalBlockSizeException, BadPaddingException {
-+ return cipher.engineDoFinal(input, inputOffset, inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineDoFinal(byte[] input, int inputOffset,
-+ int inputLen, byte[] output, int outputOffset)
-+ throws ShortBufferException, IllegalBlockSizeException,
-+ BadPaddingException {
-+ return cipher.engineDoFinal(input, inputOffset, inputLen, output,
-+ outputOffset);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetKeySize(Key key)
-+ throws InvalidKeyException {
-+ return cipher.engineGetKeySize(key);
-+ }
-+
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-index 8d1b8ccb0ae..950ed20cf62 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-@@ -31,6 +31,7 @@ import java.security.*;
- import java.security.spec.*;
-
- import javax.crypto.*;
-+import javax.crypto.interfaces.PBEKey;
- import javax.crypto.spec.*;
-
- import static sun.security.pkcs11.TemplateManager.*;
-@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- return p11Key;
- }
-
-+ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo)
-+ throws InvalidKeySpecException {
-+ token.ensureValid();
-+ if (keySpec == null) {
-+ throw new InvalidKeySpecException("PBEKeySpec must not be null");
-+ }
-+ Session session = null;
-+ try {
-+ session = token.getObjSession();
-+ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo);
-+ CK_MECHANISM ckMech;
-+ char[] password = keySpec.getPassword();
-+ byte[] salt = keySpec.getSalt();
-+ int itCount = keySpec.getIterationCount();
-+ int keySize = keySpec.getKeyLength();
-+ if (kdfData.keyLen != -1) {
-+ if (keySize == 0) {
-+ keySize = kdfData.keyLen;
-+ } else if (keySize != kdfData.keyLen) {
-+ throw new InvalidKeySpecException(
-+ "Key length is invalid for " + algo);
-+ }
-+ }
-+
-+ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) {
-+ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion;
-+ if (P11Util.isNSS(token) || p11Ver.major < 2 ||
-+ p11Ver.major == 2 && p11Ver.minor < 40) {
-+ // NSS keeps using the old structure beyond PKCS #11 v2.40
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PKCS5_PBKD2_PARAMS(password, salt,
-+ itCount, kdfData.prfMech));
-+ } else {
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PKCS5_PBKD2_PARAMS2(password, salt,
-+ itCount, kdfData.prfMech));
-+ }
-+ } else {
-+ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2)
-+ if (P11Util.isNSS(token)) {
-+ // According to PKCS #11, "password" in CK_PBE_PARAMS has
-+ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded
-+ // in UTF-8. However, NSS expects the password to be encoded
-+ // as BMPString with a NULL terminator when C_GenerateKey
-+ // is called for a PKCS #12 "General Method" derivation
-+ // (see RFC 7292, Appendix B.1).
-+ //
-+ // The char size in Java is 2 bytes. When a char is
-+ // converted to a CK_UTF8CHAR, the high-order byte is
-+ // discarded (see jCharArrayToCKUTF8CharArray in
-+ // p11_util.c). In order to have a BMPString passed to
-+ // C_GenerateKey, we need to account for that and expand:
-+ // the high and low parts of each char are split into 2
-+ // chars. As an example, this is the transformation for
-+ // a NULL terminated password "a":
-+ // char[] => [ 0x0061, 0x0000 ]
-+ // / \ / \
-+ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000]
-+ // | | | |
-+ // BMPString => [ 0x00, 0x61, 0x00, 0x00]
-+ //
-+ int inputLength = (password == null) ? 0 : password.length;
-+ char[] expPassword = new char[inputLength * 2 + 2];
-+ for (int i = 0, j = 0; i < inputLength; i++, j += 2) {
-+ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF);
-+ expPassword[j + 1] = (char) (password[i] & 0xFF);
-+ }
-+ password = expPassword;
-+ }
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PBE_PARAMS(password, salt, itCount));
-+ }
-+
-+ long keyType = getKeyType(kdfData.keyAlgo);
-+ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[
-+ switch (kdfData.op) {
-+ case ENCRYPTION, AUTHENTICATION -> 4;
-+ case GENERIC -> 5;
-+ }];
-+ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY);
-+ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3);
-+ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType);
-+ switch (kdfData.op) {
-+ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
-+ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE;
-+ case GENERIC -> {
-+ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
-+ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE;
-+ }
-+ }
-+ CK_ATTRIBUTE[] attr = token.getAttributes(
-+ O_GENERATE, CKO_SECRET_KEY, keyType, attrs);
-+ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr);
-+ return (P11Key)P11Key.secretKey(
-+ session, keyID, kdfData.keyAlgo, keySize, attr);
-+ } catch (PKCS11Exception e) {
-+ throw new InvalidKeySpecException("Could not create key", e);
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
-+
-+ static P11Key derivePBEKey(Token token, PBEKey key, String algo)
-+ throws InvalidKeyException {
-+ token.ensureValid();
-+ if (key == null) {
-+ throw new InvalidKeyException("PBEKey must not be null");
-+ }
-+ P11Key p11Key = token.secretCache.get(key);
-+ if (p11Key != null) {
-+ return p11Key;
-+ }
-+ try {
-+ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(),
-+ key.getSalt(), key.getIterationCount()), algo);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ token.secretCache.put(key, p11Key);
-+ return p11Key;
-+ }
-+
- static void fixDESParity(byte[] key, int offset) {
- for (int i = 0; i < 8; i++) {
- int b = key[offset] & 0xfe;
-@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- keySpec = new SecretKeySpec(keyBytes, "DESede");
- return engineGenerateSecret(keySpec);
- }
-+ } else if (keySpec instanceof PBEKeySpec) {
-+ return (SecretKey)derivePBEKey(token,
-+ (PBEKeySpec)keySpec, algorithm);
- }
- throw new InvalidKeySpecException
- ("Unsupported spec: " + keySpec.getClass().getName());
-@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- // see JCE spec
- protected SecretKey engineTranslateKey(SecretKey key)
- throws InvalidKeyException {
-+ if (key instanceof PBEKey) {
-+ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm);
-+ }
- return (SecretKey)convertKey(token, key, algorithm);
- }
-
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-index 262cfc062ad..72b64f72c0a 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-@@ -27,6 +27,10 @@ package sun.security.pkcs11;
-
- import java.math.BigInteger;
- import java.security.*;
-+import java.util.HashMap;
-+import java.util.Map;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-
- /**
- * Collection of static utility methods.
-@@ -40,10 +44,106 @@ public final class P11Util {
-
- private static volatile Provider sun, sunRsaSign, sunJce;
-
-+ // Used by PBE
-+ static final class KDFData {
-+ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC}
-+ public long kdfMech;
-+ public long prfMech;
-+ public String keyAlgo;
-+ public int keyLen;
-+ public Operation op;
-+ KDFData(long kdfMech, long prfMech, String keyAlgo,
-+ int keyLen, Operation op) {
-+ this.kdfMech = kdfMech;
-+ this.prfMech = prfMech;
-+ this.keyAlgo = keyAlgo;
-+ this.keyLen = keyLen;
-+ this.op = op;
-+ }
-+
-+ public static void addPbkdf2Data(String algo, long kdfMech,
-+ long prfMech) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
-+ "Generic", -1, Operation.GENERIC));
-+ }
-+
-+ public static void addPbkdf2AesData(String algo, long kdfMech,
-+ long prfMech, int keyLen) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
-+ "AES", keyLen, Operation.ENCRYPTION));
-+ }
-+
-+ public static void addPkcs12KDData(String algo, long kdfMech,
-+ int keyLen) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, -1,
-+ "Generic", keyLen, Operation.AUTHENTICATION));
-+ }
-+ }
-+
-+ static final Map kdfDataMap = new HashMap<>();
-+
-+ static {
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256);
-+
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512);
-+
-+ KDFData.addPkcs12KDData("HmacPBESHA1",
-+ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160);
-+ KDFData.addPkcs12KDData("HmacPBESHA224",
-+ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224);
-+ KDFData.addPkcs12KDData("HmacPBESHA256",
-+ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256);
-+ KDFData.addPkcs12KDData("HmacPBESHA384",
-+ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384);
-+ KDFData.addPkcs12KDData("HmacPBESHA512",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ KDFData.addPkcs12KDData("HmacPBESHA512/224",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ KDFData.addPkcs12KDData("HmacPBESHA512/256",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ }
-+
- private P11Util() {
- // empty
- }
-
-+ static boolean isNSS(Token token) {
-+ char[] tokenLabel = token.tokenInfo.label;
-+ if (tokenLabel != null && tokenLabel.length >= 3) {
-+ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
-+ && tokenLabel[2] == 'S');
-+ }
-+ return false;
-+ }
-+
- static Provider getSunProvider() {
- Provider p = sun;
- if (p == null) {
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index aa35e8fa668..1855e5631bd 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
-
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.misc.InnocuousThread;
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-+import sun.security.util.SecurityProperties;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- import sun.security.pkcs11.Secmod.*;
-@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ private static final MethodHandle fipsExportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ MethodHandle fipsExportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "exportKey",
-+ MethodType.methodType(void.class, SunPKCS11.class,
-+ long.class, long.class,
-+ long.class, long.class, Map.class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer-exporter" +
-+ " initialization failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ fipsExportKey = fipsExportKeyTmp;
-+ }
-+
-+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
- return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
- @Override
- public SunPKCS11 run() throws Exception {
-+ if (systemFipsEnabled) {
-+ /*
-+ * The nssSecmodDirectory attribute in the SunPKCS11
-+ * NSS configuration file takes the value of the
-+ * fips.nssdb.path System property after expansion.
-+ * Security properties expansion is unsupported.
-+ */
-+ String nssdbPath =
-+ SecurityProperties.privilegedGetOverridable(
-+ FIPS_NSSDB_PATH_PROP);
-+ if (System.getSecurityManager() != null) {
-+ AccessController.doPrivileged(
-+ (PrivilegedAction) () -> {
-+ System.setProperty(
-+ FIPS_NSSDB_PATH_PROP,
-+ nssdbPath);
-+ return null;
-+ });
-+ } else {
-+ System.setProperty(
-+ FIPS_NSSDB_PATH_PROP, nssdbPath);
-+ }
-+ }
- return new SunPKCS11(new Config(newConfigName));
- }
- });
-@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ MethodHandle fipsKeyExporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ fipsKeyExporter = MethodHandles.insertArguments(
-+ fipsExportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- }
- p11 = tmpPKCS11;
-
-- CK_INFO p11Info = p11.C_GetInfo();
-+ CK_INFO p11Info = p11.getInfo();
- if (p11Info.cryptokiVersion.major < 2) {
- throw new ProviderException("Only PKCS#11 v2.0 and later "
- + "supported, library version is v" + p11Info.cryptokiVersion);
-@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
- final String className;
- final List aliases;
- final int[] mechanisms;
-+ final int[] requiredMechs;
-
-+ // mechanisms is a list of possible mechanisms that implement the
-+ // algorithm, at least one of them must be available. requiredMechs
-+ // is a list of auxiliary mechanisms, all of them must be available
- private Descriptor(String type, String algorithm, String className,
-- List aliases, int[] mechanisms) {
-+ List aliases, int[] mechanisms, int[] requiredMechs) {
- this.type = type;
- this.algorithm = algorithm;
- this.className = className;
- this.aliases = aliases;
- this.mechanisms = mechanisms;
-+ this.requiredMechs = requiredMechs;
- }
- private P11Service service(Token token, int mechanism) {
- return new P11Service
-@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
-
- private static void d(String type, String algorithm, String className,
- int[] m) {
-- register(new Descriptor(type, algorithm, className, null, m));
-+ register(new Descriptor(type, algorithm, className, null, m, null));
- }
-
- private static void d(String type, String algorithm, String className,
- List aliases, int[] m) {
-- register(new Descriptor(type, algorithm, className, aliases, m));
-+ register(new Descriptor(type, algorithm, className, aliases, m, null));
-+ }
-+
-+ private static void d(String type, String algorithm, String className,
-+ int[] m, int[] requiredMechs) {
-+ register(new Descriptor(type, algorithm, className, null, m,
-+ requiredMechs));
-+ }
-+ private static void dA(String type, String algorithm, String className,
-+ int[] m, int[] requiredMechs) {
-+ register(new Descriptor(type, algorithm, className,
-+ getAliases(algorithm), m, requiredMechs));
- }
-
- private static void dA(String type, String algorithm, String className,
- int[] m) {
- register(new Descriptor(type, algorithm, className,
-- getAliases(algorithm), m));
-+ getAliases(algorithm), m, null));
- }
-
- private static void register(Descriptor d) {
-@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
- String P11Cipher = "sun.security.pkcs11.P11Cipher";
- String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
- String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
-+ String P11PBECipher = "sun.security.pkcs11.P11PBECipher";
- String P11Signature = "sun.security.pkcs11.P11Signature";
- String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
-
-@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
- d(MAC, "SslMacSHA1", P11Mac,
- m(CKM_SSL3_SHA1_MAC));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBA HMacs
-+ *
-+ * KeyDerivationMech must be supported
-+ * for these services to be available.
-+ *
-+ */
-+ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC),
-+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
-+ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ }
-+
- d(KPG, "RSA", P11KeyPairGenerator,
- getAliases("PKCS1"),
- m(CKM_RSA_PKCS_KEY_PAIR_GEN));
-@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
- d(SKF, "ChaCha20", P11SecretKeyFactory,
- m(CKM_CHACHA20_POLY1305));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBE Secret Key Factories
-+ *
-+ * KeyDerivationPrf must be supported for these services
-+ * to be available.
-+ *
-+ */
-+ d(SKF, "PBEWithHmacSHA1AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBEWithHmacSHA224AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
-+ d(SKF, "PBEWithHmacSHA256AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBEWithHmacSHA384AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBEWithHmacSHA512AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ d(SKF, "PBEWithHmacSHA1AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBEWithHmacSHA224AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
-+ d(SKF, "PBEWithHmacSHA256AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBEWithHmacSHA384AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBEWithHmacSHA512AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ /*
-+ * PBA Secret Key Factories
-+ */
-+ d(SKF, "HmacPBESHA1", P11SecretKeyFactory,
-+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
-+ d(SKF, "HmacPBESHA224", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA256", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA384", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ /*
-+ * PBKDF2 Secret Key Factories
-+ */
-+ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ }
-+
- // XXX attributes for Ciphers (supported modes, padding)
- dA(CIP, "ARCFOUR", P11Cipher,
- m(CKM_RC4));
-@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
- d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
- m(CKM_RSA_X_509));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBE Ciphers
-+ *
-+ * KeyDerivationMech and KeyDerivationPrf must be supported
-+ * for these services to be available.
-+ *
-+ */
-+ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
-+ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
-+ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
-+ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
-+ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
-+ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
-+ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
-+ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
-+ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
-+ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
-+ }
-+
- d(SIG, "RawDSA", P11Signature,
- List.of("NONEwithDSA"),
- m(CKM_DSA));
-@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
- if (ds == null) {
- continue;
- }
-+ descLoop:
- for (Descriptor d : ds) {
- Integer oldMech = supportedAlgs.get(d);
- if (oldMech == null) {
-+ if (d.requiredMechs != null) {
-+ // Check that other mechanisms required for the
-+ // service are supported before listing it as
-+ // available for the first time.
-+ for (int requiredMech : d.requiredMechs) {
-+ if (token.getMechanismInfo(
-+ requiredMech & 0xFFFFFFFFL) == null) {
-+ continue descLoop;
-+ }
-+ }
-+ }
- supportedAlgs.put(d, integerMech);
- continue;
- }
-@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
- }
-
- @Override
-+ @SuppressWarnings("removal")
- public Object newInstance(Object param)
- throws NoSuchAlgorithmException {
- if (token.isValid() == false) {
- throw new NoSuchAlgorithmException("Token has been removed");
- }
-+ if (systemFipsEnabled && !token.fipsLoggedIn &&
-+ !getType().equals("KeyStore")) {
-+ /*
-+ * The NSS Software Token in FIPS 140-2 mode requires a
-+ * user login for most operations. See sftk_fipsCheck
-+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
-+ * service, let the caller perform the login with
-+ * KeyStore::load. Keytool, for example, does this to pass a
-+ * PIN from either the -srcstorepass or -deststorepass
-+ * argument. In case of a non-KeyStore service, perform the
-+ * login now with the PIN available in the fips.nssdb.pin
-+ * property.
-+ */
-+ try {
-+ if (System.getSecurityManager() != null) {
-+ try {
-+ AccessController.doPrivileged(
-+ (PrivilegedExceptionAction) () -> {
-+ token.ensureLoggedIn(null);
-+ return null;
-+ });
-+ } catch (PrivilegedActionException pae) {
-+ Exception e = pae.getException();
-+ if (e instanceof LoginException le) {
-+ throw le;
-+ } else if (e instanceof PKCS11Exception p11e) {
-+ throw p11e;
-+ } else {
-+ throw new RuntimeException(e);
-+ }
-+ }
-+ } else {
-+ token.ensureLoggedIn(null);
-+ }
-+ } catch (PKCS11Exception | LoginException e) {
-+ throw new ProviderException("FIPS: error during the Token" +
-+ " login required for the " + getType() +
-+ " service.", e);
-+ }
-+ }
- try {
- return newInstance0(param);
- } catch (PKCS11Exception e) {
-@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
- } else if (algorithm.endsWith("GCM/NoPadding") ||
- algorithm.startsWith("ChaCha20-Poly1305")) {
- return new P11AEADCipher(token, algorithm, mechanism);
-+ } else if (algorithm.startsWith("PBE")) {
-+ return new P11PBECipher(token, algorithm, mechanism);
- } else {
- return new P11Cipher(token, algorithm, mechanism);
- }
-@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
- try {
- session = token.getOpSession();
- p11.C_Logout(session.id());
-+ if (systemFipsEnabled) {
-+ token.fipsLoggedIn = false;
-+ }
- if (debug != null) {
- debug.println("logout succeeded");
- }
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-index 9858a5faedf..e63585486d9 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-@@ -33,6 +33,7 @@ import java.lang.ref.*;
- import java.security.*;
- import javax.security.auth.login.LoginException;
-
-+import jdk.internal.access.SharedSecrets;
- import sun.security.jca.JCAUtil;
-
- import
sun.security.pkcs11.wrapper.*;
-@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- class Token implements Serializable {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- // need to be serializable to allow SecureRandom to be serialized
- private static final long serialVersionUID = 2541527649100571747L;
-
-@@ -114,6 +118,10 @@ class Token implements Serializable {
- // flag indicating whether we are logged in
- private volatile boolean loggedIn;
-
-+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
-+ // This Token is never asynchronously removed. Used from SunPKCS11.
-+ volatile boolean fipsLoggedIn;
-+
- // time we last checked login status
- private long lastLoginCheck;
-
-@@ -232,7 +240,12 @@ class Token implements Serializable {
- // call provider.login() if not
- void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
- if (isLoggedIn(session) == false) {
-- provider.login(null, null);
-+ if (systemFipsEnabled) {
-+ provider.login(null, new FIPSTokenLoginHandler());
-+ fipsLoggedIn = true;
-+ } else {
-+ provider.login(null, null);
-+ }
- }
- }
-
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-index 88ff8a71fc3..47a2f97eddf 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS {
- }
-
- /**
-- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
-+ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS.
- *
-- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
-+ * @return the string representation of CK_ECDH1_DERIVE_PARAMS
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-index 0c9ebb289c1..b4b2448464d 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-@@ -160,6 +160,18 @@ public class CK_MECHANISM {
- init(mechanism, params);
- }
-
-+ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) {
-+ init(mechanism, params);
-+ }
-+
-+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) {
-+ init(mechanism, params);
-+ }
-+
-+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) {
-+ init(mechanism, params);
-+ }
-+
- // For PSS. the parameter may be set multiple times, use the
- // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
- // methods instead of creating yet another constructor
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-index e8b048869c4..a25fa1c39e5 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper;
-
-
- /**
-- * class CK_PBE_PARAMS provides all of the necessary information required byte
-+ * class CK_PBE_PARAMS provides all the necessary information required by
- * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

- * PKCS#11 structure: - *

-  * typedef struct CK_PBE_PARAMS {
-- *   CK_CHAR_PTR pInitVector;
-- *   CK_CHAR_PTR pPassword;
-+ *   CK_BYTE_PTR pInitVector;
-+ *   CK_UTF8CHAR_PTR pPassword;
-  *   CK_ULONG ulPasswordLen;
-- *   CK_CHAR_PTR pSalt;
-+ *   CK_BYTE_PTR pSalt;
-  *   CK_ULONG ulSaltLen;
-  *   CK_ULONG ulIteration;
-  * } CK_PBE_PARAMS;
-@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
-     /**
-      * PKCS#11:
-      * 
--     *   CK_CHAR_PTR pInitVector;
-+     *   CK_BYTE_PTR pInitVector;
-      * 
- */
-- public char[] pInitVector;
-+ public byte[] pInitVector;
-
- /**
- * PKCS#11:
- *
--     *   CK_CHAR_PTR pPassword;
-+     *   CK_UTF8CHAR_PTR pPassword;
-      *   CK_ULONG ulPasswordLen;
-      * 
- */
-@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
- /**
- * PKCS#11:
- *
--     *   CK_CHAR_PTR pSalt
-+     *   CK_BYTE_PTR pSalt
-      *   CK_ULONG ulSaltLen;
-      * 
- */
-- public char[] pSalt;
-+ public byte[] pSalt;
-
- /**
- * PKCS#11:
-@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
- */
- public long ulIteration;
-
-+ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
-+ this.pPassword = pPassword;
-+ this.pSalt = pSalt;
-+ this.ulIteration = ulIteration;
-+ }
-+
- /**
- * Returns the string representation of CK_PBE_PARAMS.
- *
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-index fb90bfced27..a01beb0753a 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-@@ -47,7 +47,7 @@
-
- package sun.security.pkcs11.wrapper;
-
--
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-
- /**
- * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
-@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
- * PKCS#11 structure:
- *
-  * typedef struct CK_PKCS5_PBKD2_PARAMS {
-- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-  *   CK_VOID_PTR pSaltSourceData;
-  *   CK_ULONG ulSaltSourceDataLen;
-  *   CK_ULONG iterations;
-  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-  *   CK_VOID_PTR pPrfData;
-  *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG_PTR ulPasswordLen;
-  * } CK_PKCS5_PBKD2_PARAMS;
-  * 
- *
-@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
- */
- public byte[] pPrfData;
-
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG_PTR ulPasswordLen;
-+     * 
-+ */
-+ public char[] pPassword;
-+
-+ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
-+ long iterations, long prf) {
-+ this.pPassword = pPassword;
-+ this.pSaltSourceData = pSalt;
-+ this.iterations = iterations;
-+ this.prf = prf;
-+ this.saltSource = CKZ_SALT_SPECIFIED;
-+ }
-+
- /**
- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
- *
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
-new file mode 100644
-index 00000000000..935db656639
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
-@@ -0,0 +1,156 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11.wrapper;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+
-+/**
-+ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
-+ * mechanism.

-+ * PKCS#11 structure: -+ *

-+ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_VOID_PTR pSaltSourceData;
-+ *   CK_ULONG ulSaltSourceDataLen;
-+ *   CK_ULONG iterations;
-+ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+ *   CK_VOID_PTR pPrfData;
-+ *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG ulPasswordLen;
-+ * } CK_PKCS5_PBKD2_PARAMS2;
-+ * 
-+ *
-+ */
-+public class CK_PKCS5_PBKD2_PARAMS2 {
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+     * 
-+ */
-+ public long saltSource;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_VOID_PTR pSaltSourceData;
-+     *   CK_ULONG ulSaltSourceDataLen;
-+     * 
-+ */
-+ public byte[] pSaltSourceData;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_ULONG iterations;
-+     * 
-+ */
-+ public long iterations;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+     * 
-+ */
-+ public long prf;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_VOID_PTR pPrfData;
-+     *   CK_ULONG ulPrfDataLen;
-+     * 
-+ */
-+ public byte[] pPrfData;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG ulPasswordLen;
-+     * 
-+ */
-+ public char[] pPassword;
-+
-+ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
-+ long iterations, long prf) {
-+ this.pPassword = pPassword;
-+ this.pSaltSourceData = pSalt;
-+ this.iterations = iterations;
-+ this.prf = prf;
-+ this.saltSource = CKZ_SALT_SPECIFIED;
-+ }
-+
-+ /**
-+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
-+ *
-+ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
-+ */
-+ public String toString() {
-+ StringBuilder sb = new StringBuilder();
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("saltSource: ");
-+ sb.append(saltSource);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("pSaltSourceData: ");
-+ sb.append(Functions.toHexString(pSaltSourceData));
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("ulSaltSourceDataLen: ");
-+ sb.append(pSaltSourceData.length);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("iterations: ");
-+ sb.append(iterations);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("prf: ");
-+ sb.append(prf);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("pPrfData: ");
-+ sb.append(Functions.toHexString(pPrfData));
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("ulPrfDataLen: ");
-+ sb.append(pPrfData.length);
-+
-+ return sb.toString();
-+ }
-+
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-index 1f9c4d39f57..5e3c1b9d29f 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
- public byte[]
pPublicData;
-
- /**
-- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
-+ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
- *
-- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
-+ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..5fbf8addcba 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -113,6 +116,8 @@ public class PKCS11 {
-
- private long pNativeData;
-
-+ private CK_INFO pInfo;
-+
- /**
- * This method does the initialization of the native library. It is called
- * exactly once for this class.
-@@ -145,23 +150,49 @@ public class PKCS11 {
- * @postconditions
- */
- PKCS11(String pkcs11ModulePath, String functionListName)
-- throws IOException {
-+ throws IOException, PKCS11Exception {
- connect(pkcs11ModulePath, functionListName);
- this.pkcs11ModulePath = pkcs11ModulePath;
-+ pInfo = C_GetInfo();
-+ }
-+
-+ /*
-+ * Compatibility wrapper to allow this method to work as before
-+ * when FIPS mode support is not active.
-+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
-+ return getInstance(pkcs11ModulePath, functionList,
-+ pInitArgs, omitInitialize, null, null);
- }
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter,
-+ MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null &&
-+ fipsKeyExporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -179,6 +210,14 @@ public class PKCS11 {
- return pkcs11;
- }
-
-+ /**
-+ * Returns the CK_INFO structure fetched at initialization with
-+ * C_GetInfo. This structure represent Cryptoki library information.
-+ */
-+ public CK_INFO getInfo() {
-+ return pInfo;
-+ }
-+
- /**
- * Connects this object to the specified PKCS#11 library. This method is for
- * internal use only.
-@@ -1625,7 +1664,7 @@ public class PKCS11 {
- static class SynchronizedPKCS11 extends PKCS11 {
-
- SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
-- throws IOException {
-+ throws IOException, PKCS11Exception {
- super(pkcs11ModulePath, functionListName);
- }
-
-@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(PKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ FIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.PKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ SynchronizedFIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public synchronized void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
-+ MethodHandle fipsKeyExporter, long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ Map sensitiveAttrs = new HashMap<>();
-+ List nonSensitiveAttrs = new LinkedList<>();
-+ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
-+ sensitiveAttrs, nonSensitiveAttrs);
-+ try {
-+ if (sensitiveAttrs.size() > 0) {
-+ long keyClass = -1L;
-+ long keyType = -1L;
-+ try {
-+ // Secret and private keys have both class and type
-+ // attributes, so we can query them at once.
-+ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
-+ new CK_ATTRIBUTE(CKA_CLASS),
-+ new CK_ATTRIBUTE(CKA_KEY_TYPE),
-+ };
-+ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
-+ keyClass = queryAttrs[0].getLong();
-+ keyType = queryAttrs[1].getLong();
-+ } catch (PKCS11Exception e) {
-+ // If the query fails, the object is neither a secret nor a
-+ // private key.
As this case won't be handled with the FIPS
-+ // Key Exporter, we keep keyClass initialized to -1L.
-+ }
-+ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
-+ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
-+ sensitiveAttrs);
-+ if (nonSensitiveAttrs.size() > 0) {
-+ CK_ATTRIBUTE[] pNonSensitiveAttrs =
-+ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
-+ int i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ pNonSensitiveAttrs[i++] = nonSensAttr;
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject,
-+ pNonSensitiveAttrs);
-+ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
-+ // update the reference on the previous CK_ATTRIBUTEs
-+ i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
-+ }
-+ }
-+ return;
-+ }
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
-+ Map sensitiveAttrs,
-+ List nonSensitiveAttrs) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ long type = attr.type;
-+ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
-+ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
-+ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
-+ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
-+ type == CKA_COEFFICIENT) {
-+ sensitiveAttrs.put(type, attr);
-+ } else {
-+ nonSensitiveAttrs.add(attr);
-+ }
-+ }
-+ }
-+}
- }
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-index 0d65ee26805..38fd4aff1f3 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-+++
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
- public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
- public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
-
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
--
-- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
--
- public static final long CK_OTP_VALUE = 0x00000000L;
- public static final long CK_OTP_PIN = 0x00000001L;
- public static final long CK_OTP_CHALLENGE = 0x00000002L;
-@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
- public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
- */
-
-+ // PBKDF2 support, used in P11Util
-+ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
-+
- // private NSS attribute (for DSA and DH private keys)
- public static final long CKA_NETSCAPE_DB =
0xD5A0DB00L;
-
- // base number of NSS private attributes
- public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
-- = 0xCE534350L;
-+ /* now known as CKM_NSS ^ */ = 0xCE534350L;
-
- // object type for NSS trust
- public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
-@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
- = 0xCE534355L;
- public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
- public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
-+
-+ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
-+ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
-+ /* (CKM_NSS + 29) */ = 0xCE53436DL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
-+ /* (CKM_NSS + 30) */ = 0xCE53436EL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
-+ /* (CKM_NSS + 31) */ = 0xCE53436FL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
-+ /* (CKM_NSS + 32) */ = 0xCE534370L;
- }
-diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-index d941b574cc7..e2de13648be 100644
---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- case CKM_PBA_SHA1_WITH_SHA1_HMAC:
-+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
- ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
- break;
- case CKM_PKCS5_PBKD2:
-@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
- // retrieve java values
- jPbeParamsClass = (*env)->FindClass(env,
CLASS_PBE_PARAMS);
- if (jPbeParamsClass == NULL) { return NULL; }
-- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
-+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
- if (fieldID == NULL) { return NULL; }
- jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
- if (fieldID == NULL) { return NULL; }
- jPassword = (*env)->GetObjectField(env, jParam, fieldID);
-- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
-+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
- if (fieldID == NULL) { return NULL; }
- jSalt = (*env)->GetObjectField(env, jParam, fieldID);
- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
-@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
-
- // populate using java values
- ckParamPtr->ulIteration = jLongToCKULong(jIteration);
-- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
-+ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
-+ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
-+ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
- }
- }
-
-+#define PBKD2_PARAM_SET(member, value) \
-+ do { \
-+ if(ckParamPtr->version == PARAMS) { \
-+ ckParamPtr->params.v1.member = value; \
-+ } else { \
-+
ckParamPtr->params.v2.member = value; \
-+ } \
-+ } while(0)
-+
-+#define PBKD2_PARAM_ADDR(member) \
-+ ( \
-+ (ckParamPtr->version == PARAMS) ? \
-+ (void*) &ckParamPtr->params.v1.member : \
-+ (void*) &ckParamPtr->params.v2.member \
-+ )
-+
- /*
-- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
-+ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
-+ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
- * pointer
- *
-- * @param env - used to call JNI funktions to get the Java classes and objects
-- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
-+ * @param env - used to call JNI functions to get the Java classes and objects
-+ * @param jParam - the Java object to convert
- * @param pLength - length of the allocated memory of the returned pointer
-- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
-+ * @return pointer to the new structure
- */
--CK_PKCS5_PBKD2_PARAMS_PTR
-+CK_VOID_PTR
- jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
- {
-- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
-+ VersionedPbkd2ParamsPtr ckParamPtr;
-+ ParamVersion paramVersion;
-+ CK_ULONG_PTR pUlPasswordLen;
- jclass jPkcs5Pbkd2ParamsClass;
- jfieldID fieldID;
- jlong jSaltSource, jIteration, jPrf;
-- jobject jSaltSourceData, jPrfData;
-+ jobject jSaltSourceData, jPrfData, jPassword;
-
- if (pLength != NULL) {
- *pLength = 0L;
- }
-
- // retrieve java values
-- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
-+ if ((jPkcs5Pbkd2ParamsClass =
-+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
-+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-+ paramVersion = PARAMS;
-+ } else if ((jPkcs5Pbkd2ParamsClass =
-+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
-+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-+
paramVersion = PARAMS2; -+ } else { -+ return NULL; -+ } - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); - if (fieldID == NULL) { return NULL; } - jSaltSource = (*env)->GetLongField(env, jParam, fieldID); -@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); - if (fieldID == NULL) { return NULL; } - jPrfData = (*env)->GetObjectField(env, jParam, fieldID); -+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C"); -+ if (fieldID == NULL) { return NULL; } -+ jPassword = (*env)->GetObjectField(env, jParam, fieldID); - -- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer -- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS)); -+ // allocate memory for VersionedPbkd2Params and store the structure version -+ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params)); - if (ckParamPtr == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } -+ ckParamPtr->version = paramVersion; - - // populate using java values -- ckParamPtr->saltSource = jLongToCKULong(jSaltSource); -- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) -- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen)); -+ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource)); -+ jByteArrayToCKByteArray(env, jSaltSourceData, -+ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData), -+ PBKD2_PARAM_ADDR(ulSaltSourceDataLen)); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -- ckParamPtr->iterations = jLongToCKULong(jIteration); -- ckParamPtr->prf = jLongToCKULong(jPrf); -- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) -- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen)); -+ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration)); -+ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf)); -+ jByteArrayToCKByteArray(env, jPrfData, -+ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData), -+ 
PBKD2_PARAM_ADDR(ulPrfDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ goto cleanup; -+ } -+ if (ckParamPtr->version == PARAMS) { -+ pUlPasswordLen = calloc(1, sizeof(CK_ULONG)); -+ if (pUlPasswordLen == NULL) { -+ throwOutOfMemoryError(env, 0); -+ goto cleanup; -+ } -+ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen; -+ } else { -+ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen; -+ } -+ jCharArrayToCKUTF8CharArray(env, jPassword, -+ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword), -+ pUlPasswordLen); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } - - if (pLength != NULL) { -- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS); -+ *pLength = (ckParamPtr->version == PARAMS ? -+ sizeof(ckParamPtr->params.v1) : -+ sizeof(ckParamPtr->params.v2)); - } -+ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR - return ckParamPtr; - cleanup: -- free(ckParamPtr->pSaltSourceData); -- free(ckParamPtr->pPrfData); -+ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr); - free(ckParamPtr); - return NULL; - -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -index 520bd52a2cd..aa76945283d 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { - case CKM_CAMELLIA_CTR: - // params do not contain pointers - break; -+ case CKM_PKCS5_PBKD2: -+ // get the versioned structure from behind memory -+ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ? 
-+ "[ CK_PKCS5_PBKD2_PARAMS ]\n" : -+ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n"); -+ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp); -+ break; -+ case CKM_PBA_SHA1_WITH_SHA1_HMAC: -+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: -+ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt); -+ break; - default: - // currently unsupported mechs by SunPKCS11 provider - // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE, - // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*, -- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2, -+ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, - // PBE mechs, WTLS mechs, CMS mechs, - // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP, - // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_* -@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO - jboolean* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * - jbyte* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR - jlong* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * - jchar* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH - jchar* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -index eb6d01b9e47..450e4d27d62 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -@@ -68,6 +68,7 @@ - /* extra PKCS#11 constants not in the standard include files */ - - #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) -+/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */ - #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) - #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) - #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) -@@ -76,6 +77,12 @@ - #define CKA_NETSCAPE_DB 0xD5A0DB00 - #define CKM_NSS_TLS_PRF_GENERAL 0x80000373 - -+/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */ -+#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29) -+#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30) -+#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31) -+#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32) -+ - /* - - Define the PKCS#11 functions to include and exclude. 
Reduces the size -@@ -265,6 +272,7 @@ void printDebug(const char *format, ...); - #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" - #define PBE_INIT_VECTOR_SIZE 8 - #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" -+#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2" - #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" - - #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" -@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM - CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env, - jobject jParam, CK_ULONG* pLength); - CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); --CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); -+CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); -@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env, - CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - -+/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */ -+typedef enum {PARAMS=0, PARAMS2} ParamVersion; -+ -+typedef struct { -+ union { -+ CK_PKCS5_PBKD2_PARAMS v1; -+ 
CK_PKCS5_PBKD2_PARAMS2 v2; -+ } params; -+ ParamVersion version; -+} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr; -+ -+#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \ -+ do { \ -+ if ((verParamsPtr)->version == PARAMS) { \ -+ free((verParamsPtr)->params.v1.pSaltSourceData); \ -+ free((verParamsPtr)->params.v1.pPrfData); \ -+ free((verParamsPtr)->params.v1.pPassword); \ -+ free((verParamsPtr)->params.v1.ulPasswordLen); \ -+ } else { \ -+ free((verParamsPtr)->params.v2.pSaltSourceData); \ -+ free((verParamsPtr)->params.v2.pPrfData); \ -+ free((verParamsPtr)->params.v2.pPassword); \ -+ } \ -+ } while(0) -+ - /* functions to copy the returned values inside CK-mechanism back to Java object */ - - void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 8c9e4f9dbe6..883dc04758e 100644 ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.List; - -+import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; - import sun.security.ec.ed.EdDSAKeyFactory; - import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC extends Provider { - - private static final long serialVersionUID = -2279741672933606418L; - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private static class ProviderServiceA extends ProviderService { - ProviderServiceA(Provider p, String type, String algo, String cn, - HashMap attrs) { -@@ -249,85 +254,86 @@ public final class SunEC extends Provider { - - putXDHEntries(); - putEdDSAEntries(); -- -- /* -- * Signature engines -- */ -- 
putService(new ProviderService(this, "Signature", -- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -- null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$RawinP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA1withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA384withECDSAinP1363Format", -- 
"sun.security.ec.ECDSASignature$SHA384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -- -- putService(new ProviderService(this, "Signature", -- "SHA3-224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -- -- /* -- * Key Pair Generator engine -- */ -- putService(new ProviderService(this, "KeyPairGenerator", -- "EC", "sun.security.ec.ECKeyPairGenerator", -- List.of("EllipticCurve"), ATTRS)); -- -- /* -- * Key Agreement engine -- */ -- putService(new ProviderService(this, "KeyAgreement", -- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ if (!systemFipsEnabled) { -+ /* -+ * Signature engines -+ */ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -+ null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -+ ATTRS)); -+ 
putService(new ProviderServiceA(this, "Signature", -+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$RawinP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA1withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -+ -+ putService(new ProviderService(this, "Signature", -+ "SHA3-224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-512withECDSAinP1363Format", -+ 
"sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -+ -+ /* -+ * Key Pair Generator engine -+ */ -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EC", "sun.security.ec.ECKeyPairGenerator", -+ List.of("EllipticCurve"), ATTRS)); -+ -+ /* -+ * Key Agreement engine -+ */ -+ putService(new ProviderService(this, "KeyAgreement", -+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ } - } - - private void putXDHEntries() { -@@ -344,23 +350,25 @@ public final class SunEC extends Provider { - "X448", "sun.security.ec.XDHKeyFactory.X448", - ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -- ATTRS)); -- -- putService(new ProviderService(this, "KeyAgreement", -- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X448", "sun.security.ec.XDHKeyAgreement.X448", -- ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "KeyAgreement", -+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -+ ATTRS)); -+ 
putService(new ProviderServiceA(this, "KeyAgreement", -+ "X448", "sun.security.ec.XDHKeyAgreement.X448", -+ ATTRS)); -+ } - } - - private void putEdDSAEntries() { -@@ -375,21 +383,23 @@ public final class SunEC extends Provider { - putService(new ProviderServiceA(this, "KeyFactory", - "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ } - - } - } 
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index d3fda7c..9e83141 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -21,10 +21,6 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs -# Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm -# Build with system libraries -%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -34,31 +30,14 @@ %global include_staticlibs 0 %endif -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -%if %{with fresh_libjvm} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif - -%if %{with system_libs} -%global system_libs 1 -%global link_type system +#placeholder - used in regexes, otherwise for no use in portables %global freetype_lib %{nil} -%else -%global system_libs 0 -%global link_type bundled -%global freetype_lib |libfreetype[.]so.* -%endif # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 %global _find_debuginfo_opts -g -# With LTO flags enabled, debuginfo checks fail for some reason. Disable -# LTO for a passing build. This really needs to be looked at. -%define _lto_cflags %{nil} # note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros # also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch 
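Review bot: `%global freetype_lib %{nil}` is now the only definition, but the previous default (system_libs off) was `|libfreetype[.]so.*`, so the regexes that consume this macro no longer match a bundled libfreetype. Elsewhere in this commit the `lib/libfreetype.so` entry leaves the files list while `Provides: bundled(freetype) = 2.12.1` becomes unconditional, and these three settings do not agree with each other. If the portable JDK ships its own libfreetype.so, keep `%global freetype_lib |libfreetype[.]so.*` and keep the file listed; if it links the system library, drop the bundled(freetype) Provides instead. Which case applies is not visible in this diff, so the placeholder comment should state it, e.g. `# portable build bundles/does not bundle freetype; keep in sync with Provides: bundled(freetype)`.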
@@ -128,8 +107,6 @@ %global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) %global zero_arches ppc s390 -# Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler @@ -202,16 +179,6 @@ %global staticlibs_loop %{nil} %endif -%if 0%{?flatpak} -%global bootstrap_build false -%else -%ifarch %{bootstrap_arches} -%global bootstrap_build true -%else -%global bootstrap_build false -%endif -%endif - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree 
@@ -225,27 +192,6 @@ # RPM JDK builds keep the debug symbols internal, to be later stripped by RPM %global debug_symbols internal -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images -# Target to use to just build HotSpot -%global hotspot_target hotspot - -# JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk - - -# Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) -# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings -# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') -%global ourldflags %{__global_ldflags} - # With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path # the initialization must be here. Later the pkg-config have buggy behavior # looks like openjdk RPM specific bug @@ -323,10 +269,7 @@ %global interimver 0 %global updatever 6 %global patchver 0 -# buildjdkver is usually same as %%{featurever}, -# but in time of bootstrap of next jdk, it is featurever-1, -# and this it is better to change it here, on single place -%global buildjdkver %{featurever} + # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} 
@@ -360,8 +303,6 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 -# Define current Git revision for the FIPS support patches -%global fipsver 257d544b594 # Standard JPackage naming and versioning defines %global origin openjdk @@ -369,7 +310,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -420,8 +361,7 @@ %global static_libs_root lib/static %global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} %global static_libs_install_dir %{static_libs_arch_dir}/glibc -# output dir stub -%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} + # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -869,9 +809,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so -%if ! %{system_libs} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so 
@@ -909,7 +846,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +#%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* #TODO, resolve alt-java man page %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ @@ -1083,7 +1020,6 @@ exit 0 %define files_demo() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/demo -%{_jvmdir}/%{sdkdir -- %{?1}}/sample } %define files_src() %{expand: @@ -1283,6 +1219,8 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 +%global portable_name %{name}-portable + Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} @@ -1320,10 +1258,6 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - -# The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz - # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. @@ -1332,15 +1266,6 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# Release notes -Source10: NEWS - -# nss configuration file -Source11: nss.cfg.in - -# Removed libraries that we link instead -Source12: remove-intree-libraries.sh - # Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java 
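Review bot: The alt-java man page entry in the `@@ -909,7 +846,7 @@` hunk is disabled with a leading `#`, but rpm still expands macros inside comments, so `%{alt_java_name}` and the parametric `%{uniquesuffix -- %{?1}}` are still evaluated on that line. The line appears to sit inside a parametric `%{expand:...}` files macro whose definition starts outside the hunk, which makes the expansion harder to reason about. Replace the line with a plain-text reminder that contains no macros, for example `# TODO: re-add the alt-java man page entry once the portable build ships it`. The man page for alt-java is also silently dropped from the package by this change, which is worth recording in the changelog.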
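Review bot: In the `@@ -1283,6 +1219,8 @@` hunk, `%global portable_name %{name}-portable` is placed above the `Name:` tag, and a `%global` body is expanded at definition time. Unless `%{name}` is defined earlier outside this hunk, it is still undefined at that point and the macro only works because rpm keeps the unexpanded text and expands it again on use. Move the definition below `Name:`, or use the lazily expanded form `%define portable_name %{name}-portable`, and add a short comment such as `# prebuilt portable JDK that this spec repacks`.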
@@ -1356,122 +1281,47 @@ Source16: CheckVendor.java # Ensure translations are available for new timezones Source18: TestTranslations.java -############################################ -# -# RPM/distribution specific patches -# -############################################ - -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - -# Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch -# Diff is limited to src and make subdirectories to exclude .github changes -# Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in 
FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection -# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -Patch1001: fips-17u-%{fipsver}.patch - -############################################# -# -# OpenJDK patches in need of upstreaming -# -############################################# +%if %{include_normal_build} +BuildRequires: %{portable_name} +BuildRequires: %{portable_name}-devel +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs +%endif +%endif +%if %{include_fastdebug_build} +BuildRequires: %{portable_name}-fastdebug +BuildRequires: %{portable_name}-devel-fastdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-fastdebug +%endif +%endif +%if %{include_debug_build} +BuildRequires: %{portable_name}-slowdebug +BuildRequires: %{portable_name}-devel-slowdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-slowdebug +%endif +%endif -############################################# -# -# OpenJDK patches targetted for 17.0.6 -# 
-############################################# -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: alsa-lib-devel -BuildRequires: binutils -BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel -BuildRequires: fontconfig-devel -BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: libxslt -BuildRequires: libX11-devel -BuildRequires: libXi-devel -BuildRequires: libXinerama-devel -BuildRequires: libXrandr-devel -BuildRequires: libXrender-devel -BuildRequires: libXt-devel -BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test BuildRequires: crypto-policies BuildRequires: pkgconfig -BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -BuildRequires: java-%{buildjdkver}-openjdk-devel -# Zero-assembler build requirement -%ifarch %{zero_arches} -BuildRequires: libffi-devel -%endif # 2022g required as of JDK-8297804 BuildRequires: tzdata-java >= 2022g -# Earlier versions have a bug in tree vectorization on PPC -BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif -BuildRequires: make -%if %{system_libs} -BuildRequires: freetype-devel -BuildRequires: giflib-devel -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel -%else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h Provides: bundled(freetype) = 2.12.1 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h @@ -1486,7 +1336,6 @@ Provides: bundled(libjpeg) = 6b Provides: bundled(libpng) = 1.6.37 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static -%endif # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder 
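Review bot: The added `BuildRequires: %{portable_name}` lines (and the -devel, -static-libs, -fastdebug and -slowdebug variants) carry no version, so the build accepts whichever portable package the buildroot resolves while this spec stamps the result with its own Version and Release. Because the same hunk removes every patch, including the FIPS set and the alt-java hardening patch, the shipped binaries and their security properties are now decided entirely by that dependency. Tie each requirement to the version being packaged, for example `BuildRequires: %{portable_name} = <PORTABLE_EPOCH>:%{version}-<PORTABLE_RELEASE>` (placeholders for values this diff does not show), or at minimum `>= %{version}`. A comment above the block, such as `# patches and FIPS support are applied in the portable build; keep versions in lockstep`, would tell the next maintainer where the removed patches went.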
@@ -1796,16 +1645,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %endif %prep - echo "Preparing %{oj_vendor_version}" -# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( -%if 0%{?stapinstall:1} - echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" -%else - %{error:Unrecognised architecture %{_target_cpu}} -%endif - if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else 
@@ -1828,54 +1669,33 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi -%setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` if [ $prioritylength -ne 8 ] ; then echo "priority must be 8 digits in total, violated" exit 14 fi - -# OpenJDK patches - -%if %{system_libs} -# Remove libraries that are linked by both static and dynamic builds -sh %{SOURCE12} %{top_level_dir_name} -%endif - -# Patch the JDK -pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 -# Add crypto policy and FIPS support -%patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -popd # openjdk - -%patch600 - -# The OpenJDK version file includes the current -# upstream version information. For some reason, -# configure does not automatically use the -# default pre-version supplied there (despite -# what the file claims), so we pass it manually -# to configure -VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf -if [ -f ${VERSION_FILE} ] ; then - UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) -else - echo "Could not find OpenJDK version file."; - exit 16 -fi -if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then - echo "WARNING: Designator mismatch"; - echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" - echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - exit 17 -fi +%if %{include_normal_build} +tar -xf %{_jvmdir}/%{compatiblename}*portable.jdk.*tar.xz +#tar -xf %{_jvmdir}/%{compatiblename}*portable.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.static-libs.*tar.xz +%endif +%endif +%if %{include_fastdebug_build} + tar -xf 
%{_jvmdir}/%{compatiblename}*portable.fastdebug.jdk.*tar.xz + #tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.static-libs.*tar.xz +%endif +%endif +%if %{include_debug_build} + tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jdk.*tar.xz + #tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.static-libs.*tar.xz +%endif +%endif # Extract systemtap tapsets %if %{with_systemtap} 
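Review bot: Nothing in the new `tar -xf %{_jvmdir}/%{compatiblename}*portable...tar.xz` block checks that the unpacked JDK is the one this spec describes; the `%patch` calls and the `DEFAULT_PROMOTED_VERSION_PRE` comparison removed here were the only places %prep tied the sources to the spec's version and to the downstream FIPS/crypto-policy changes. `installjdk` still runs `sed -i` on `security.useSystemPropertiesFile=`, but sed exits 0 when that line is absent, so a portable built without the change would presumably be repackaged with system security properties silently off. A check right after that sed, for example `grep -q '^security.useSystemPropertiesFile=true' ${imagepath}/conf/security/java.security || exit 1`, together with a comparison of the unpacked `release` file against the spec version, would restore the gate. The `BuildRequires: %{portable_name}` lines added earlier in this diff are unversioned, so which portable build gets repacked is currently left to whatever the buildroot installs.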
@@ -1923,126 +1743,8 @@ for file in %{SOURCE9}; do done done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - %build - -# How many CPU's do we have? -export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) -export NUM_PROC=${NUM_PROC:-1} -%if 0%{?_smp_ncpus_max} -# Honor %%_smp_ncpus_max -[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} -%endif - -%ifarch s390x sparc64 alpha %{power64} %{aarch64} -export ARCH_DATA_MODEL=64 -%endif -%ifarch alpha -export CFLAGS="$CFLAGS -mieee" -%endif - -# We use ourcppflags because the OpenJDK build seems to -# pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 -EXTRA_CFLAGS="%ourcppflags" -EXTRA_CPP_FLAGS="%ourcppflags" - -%ifarch %{power64} ppc -# fix rpmlint warnings -EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" -%endif -%ifarch %{ix86} -# Align stack boundary on x86_32 -EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -%endif -export EXTRA_CFLAGS EXTRA_CPP_FLAGS - -function buildjdk() { - local outputdir=${1} - local buildjdk=${2} - local maketargets="${3}" - local debuglevel=${4} - local link_opt=${5} - - local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} - local top_dir_abs_build_path=$(pwd)/${outputdir} - - # This must be set using the global, so that the - # static libraries still use a dynamic stdc++lib - if [ "x%{link_type}" = "xbundled" ] ; then - libc_link_opt="static"; - else - libc_link_opt="dynamic"; - fi - - echo "Using output directory: ${outputdir}"; - echo "Checking build JDK ${buildjdk} is operational..." 
- ${buildjdk}/bin/java -version - echo "Using make targets: ${maketargets}" - echo "Using debuglevel: ${debuglevel}" - echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" - - mkdir -p ${outputdir} - pushd ${outputdir} - - # Note: zlib and freetype use %{link_type} - # rather than ${link_opt} as the system versions - # are always used in a system_libs build, even - # for the static library build - bash ${top_dir_abs_src_path}/configure \ -%ifarch %{zero_arches} - --with-jvm-variants=zero \ -%endif -%ifarch %{ppc64le} - --with-jobs=1 \ -%endif - --with-version-build=%{buildver} \ - --with-version-pre="%{ea_designator}" \ - --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{oj_vendor_version}" \ - --with-vendor-name="%{oj_vendor}" \ - --with-vendor-url="%{oj_vendor_url}" \ - --with-vendor-bug-url="%{oj_vendor_bug_url}" \ - --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=${buildjdk} \ - --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ - --disable-sysconf-nss \ - --enable-unlimited-crypto \ - --with-zlib=%{link_type} \ - --with-freetype=%{link_type} \ - --with-libjpeg=${link_opt} \ - --with-giflib=${link_opt} \ - --with-libpng=${link_opt} \ - --with-lcms=${link_opt} \ - --with-harfbuzz=${link_opt} \ - --with-stdc++lib=${libc_link_opt} \ - --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ - --with-extra-cflags="$EXTRA_CFLAGS" \ - --with-extra-ldflags="%{ourldflags}" \ - --with-num-cores="$NUM_PROC" \ - --with-source-date="${SOURCE_DATE_EPOCH}" \ - --disable-javac-server \ -%ifarch %{zgc_arches} - --with-jvm-features=zgc \ -%endif - --disable-warnings-as-errors - - cat spec.gmk - - make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - - popd -} - +%install 
function installjdk() { local imagepath=${1} @@ -2057,9 +1759,6 @@ function installjdk() { find ${imagepath} -iname '*.so' -exec chmod +x {} \; find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - # Turn on system security properties sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ ${imagepath}/conf/security/java.security @@ -2073,12 +1772,8 @@ function installjdk() { # Install cacerts symlink needed by some apps which hard-code the path ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # alt-java man and bianry are here from portables. Or not? fi } 
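Review bot: The added comment `# alt-java man and bianry are here from portables. Or not?` records an open question instead of settling it, and the lines that used to create `man/man1/%{alt_java_name}.1` are gone. %check still greps for `set_speculation` in `bin/%{alt_java_name}`, so the hardened launcher itself is covered, but nothing confirms the man page is present in the unpacked image. I would replace the comment with a test such as `[ -f ${imagepath}/man/man1/%{alt_java_name}.1 ] || { echo "alt-java man page missing from portable" ; exit 1 ; }`. `installjdk` begins in an earlier hunk; only its tail is visible here.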
@@ -2158,94 +1853,49 @@ EOF fi } -%if %{build_hotspot_first} - # Build a fresh libjvm.so first and use it to bootstrap - cp -LR --preserve=mode,timestamps %{bootjdk} newboot - systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server -%else - systemjdk=%{bootjdk} -%endif - for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then - debugbuild=release + debugbuild="" else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` + # change - something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` fi - - - for loop in %{main_suffix} %{staticlibs_loop} ; do - - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. 
- if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} - fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi -%if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi - - done # end of main / staticlibs loop - - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - # Check debug symbols were built into the dynamic libraries - debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - - # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release - + # Final setup on the untarred images + # TODO revisit. jre may be complety useless to unpack and process, + # as all the files are taken from JDK tarball ans put to packages manually. 
+ # jre tarball may be usefull for checking integrity of jre and jre headless subpackages + #for jdkjre in jdk jre ; do + for jdkjre in jdk ; do + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} + installjdk ${top_dir_abs_main_build_path} + # Check debug symbols were built into the dynamic libraries + if [ $jdkjre == jdk ] ; then + #jdk only? + debugcheckjdk ${top_dir_abs_main_build_path} + fi + # Print release information + cat ${top_dir_abs_main_build_path}/release + done # build cycles done # end of release / debug cycle loop -%install STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do - -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif -jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + if [ "x$suffix" = "x" ] ; then + debugbuild="" + else + # change -something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` + fi + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.jdk*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} + %if %{include_staticlibs} + top_dir_abs_staticlibs_build_path=`ls -d $top_dir_abs_main_build_path/lib/static/*/glibc/` + %endif + jdk_image=${top_dir_abs_main_build_path} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} @@ -2257,7 +1907,7 @@ pushd ${jdk_image} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + cp -a $RPM_BUILD_DIR/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd 
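Review bot: Both `buildoutputdir` assignments in this hunk (`ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*` and the `.jdk*` variant in the install loop) take whatever the glob returns and use it unquoted. If more than one directory matches, `$(pwd)/${buildoutputdir}` word-splits, `installjdk` receives only the first path and the rest are ignored without an error; the `tar -xf ...*portable.jdk.*tar.xz` lines in the %prep hunk have the same ambiguity, where a second match is taken as a member name. A guard after each assignment, e.g. `[ $(echo "${buildoutputdir}" | wc -l) -eq 1 ] || { echo "expected one portable dir, got: ${buildoutputdir}" ; exit 1 ; }`, makes the build stop instead. The inner `for jdkjre in jdk` loop and its `[ $jdkjre == jdk ]` test are single-valued and could be dropped until the jre tarball is actually processed.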
@@ -2280,8 +1930,7 @@ pushd ${jdk_image} # Convert man pages to UTF8 encoding iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp mv -f $manpage.tmp $manpage - install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \ - $manpage .1)-%{uniquesuffix -- $suffix}.1 + install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename $manpage .1)-%{uniquesuffix -- $suffix}.1 done # Remove man pages from jdk image rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man 
@@ -2291,29 +1940,34 @@ popd # Install static libs artefacts %if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} -cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} +cp -a ${top_dir_abs_staticlibs_build_path}/*.a $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} %endif if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=javadocs.zip + cp -a ${top_dir_abs_main_build_path}/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path} + pushd $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + unzip ${top_dir_abs_main_build_path}/${built_doc_archive} + popd fi # Install release notes commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} +cp -a ${top_dir_abs_main_build_path}/NEWS ${commondocdir} # Install icons and menu entries for s in 16 24 32 48 ; do + # TODO!! publish in portables! 
+ mkdir -p ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/ #remove this line to once published + echo "PALCEHOLDER TODO REMOVE.ME" > ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ - $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png + ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done # Install desktop files @@ -2327,10 +1981,6 @@ done # See https://bugzilla.redhat.com/show_bug.cgi?id=741821 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs -# copy samples next to demos; samples are mostly js files -cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - - # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib @@ -2344,11 +1994,18 @@ pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib popd # end moving files to /etc +#TODO this is done also i portables and in install jdk. But hard to say where the operation will hapen at the end # stabilize permissions find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +#TODO conslut this clean up +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/NEWS #is in commondocdir. Ok ot go, or also pack +if [ "x$suffix" = "x" ] ; then + rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/javadocs.zip #is in subpackages, 1 renamed, 2nd unpacked +fi +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/libfreetype.so #bug in portables? bug in rpms? # end, dual install done 
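Review bot: The icon loop now writes the text `PALCEHOLDER TODO REMOVE.ME` into `java-icon${s}.png` and installs it under `%{_datadir}/icons/hicolor`, so the package would ship four files named .png that are not images. Since the hunk already marks this as temporary, I would keep stand-ins out of the package: either carry the real PNGs with the spec until the portable publishes them, or drop the `mkdir`/`echo` pair and guard the install with `[ -f ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ] || exit 1`. The new `unzip` call in the same hunk also needs `unzip` in the buildroot, and no `BuildRequires: unzip` is visible in this part of the diff.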
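Review bot: `rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/libfreetype.so` deletes the bundled FreeType from the image, while the earlier hunk that drops the `%if %{system_libs}` / `%else` pair leaves `Provides: bundled(freetype) = 2.12.1` declared unconditionally. The two need to agree, because bundled() Provides are what tracking of embedded library copies relies on: if the library is removed, the Provides should go and a dependency on the system freetype should replace it (none is visible here); if it stays, the `rm` should go. The trailing `#bug in portables? bug in rpms?` leaves that decision open, so I would resolve it before merging and replace the question with a comment stating which library the packaged JDK is expected to load.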
@@ -2395,15 +2052,17 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" +#TODO skipped vendor check. It now points to PORTABLE version of jdk. +#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" %if ! 0%{?flatpak} # Check translations are available for new timezones (during flatpak builds, the # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +#TODO doublecheck tzdata handling +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE || echo "TZDATA no longer can be synced with system, because we repack" +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR || echo "TZDATA no longer can be synced with system, because we repack" %endif %if %{include_staticlibs} @@ -2673,6 +2332,15 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 26 2023 Jiri Vanek - 1:19.0.2.0.7-2.rolling +- repacked portables +- todo icons +- disabled tzdata tests - todo, resolve +- left some duplicated "final tunings" +- todo, lost alt java manpage.. probably already in portables +- TODO conslut this clean up - javdoc, freetype and NEWS +- todo, debuginfo + * Thu Jan 26 2023 Andrew Hughes - 1:17.0.6.0.10-1 - Update to jdk-17.0.6.0+10 - Update release notes to 17.0.6.0+10 diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/nss.cfg.in +++ /dev/null 
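Review bot: Appending `|| echo "TZDATA no longer can be synced with system, because we repack"` to both `%{SOURCE18}` runs means those tests can no longer fail %check, and the vendor check on `%{SOURCE16}` is commented out while its `javac` line still runs. A masked test is hard to tell from a passing one in the build log, so I would make the skip explicit with a spec conditional around the two java invocations and a comment such as `# tzdata test skipped for repacked portables (see TODO); re-enable once tzdb.dat handling is settled`. For the vendor check, running it with the values the portable build is expected to report would keep the test meaningful instead of compiling a class that is never executed.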
@@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
diff --git a/openjdk_news.sh b/openjdk_news.sh
deleted file mode 100755
index 560b356..0000000
--- a/openjdk_news.sh
+++ /dev/null
@@ -1,76 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Red Hat, Inc. -# Written by Andrew John Hughes , 2012-2022 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -OLD_RELEASE=$1 -NEW_RELEASE=$2 -SUBDIR=$3 -REPO=$4 -SCRIPT_DIR=$(dirname ${0}) - -if test "x${SUBDIR}" = "x"; then - echo "No subdirectory specified; using ."; - SUBDIR="."; -fi - -if test "x$REPO" = "x"; then - echo "No repository specified; using ${PWD}" - REPO=${PWD} -fi - -if test x${TMPDIR} = x; then - TMPDIR=/tmp; -fi - -echo "Repository: ${REPO}" - -if [ -e ${REPO}/.git ] ; then - TYPE=git; -elif [ -e ${REPO}/.hg ] ; then - TYPE=hg; -else - echo "No Mercurial or Git repository detected."; - exit 1; -fi - -if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then - echo "ERROR: Need to specify old and new release"; - exit 2; -fi - -echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes -for repos in . 
$(${SCRIPT_DIR}/discover_trees.sh ${REPO}); -do - if test "x$TYPE" = "xhg"; then - hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ - sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; - hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; - else - git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ - sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; - touch ${TMPDIR}/fixes3 ; # unused - fi -done - -sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 - -echo "In ${TMPDIR}/fixes:" -cat ${TMPDIR}/fixes diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh deleted file mode 100644 index 25c2fc8..0000000 --- a/remove-intree-libraries.sh +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/bin/sh - -# Arguments: -TREE=${1} -TYPE=${2} - -ZIP_SRC=src/java.base/share/native/libzip/zlib/ -FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ -JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ -GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ -PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ -LCMS_SRC=src/java.desktop/share/native/liblcms/ - -if test "x${TREE}" = "x"; then - echo "$0 (MINIMAL|FULL)"; - exit 1; -fi - -if test "x${TYPE}" = "x"; then - TYPE=minimal; -fi - -if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then - echo "Type must be minimal or full"; - exit 2; -fi - -echo "Removing in-tree libraries from ${TREE}" -echo "Cleansing operation: ${TYPE}"; - -cd ${TREE} - -echo "Removing built-in libs (they will be linked)" - -# On full runs, allow for zlib & freetype having already been deleted by minimal -echo "Removing zlib" -if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then - echo "${ZIP_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${ZIP_SRC} -echo "Removing freetype" -if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then - echo "${FREETYPE_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${FREETYPE_SRC} - -# Minimal is limited to just zlib and freetype so finish here -if test "x${TYPE}" = "xminimal"; then - echo "Finished."; - exit 0; -fi - -echo "Removing libjpeg" -if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist - echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." 
- exit 1 -fi - -rm -vf ${JPEG_SRC}/jcomapi.c -rm -vf ${JPEG_SRC}/jdapimin.c -rm -vf ${JPEG_SRC}/jdapistd.c -rm -vf ${JPEG_SRC}/jdcoefct.c -rm -vf ${JPEG_SRC}/jdcolor.c -rm -vf ${JPEG_SRC}/jdct.h -rm -vf ${JPEG_SRC}/jddctmgr.c -rm -vf ${JPEG_SRC}/jdhuff.c -rm -vf ${JPEG_SRC}/jdhuff.h -rm -vf ${JPEG_SRC}/jdinput.c -rm -vf ${JPEG_SRC}/jdmainct.c -rm -vf ${JPEG_SRC}/jdmarker.c -rm -vf ${JPEG_SRC}/jdmaster.c -rm -vf ${JPEG_SRC}/jdmerge.c -rm -vf ${JPEG_SRC}/jdphuff.c -rm -vf ${JPEG_SRC}/jdpostct.c -rm -vf ${JPEG_SRC}/jdsample.c -rm -vf ${JPEG_SRC}/jerror.c -rm -vf ${JPEG_SRC}/jerror.h -rm -vf ${JPEG_SRC}/jidctflt.c -rm -vf ${JPEG_SRC}/jidctfst.c -rm -vf ${JPEG_SRC}/jidctint.c -rm -vf ${JPEG_SRC}/jidctred.c -rm -vf ${JPEG_SRC}/jinclude.h -rm -vf ${JPEG_SRC}/jmemmgr.c -rm -vf ${JPEG_SRC}/jmemsys.h -rm -vf ${JPEG_SRC}/jmemnobs.c -rm -vf ${JPEG_SRC}/jmorecfg.h -rm -vf ${JPEG_SRC}/jpegint.h -rm -vf ${JPEG_SRC}/jpeglib.h -rm -vf ${JPEG_SRC}/jquant1.c -rm -vf ${JPEG_SRC}/jquant2.c -rm -vf ${JPEG_SRC}/jutils.c -rm -vf ${JPEG_SRC}/jcapimin.c -rm -vf ${JPEG_SRC}/jcapistd.c -rm -vf ${JPEG_SRC}/jccoefct.c -rm -vf ${JPEG_SRC}/jccolor.c -rm -vf ${JPEG_SRC}/jcdctmgr.c -rm -vf ${JPEG_SRC}/jchuff.c -rm -vf ${JPEG_SRC}/jchuff.h -rm -vf ${JPEG_SRC}/jcinit.c -rm -vf ${JPEG_SRC}/jconfig.h -rm -vf ${JPEG_SRC}/jcmainct.c -rm -vf ${JPEG_SRC}/jcmarker.c -rm -vf ${JPEG_SRC}/jcmaster.c -rm -vf ${JPEG_SRC}/jcparam.c -rm -vf ${JPEG_SRC}/jcphuff.c -rm -vf ${JPEG_SRC}/jcprepct.c -rm -vf ${JPEG_SRC}/jcsample.c -rm -vf ${JPEG_SRC}/jctrans.c -rm -vf ${JPEG_SRC}/jdtrans.c -rm -vf ${JPEG_SRC}/jfdctflt.c -rm -vf ${JPEG_SRC}/jfdctfst.c -rm -vf ${JPEG_SRC}/jfdctint.c -rm -vf ${JPEG_SRC}/jversion.h -rm -vf ${JPEG_SRC}/README - -echo "Removing giflib" -if [ ! -d ${GIF_SRC} ]; then - echo "${GIF_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${GIF_SRC} - -echo "Removing libpng" -if [ ! -d ${PNG_SRC} ]; then - echo "${PNG_SRC} does not exist. Refusing to proceed." 
- exit 1 -fi -rm -rvf ${PNG_SRC} - -echo "Removing lcms" -if [ ! -d ${LCMS_SRC} ]; then - echo "${LCMS_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -vf ${LCMS_SRC}/cmscam02.c -rm -vf ${LCMS_SRC}/cmscgats.c -rm -vf ${LCMS_SRC}/cmscnvrt.c -rm -vf ${LCMS_SRC}/cmserr.c -rm -vf ${LCMS_SRC}/cmsgamma.c -rm -vf ${LCMS_SRC}/cmsgmt.c -rm -vf ${LCMS_SRC}/cmshalf.c -rm -vf ${LCMS_SRC}/cmsintrp.c -rm -vf ${LCMS_SRC}/cmsio0.c -rm -vf ${LCMS_SRC}/cmsio1.c -rm -vf ${LCMS_SRC}/cmslut.c -rm -vf ${LCMS_SRC}/cmsmd5.c -rm -vf ${LCMS_SRC}/cmsmtrx.c -rm -vf ${LCMS_SRC}/cmsnamed.c -rm -vf ${LCMS_SRC}/cmsopt.c -rm -vf ${LCMS_SRC}/cmspack.c -rm -vf ${LCMS_SRC}/cmspcs.c -rm -vf ${LCMS_SRC}/cmsplugin.c -rm -vf ${LCMS_SRC}/cmsps2.c -rm -vf ${LCMS_SRC}/cmssamp.c -rm -vf ${LCMS_SRC}/cmssm.c -rm -vf ${LCMS_SRC}/cmstypes.c -rm -vf ${LCMS_SRC}/cmsvirt.c -rm -vf ${LCMS_SRC}/cmswtpnt.c -rm -vf ${LCMS_SRC}/cmsxform.c -rm -vf ${LCMS_SRC}/lcms2.h -rm -vf ${LCMS_SRC}/lcms2_internal.h -rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index 3042186..0000000 --- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java ---- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 -+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 -@@ -595,7 +595,11 @@ - toolkit = new HeadlessToolkit(toolkit); - } - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; 
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index 6d2342a..0000000 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index adfaf57d29e..abf89bbf327 100644 ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # Security providers used when FIPS mode support is active diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch deleted file mode 100644 index 5e2b254..0000000 --- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100 -+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100 -@@ -48,8 +48,8 @@ - - private final static String PROP_NAME = "sun.security.smartcardio.library"; - -- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; -+ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; - private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch deleted file mode 100644 index 88f5e5a..0000000 --- a/rh1750419-redhat_alt_java.patch +++ /dev/null 
@@ -1,117 +0,0 @@
-diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
-index 700ddefda49..2882de68eb2 100644
---- openjdk.orig/make/modules/java.base/Launcher.gmk
-+++ openjdk/make/modules/java.base/Launcher.gmk
-@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
- OPTIMIZATION := HIGH, \
- ))
-
-+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
-+$(eval $(call SetupBuildLauncher, alt-java, \
-+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
-+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
-+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
-+ OPTIMIZATION := HIGH, \
-+))
-+
- ifeq ($(call isTargetOs, windows), true)
- $(eval $(call SetupBuildLauncher, javaw, \
- CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
-diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
-new file mode 100644
-index 00000000000..697df2898ac
---- /dev/null
-+++ openjdk/src/java.base/share/native/launcher/alt_main.h
-@@ -0,0 +1,73 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#ifdef REDHAT_ALT_JAVA
-+
-+#include
-+
-+
-+/* Per task speculation control */
-+#ifndef PR_GET_SPECULATION_CTRL
-+# define PR_GET_SPECULATION_CTRL 52
-+#endif
-+#ifndef PR_SET_SPECULATION_CTRL
-+# define PR_SET_SPECULATION_CTRL 53
-+#endif
-+/* Speculation control variants */
-+#ifndef PR_SPEC_STORE_BYPASS
-+# define PR_SPEC_STORE_BYPASS 0
-+#endif
-+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
-+
-+#ifndef PR_SPEC_NOT_AFFECTED
-+# define PR_SPEC_NOT_AFFECTED 0
-+#endif
-+#ifndef PR_SPEC_PRCTL
-+# define PR_SPEC_PRCTL (1UL << 0)
-+#endif
-+#ifndef PR_SPEC_ENABLE
-+# define PR_SPEC_ENABLE (1UL << 1)
-+#endif
-+#ifndef PR_SPEC_DISABLE
-+# define PR_SPEC_DISABLE (1UL << 2)
-+#endif
-+#ifndef PR_SPEC_FORCE_DISABLE
-+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
-+#endif
-+#ifndef PR_SPEC_DISABLE_NOEXEC
-+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
-+#endif
-+
-+static void set_speculation() __attribute__((constructor));
-+static void set_speculation() {
-+ if ( prctl(PR_SET_SPECULATION_CTRL,
-+ PR_SPEC_STORE_BYPASS,
-+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
-+ return;
-+ }
-+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
-+}
-+
-+#endif // REDHAT_ALT_JAVA
-diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
-index b734fe2ba78..79dc8307650 100644
---- openjdk.orig/src/java.base/share/native/launcher/main.c
-+++ openjdk/src/java.base/share/native/launcher/main.c
-@@ -34,6 +34,14 @@
- #include "jli_util.h"
- #include "jni.h"
-
-+#ifdef REDHAT_ALT_JAVA
-+#if defined(__linux__) && defined(__x86_64__)
-+#include "alt_main.h"
-+#else
-+#warning alt-java requested but SSB mitigation not available on this platform.
-+#endif
-+#endif
-+
- #ifdef _MSC_VER
- #if _MSC_VER > 1400 && _MSC_VER < 1600
-
diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
deleted file mode 100644
index 1b706a1..0000000
--- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Remove uses of FAR in jpeg code
-
-Upstream libjpeg-trubo removed the (empty) FAR macro:
-http://sourceforge.net/p/libjpeg-turbo/code/1312/
-
-Adjust our code to not use the undefined FAR macro anymore.
-
-diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-@@ -1385,7 +1385,7 @@
- /* and fill it in */
- dst_ptr = icc_data;
- for (seq_no = first; seq_no < last; seq_no++) {
-- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
-+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
- unsigned int length =
- icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
-
diff --git a/sources b/sources
index bf52ee4..3bbbb1b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.6+10.tar.xz) = 2878aae52e2f49146b9631e3b0379370dce1a0a620dc5c5b763d1432b82e705e3aa33a83008391b4845bf0cb493b08179e7ac3419f597fb80fd65df393e12cf1