The package rpms/java-17-openjdk.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=ee...
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk.git/commit/?id=db....
Change:
+%ifarch noarch
+%ifarch %{zero_arches}
Thanks.
Full change:
============
commit 39fcd54de766e759b3ee516f9d9977a8b064a1b6
Author: Jiri <jvanek(a)redhat.com>
Date: Thu Apr 28 16:34:27 2022 +0200
Reverted: moved to become system jdk; not applicable to f35 and down
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 121bd41..498970e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -100,7 +100,7 @@
# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk
stops to be an techpreview, move it to 1
# as sytem JDK, we mean any JDK which can run whole system java stack without issues
(like bytecode issues, module issues, dependencies...)
-%global is_system_jdk 1
+%global is_system_jdk 0
%global aarch64 aarch64 arm64 armv8
# we need to distinguish between big and little endian PPC64
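Review bot: setting `%global is_system_jdk 0` by hand right after the rawhide merge means this revert has to be repeated on every future merge into f35 and older branches. Since the commit message says the value is "not applicable to f35 and down", consider making the definition conditional on the release (for example a `%if 0%{?fedora} > 35` block that sets 1, with 0 in the `%else`), so the spec can stay identical across branches. The context comment above it also has typos ("sytem", "an techpreview") that could be fixed while this line is being touched.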
@@ -2577,9 +2577,6 @@ cjc.mainProgram(args)
- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on
aarch64)
- Need to support noarch for creating source RPMs for non-scratch builds.
-* Fri Feb 04 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.2.0.8-4
-- moved to become system jdk
-
* Fri Feb 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-2
- Temporarily move x86 to use Zero in order to get a working build
- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on
x86_32 for stack alignment
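Review bot: deleting the `1:17.0.2.0.8-4` "moved to become system jdk" entry leaves nothing in this branch's %changelog that says `is_system_jdk` went back to 0, and it makes the changelog diverge from rawhide, which invites a conflict in this region on the next merge. If that entry was ever part of a published build here, add a new dated entry recording the revert instead of removing the old one; if it never shipped on this branch, say so in the commit message.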
commit e5bfe5ebd7823f8c32f3822aeeb4a167d4266411
Merge: b44b85d 3cbe105
Author: Jiri <jvanek(a)redhat.com>
Date: Thu Apr 28 16:24:02 2022 +0200
Merge branch 'rawhide' into f35
commit 3cbe105c02a34a9a45c741b1e5ea997241cfb84b
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Sun Apr 24 22:13:48 2022 +0100
April 2022 security update to jdk 17.0.3+7
Update release notes to 17.0.3.0+7
Update README.md and generate_source_tarball.sh to match CentOS
Switch to GA mode for release
JDK-8283911 patch no longer needed now we're GA...
diff --git a/.gitignore b/.gitignore
index a07e974..9d53f89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,5 @@
/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
/openjdk-jdk17u-jdk-17.0.3+1.tar.xz
/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
+/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
+/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
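Review bot: the first added line ignores `openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz`, but no tarball of that name appears in the `sources` change of this commit and the commit message does not mention it. If it was only an intermediate pre-release archive, a word in the commit message would explain why it is listed; otherwise the entry can be dropped so .gitignore mirrors the archives the spec actually uses.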
diff --git a/NEWS b/NEWS
index 7c85481..b0e58ad 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,25 @@ Live versions of these release notes can be found at:
*
https://bitly.com/openjdk1703
*
https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
+* Security fixes
+ - JDK-8269938: Enhance XML processing passes redux
+ - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+ - JDK-8272255: Completely handle MIDI files
+ - JDK-8272261: Improve JFR recording file processing
+ - JDK-8272588: Enhanced recording parsing
+ - JDK-8272594: Better record of recordings
+ - JDK-8274221: More definite BER encodings
+ - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
+ - JDK-8275151, CVE-2022-21443: Improved Object Identification
+ - JDK-8277227: Better identification of OIDs
+ - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
+ - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+ - JDK-8278356: Improve file creation
+ - JDK-8278449: Improve keychain support
+ - JDK-8278798: Improve supported intrinsic
+ - JDK-8278805: Enhance BMP image loading
+ - JDK-8278972, CVE-2022-21496: Improve URL supports
+ - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- JDK-8177814: jdk/editpad is not in jdk TEST.groups
- JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
@@ -79,7 +98,6 @@ Live versions of these release notes can be found at:
- JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- JDK-8274935: dumptime_table has stale entry
- JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class
info
- - JDK-8275082: Update XML Security for Java to 2.3.0
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() ||
n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by
definitions
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as
Files.getLastModifiedTime
@@ -175,7 +193,11 @@ Live versions of these release notes can be found at:
- JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- JDK-8281460: Let ObjectMonitor have its own NMT category
- JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after
JDK-8278972
+ - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix
of spaces character
- JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
+ - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+ - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
Notes on individual issues:
===========================
diff --git a/README.md b/README.md
index 079e78c..3bfd7d2 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,13 @@
-Package of LTS OpenJDK 17
-OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6
months only.
+OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
-JDK17 is last LTS release of Java platform. It is bringing many cool improvements -
http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be
maintained for several years. You will always be allowed to install Used LTSs in build
root, and alongside via alternatives.
+*
https://fedoraproject.org/wiki/Changes/Java17
-See announcement:
http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
-See java SIG plans:
https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
+release page for OpenJDK 17 and the preceding interim releases:
-https://fedoraproject.org/wiki/Changes/Java17
-https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview
+* 12:
https://openjdk.java.net/projects/jdk/12/
+* 13:
https://openjdk.java.net/projects/jdk/13/
+* 14:
https://openjdk.java.net/projects/jdk/14/
+* 15:
https://openjdk.java.net/projects/jdk/15/
+* 16:
https://openjdk.java.net/projects/jdk/16/
+* 17:
https://openjdk.java.net/projects/jdk/17/
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index 1a019ff..bf21bc4 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -8,8 +8,8 @@
#
# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
# PROJECT_NAME=openjdk
-# REPO_NAME=jdk16
-# VERSION=HEAD
+# REPO_NAME=jdk17u
+# VERSION=jdk-17.0.3+5
# or to eg prepare systemtap:
# icedtea7's jstack and other tapsets
# VERSION=6327cf1cea9e
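Review bot: the updated example sets `VERSION=jdk-17.0.3+5`, while the same commit moves the spec to `buildver 7`, so the usage comment is one build behind as soon as it lands. Either use the tag this commit packages, or word the example generically (for instance by pointing at the spec's `vcstag` value) so it does not need editing on every update.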
@@ -130,7 +130,7 @@ pushd "${FILE_NAME_ROOT}"
# get PR3823.patch (from
http://icedtea.classpath.org/hg/icedtea16) from
most correct tag
# Do not push it or publish it (see
https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
echo "PR3823 not found. Downloading..."
- wget
https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+ wget
https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.p...
echo "Applying ${PWD}/pr3823.patch"
patch -Np1 < pr3823.patch
rm pr3823.patch
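Review bot: the `wget` line fetches `pr3823.patch` from `raw-file/tip` on a new host and the next lines feed it straight into `patch -Np1`, with no pinned changeset and no checksum check. Because the result ends up inside the source tarball whose SHA512 is then recorded in `sources`, whatever that URL serves at generation time becomes trusted input. Pin the URL to a specific changeset id rather than `tip` and verify a known digest before applying, or keep the patch in dist-git alongside the script. The comment above the download still names `icedtea.classpath.org` for the repository, so it no longer matches the host actually used.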
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index eefa952..121bd41 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -333,7 +333,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 5
+%global buildver 7
%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
@@ -353,11 +353,14 @@
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version
used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done;
echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
# Define milestone (EA for pre-releases, GA for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global build_type GA
%global expected_ea_designator ""
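Review bot: in the comment block just above `is_ga`, the GA line reads `N%%{?extraver}{?dist}` and is missing the `%%` before `{?dist}` that the EA line has; worth fixing while this block is being edited. On the new `vcstag` macro, the comment could also state that its value must equal the `VERSION` passed to generate_source_tarball.sh, since nothing in the spec enforces that the two stay in step.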
@@ -1249,9 +1252,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and
GPL+ and GPLv
URL:
http://openjdk.java.net/
-# to regenerate source0 (jdk) run update_package.sh
-# update_package.sh contains hard-coded repos, revisions, tags, and projects to
regenerate the source archives
-Source0:
openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1342,8 +1344,6 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
#############################################
# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
Patch7: jdk8282004-x86_32-missing_call_effects.patch
-# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-Patch2001: jdk8283911-default_promoted_version_pre.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1769,8 +1769,6 @@ popd # openjdk
%patch1017
%patch1018
-%patch2001
-
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -2541,6 +2539,13 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Apr 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Update release notes to 17.0.3.0+7
+- Update README.md and generate_source_tarball.sh to match CentOS
+- Switch to GA mode for release
+- JDK-8283911 patch no longer needed now we're GA...
+
* Wed Apr 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.5-0.1.ea
- Update to jdk-17.0.3.0+5
- Update release notes to 17.0.3.0+5
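Review bot: the new `1:17.0.3.0.7-1` entry says "April 2022 security update" but names none of the CVEs that the NEWS change in this commit lists (CVE-2022-21426, CVE-2022-21476, CVE-2022-21443, CVE-2022-21449, CVE-2022-21434, CVE-2022-21496). Adding the ids to the changelog lets anyone checking an installed package with `rpm -q --changelog` confirm the fixes are present without opening NEWS.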
diff --git a/jdk8283911-default_promoted_version_pre.patch
b/jdk8283911-default_promoted_version_pre.patch
deleted file mode 100644
index b94cbd5..0000000
--- a/jdk8283911-default_promoted_version_pre.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-commit 37807a694f89611f60880260d2bb7162908bc0c8
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Wed Mar 30 04:19:43 2022 +0100
-
- 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
-
-diff --git openjdk.orig/make/conf/version-numbers.conf
openjdk/make/conf/version-numbers.conf
-index 71b19762f2e..7378ec67a48 100644
---- openjdk.orig/make/conf/version-numbers.conf
-+++ openjdk/make/conf/version-numbers.conf
-@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
- DEFAULT_VERSION_DOCS_API_SINCE=11
- DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
- DEFAULT_JDK_SOURCE_TARGET_VERSION=17
--DEFAULT_PROMOTED_VERSION_PRE=
-+DEFAULT_PROMOTED_VERSION_PRE=ea
diff --git a/sources b/sources
index dda3fdf..e4816a7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) =
97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) =
a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160
+SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) =
9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567
commit a29fc2e2664f82174bee5f1e6956cbce2f0d2127
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Wed Apr 13 03:34:46 2022 +0100
Update to jdk-17.0.3.0+5
Update release notes to 17.0.3.0+5
diff --git a/.gitignore b/.gitignore
index fa4239b..a07e974 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
/openjdk-jdk17u-jdk-17.0.3+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
diff --git a/NEWS b/NEWS
index 50b37ae..7c85481 100644
--- a/NEWS
+++ b/NEWS
@@ -32,14 +32,21 @@ Live versions of these release notes can be found at:
- JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when
expecting 'VM operation took too long'
- JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address
already in use error
- JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java
failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar
replaced objects"
+ - JDK-8270117: Broken jtreg link in "Building the JDK" page
- JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI
monitor
- JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to
cmoving identity
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom
sensitive PKCS11 key
- JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8271506: Add ResourceHashtable support for deleting selected entries
+ - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
+ - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger
multiplication
- JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
+ - JDK-8272600: (test) Use native "sleep" in Basic.java
+ - JDK-8272866: java.util.random package summary contains incorrect mixing function in
table
+ - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is
enabled
- JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- JDK-8273277: C2: Move conditional negation into rc_predicate
- JDK-8273341: Update Siphash to version 1.0
@@ -51,6 +58,7 @@ Live versions of these release notes can be found at:
- JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- JDK-8273526: Extend the OSContainer API pids controller with pids.current
- JDK-8273634: [TEST_BUG] Improve
javax/swing/text/ParagraphView/6364882/bug6364882.java
+ - JDK-8273655: content-types.properties files are missing some common types
- JDK-8273682: Upgrade Jline to 3.20.0
- JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform
transform takes long time
- JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size
with TieredStopAtLevel=2,3
@@ -58,8 +66,12 @@ Live versions of these release notes can be found at:
- JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
- JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content
type" mismatches
- JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
+ - JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
+ - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
+ - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if
supported when using OverlayFS
- JDK-8274658: ISO 4217 Amendment 170 Update
- JDK-8274714: Incorrect verifier protected access error message
- JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
@@ -69,6 +81,7 @@ Live versions of these release notes can be found at:
- JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class
info
- JDK-8275082: Update XML Security for Java to 2.3.0
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() ||
n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by
definitions
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as
Files.getLastModifiedTime
- JDK-8275586: Zero: Simplify interpreter initialization
- JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
@@ -81,6 +94,7 @@ Live versions of these release notes can be found at:
- JDK-8275847: Scheduling fails with "too many D-U pinch points" on small
method
- JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- JDK-8276057: Update JMH devkit to 1.33
+ - JDK-8276141: XPathFactory set/getProperty method
- JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed
with "assert(def_ik->is_being_redefined()) failed: should be being redefined to
get here"
- JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- JDK-8276623: JDK-8275650 accidentally pushed "out" file
@@ -88,32 +102,42 @@ Live versions of these release notes can be found at:
- JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
+ - JDK-8276841: Add support for Visual Studio 2022
- JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation
"reproducible"
- JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for
Arm Neoverse N1
- JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
+ - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in
InstanceKlass::jni_id_for
+ - JDK-8277383: VM.metaspace optionally show chunk freelist details
- JDK-8277385: Zero: Enable CompactStrings support
- JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed:
not last
- JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
+ - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May
2022
- JDK-8277497: Last column cell in the JTable row is read as empty cell
- JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with
"OnSpinWaitInst with the expected value 'isb' not found."
+ - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in
x86_32.ad
+ - JDK-8277795: ldap connection timeout not honoured under contention
- JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR
recording
- JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- JDK-8278016: Add compiler tests to tier{2,3}
- JDK-8278020: ~13% variation in Renaissance-Scrabble
+ - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable
deterministic cacerts generation
- JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
+ - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on
Linux
+ - JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with
EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- JDK-8278241: Implement JVM SpinPause on linux-aarch64
- JDK-8278309: [windows] use of uninitialized OSThread::_state
- JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
different openssl output
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15
machine
- JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of
T_INT
- JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
@@ -124,6 +148,7 @@ Live versions of these release notes can be found at:
- JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- JDK-8278824: Uneven work distribution when scanning heap roots in G1
- JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in
__write_sample_info__
- JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
@@ -131,18 +156,35 @@ Live versions of these release notes can be found at:
- JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- JDK-8279379: GHA: Print tests that are in error
+ - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after
8278344
- JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to
it
- JDK-8279445: Update JMH devkit to 1.34
- JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
+ - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to
run on C1 also
- JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub:
predicate_failed_trap_id"
- JDK-8280002: jmap -histo may leak stream
- JDK-8280155: [PPC64, s390] frame size checks are not yet correct
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- JDK-8280414: Memory leak in DefaultProxySelector
- JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
+ - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
+ - JDK-8281460: Let ObjectMonitor have its own NMT category
+ - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
+ - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8274791: Support for RSASSA-PSS in OCSP Response
+====================================================
+An OCSP response signed with the RSASSA-PSS algorithm is now supported.
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
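Review bot: the added note is headed `JDK-8274791: Support for RSASSA-PSS in OCSP Response`, but the list entry added earlier in this same file is `JDK-8274471: Add support for RSASSA-PSS in OCSP Response`. The titles match and the ids differ only by transposed digits, so one of them looks like a typo; check against the upstream release notes and make the two agree.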
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 035d14c..eefa952 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -333,7 +333,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 1
+%global buildver 5
%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2541,6 +2541,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Apr 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+
* Fri Apr 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.1-0.1.ea
- Update to jdk-17.0.3.0+1
- Update release notes to 17.0.3.0+1
diff --git a/sources b/sources
index 363f8f6..dda3fdf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) =
97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) =
f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304
+SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) =
a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160
commit 52e513df50dce3236b17ac5f0fbc3bb9d6dea57e
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Fri Apr 8 17:42:37 2022 +0100
Update to jdk-17.0.3.0+1
Update release notes to 17.0.3.0+1
Switch to EA mode for 17.0.3 pre-release builds.
Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
diff --git a/.gitignore b/.gitignore
index 2bc3036..fa4239b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@
/openjdk-jdk17u-jdk-17.0.1+12.tar.xz
/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
/openjdk-jdk17u-jdk-17.0.2+8.tar.xz
+/openjdk-jdk17u-jdk-17.0.3+1.tar.xz
diff --git a/NEWS b/NEWS
index 78938f4..50b37ae 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,147 @@ Key:
JDK-X -
https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.3 (2022-04-19):
+===========================================
+Live versions of these release notes can be found at:
+ *
https://bitly.com/openjdk1703
+ *
https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
+
+* Other changes
+ - JDK-8177814: jdk/editpad is not in jdk TEST.groups
+ - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
+ - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and
NonGregorianFormatTest fail intermittently
+ - JDK-8225559: assertion error at TransTypes.visitApply
+ - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
+ - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never
fails
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
+ - JDK-8251216: Implement MD5 intrinsics on AArch64
+ - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails
with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
+ - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with
"guarantee(false) failed: wrong number of expression stack elements during
deopt"
+ - JDK-8263567: gtests don't terminate the VM safely
+ - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
+ - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
+ - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not
support it
+ - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
+ - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
+ - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
+ - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
+ - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when
expecting 'VM operation took too long'
+ - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address
already in use error
+ - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java
failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar
replaced objects"
+ - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI
monitor
+ - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to
cmoving identity
+ - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8271506: Add ResourceHashtable support for deleting selected entries
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
+ - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
+ - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
+ - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
+ - JDK-8273277: C2: Move conditional negation into rc_predicate
+ - JDK-8273341: Update Siphash to version 1.0
+ - JDK-8273351: bad tag in jdk.random module-info.java
+ - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on
macOS12
+ - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
+ - JDK-8273387: remove some unreferenced gtk-related functions
+ - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
+ - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
+ - JDK-8273526: Extend the OSContainer API pids controller with pids.current
+ - JDK-8273634: [TEST_BUG] Improve
javax/swing/text/ParagraphView/6364882/bug6364882.java
+ - JDK-8273682: Upgrade Jline to 3.20.0
+ - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform
transform takes long time
+ - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size
with TieredStopAtLevel=2,3
+ - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
+ - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
+ - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
+ - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
+ - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
+ - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
+ - JDK-8274658: ISO 4217 Amendment 170 Update
+ - JDK-8274714: Incorrect verifier protected access error message
+ - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
+ - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
+ - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
+ - JDK-8274935: dumptime_table has stale entry
+ - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class
info
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8275536: Add test to check that File::lastModified returns same time stamp as
Files.getLastModifiedTime
+ - JDK-8275586: Zero: Simplify interpreter initialization
+ - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
+ - JDK-8275610: C2: Object field load floats above its null check resulting in a
segfault
+ - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle
LongVector.neg
+ - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
+ - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows
11
+ - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch
RuntimeException
+ - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
+ - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small
method
+ - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
+ - JDK-8276057: Update JMH devkit to 1.33
+ - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed
with "assert(def_ik->is_being_redefined()) failed: should be being redefined to
get here"
+ - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
+ - JDK-8276623: JDK-8275650 accidentally pushed "out" file
+ - JDK-8276654: element-list order is non deterministic
+ - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
+ - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
+ - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
+ - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation
"reproducible"
+ - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for
Arm Neoverse N1
+ - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
+ - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
+ - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in
InstanceKlass::jni_id_for
+ - JDK-8277385: Zero: Enable CompactStrings support
+ - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed:
not last
+ - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
+ - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
+ - JDK-8277497: Last column cell in the JTable row is read as empty cell
+ - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with
"OnSpinWaitInst with the expected value 'isb' not found."
+ - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in
x86_32.ad
+ - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
+ - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR
recording
+ - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
+ - JDK-8278016: Add compiler tests to tier{2,3}
+ - JDK-8278020: ~13% variation in Renaissance-Scrabble
+ - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
+ - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
+ - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
+ - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
+ - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on
Linux
+ - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with
EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
+ - JDK-8278241: Implement JVM SpinPause on linux-aarch64
+ - JDK-8278309: [windows] use of uninitialized OSThread::_state
+ - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
different openssl output
+ - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
+ - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of
T_INT
+ - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
+ - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null,
dimmed row for last column
+ - JDK-8278604: SwingSet2 table demo does not have accessible description set for
images
+ - JDK-8278627: Shenandoah: TestHeapDump test failed
+ - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after
JDK-8262134
+ - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
+ - JDK-8278824: Uneven work distribution when scanning heap roots in G1
+ - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
+ - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in
__write_sample_info__
+ - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
+ - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
+ - JDK-8279124: VM does not handle SIGQUIT during initialization
+ - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
+ - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
+ - JDK-8279379: GHA: Print tests that are in error
+ - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to
it
+ - JDK-8279445: Update JMH devkit to 1.34
+ - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
+ - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
+ - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
+ - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub:
predicate_failed_trap_id"
+ - JDK-8280002: jmap -histo may leak stream
+ - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
+ - JDK-8280414: Memory leak in DefaultProxySelector
+ - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
+
New in release OpenJDK 17.0.2 (2022-01-18):
===========================================
Live versions of these release notes can be found at:
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 1de2899..035d14c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -305,7 +305,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 2
+%global updatever 3
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
@@ -333,8 +333,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
-%global rpmrelease 9
+%global buildver 1
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -357,7 +357,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
%global expected_ea_designator ""
@@ -1342,6 +1342,8 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
#############################################
# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
Patch7: jdk8282004-x86_32-missing_call_effects.patch
+# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
+Patch2001: jdk8283911-default_promoted_version_pre.patch
BuildRequires: autoconf
BuildRequires: automake
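Review bot: The comment on `Patch2001` names jdk-17.0.4, but the changelog in this commit packages jdk-17.0.3.0+1, so the spec alone does not explain why the patch applies to this build. Add a second comment line saying which builds need it and when it can be dropped. The entry also sits directly under `Patch7` with a number in a new 2000 range, so a one-line header comment for that range would keep the patch list readable.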
@@ -1767,6 +1769,8 @@ popd # openjdk
%patch1017
%patch1018
+%patch2001
+
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -2537,6 +2541,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Apr 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+
* Wed Apr 06 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-9
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
diff --git a/jdk8283911-default_promoted_version_pre.patch
b/jdk8283911-default_promoted_version_pre.patch
new file mode 100644
index 0000000..b94cbd5
--- /dev/null
+++ b/jdk8283911-default_promoted_version_pre.patch
@@ -0,0 +1,16 @@
+commit 37807a694f89611f60880260d2bb7162908bc0c8
+Author: Andrew Hughes <gnu.andrew(a)redhat.com>
+Date: Wed Mar 30 04:19:43 2022 +0100
+
+ 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
+
+diff --git openjdk.orig/make/conf/version-numbers.conf
openjdk/make/conf/version-numbers.conf
+index 71b19762f2e..7378ec67a48 100644
+--- openjdk.orig/make/conf/version-numbers.conf
++++ openjdk/make/conf/version-numbers.conf
+@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
+ DEFAULT_VERSION_DOCS_API_SINCE=11
+ DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
+ DEFAULT_JDK_SOURCE_TARGET_VERSION=17
+-DEFAULT_PROMOTED_VERSION_PRE=
++DEFAULT_PROMOTED_VERSION_PRE=ea
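Review bot: The embedded change sets `DEFAULT_PROMOTED_VERSION_PRE=ea` unconditionally, so it is only correct while the spec builds with `is_ga 0`. The GA branch of the spec sets `expected_ea_designator ""`, and this value would contradict it if the patch were still applied after `is_ga` goes back to 1. Record next to `is_ga`, or in the `Patch2001` comment, that the patch has to be removed when the package returns to GA.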
diff --git a/sources b/sources
index 22e666f..363f8f6 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) =
97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) =
03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719
+SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) =
f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304
commit 8a08a43c551d78d40fb56eea17a9cea27d1f3711
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Wed Apr 6 17:42:56 2022 +0100
Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 562b6c9..1de2899 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -334,7 +334,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 8
+%global rpmrelease 9
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -1332,6 +1332,8 @@ Patch1015: rh2021263-fips_missing_native_returns.patch
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS
mode
+Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
#############################################
#
@@ -1763,6 +1765,7 @@ popd # openjdk
%patch1015
%patch1016
%patch1017
+%patch1018
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -2534,6 +2537,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Apr 06 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-9
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+
* Wed Mar 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now
OpenJDK 18
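Review bot: The new changelog entry does not cite RH2052070, although the `Patch1018` comment and the patch file name both do. Append the bug ID to the entry so the change can be traced from `rpm -q --changelog` output without opening the spec.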
diff --git a/rh2052070-enable_algorithmparameters_in_fips_mode.patch
b/rh2052070-enable_algorithmparameters_in_fips_mode.patch
new file mode 100644
index 0000000..7488ea5
--- /dev/null
+++ b/rh2052070-enable_algorithmparameters_in_fips_mode.patch
@@ -0,0 +1,1182 @@
+commit 6e74f283739af0d867df01d20f82865f559a45ea
+Author: Martin Balao <mbalao(a)redhat.com>
+Date: Mon Feb 28 04:58:05 2022 +0000
+
+ RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in
FIPS mode
+
+diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+index a020e1c15d8..6d459fdec01 100644
+--- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
++++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+@@ -31,6 +31,7 @@ import java.security.SecureRandom;
+ import java.security.PrivilegedAction;
+ import java.util.HashMap;
+ import java.util.List;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.util.SecurityProviderConstants.*;
+
+@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
+
+ public final class SunJCE extends Provider {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ @java.io.Serial
+ private static final long serialVersionUID = 6812507587804302833L;
+
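Review bot: `systemFipsEnabled` is computed in a static initializer through an unchecked call chain, `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()`. If the accessor can still be unset when SunJCE is first loaded, this throws during class initialization and the provider fails to load, so either guard the result or add a comment stating what guarantees it is set first. The value is also latched for the life of the class, which deserves a one-line comment now that `putEntries()` branches on it.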
+@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
+ void putEntries() {
+ // reuse attribute map and reset before each reuse
+ HashMap<String, String> attrs = new HashMap<>(3);
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings",
"NOPADDING|PKCS1PADDING|OAEPPADDING"
+- + "|OAEPWITHMD5ANDMGF1PADDING"
+- + "|OAEPWITHSHA1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-256ANDMGF1PADDING"
+- + "|OAEPWITHSHA-384ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
+- ps("Cipher", "RSA",
+- "com.sun.crypto.provider.RSACipher", null, attrs);
+-
+- // common block cipher modes, pads
+- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
+- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
+- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
+- final String BLOCK_MODES128 = BLOCK_MODES +
+- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
+- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
+- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DES",
+- "com.sun.crypto.provider.DESCipher", null, attrs);
+- psA("Cipher", "DESede",
"com.sun.crypto.provider.DESedeCipher",
+- attrs);
+- ps("Cipher", "Blowfish",
+- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
+-
+- ps("Cipher", "RC2",
+- "com.sun.crypto.provider.RC2Cipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES128);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES",
+- "com.sun.crypto.provider.AESCipher$General", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_128/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_128/KW/PKCS5Padding",
+-
"com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_128/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_192/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_192/KW/PKCS5Padding",
+-
"com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_192/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_256/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_256/KW/PKCS5Padding",
+-
"com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_256/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "GCM");
+- attrs.put("SupportedKeyFormats", "RAW");
+-
+- ps("Cipher", "AES/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
+- attrs);
+- psA("Cipher", "AES_128/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES128",
+- attrs);
+- psA("Cipher", "AES_192/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES192",
+- attrs);
+- psA("Cipher", "AES_256/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES256",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "CBC");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DESedeWrap",
+- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "ARCFOUR",
+- "com.sun.crypto.provider.ARCFOURCipher", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "ChaCha20",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
+- null, attrs);
+- psA("Cipher", "ChaCha20-Poly1305",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
+- attrs);
+-
+- // PBES1
+- psA("Cipher", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
+- null);
+- ps("Cipher", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
+- psA("Cipher", "PBEWithSHA1AndDESede",
+-
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_40",
+-
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_128",
+-
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC4_40",
+-
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("Cipher", "PBEWithSHA1AndRC4_128",
+-
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
+- null);
+-
+- // PBES2
+- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
+-
+- /*
+- * Key(pair) Generator engines
+- */
+- ps("KeyGenerator", "DES",
+- "com.sun.crypto.provider.DESKeyGenerator");
+- psA("KeyGenerator", "DESede",
+- "com.sun.crypto.provider.DESedeKeyGenerator",
+- null);
+- ps("KeyGenerator", "Blowfish",
+- "com.sun.crypto.provider.BlowfishKeyGenerator");
+- psA("KeyGenerator", "AES",
+- "com.sun.crypto.provider.AESKeyGenerator",
+- null);
+- ps("KeyGenerator", "RC2",
+- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
+- psA("KeyGenerator", "ARCFOUR",
+-
"com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
+- null);
+- ps("KeyGenerator", "ChaCha20",
+-
"com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
+- ps("KeyGenerator", "HmacMD5",
+- "com.sun.crypto.provider.HmacMD5KeyGenerator");
+-
+- psA("KeyGenerator", "HmacSHA1",
+- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
+- psA("KeyGenerator", "HmacSHA224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
+- null);
+- psA("KeyGenerator", "HmacSHA256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
+- null);
+- psA("KeyGenerator", "HmacSHA384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
+- null);
+- psA("KeyGenerator", "HmacSHA512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
+- null);
+- psA("KeyGenerator", "HmacSHA512/224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
+- null);
+- psA("KeyGenerator", "HmacSHA512/256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
+- null);
+-
+- psA("KeyGenerator", "HmacSHA3-224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
+- null);
+- psA("KeyGenerator", "HmacSHA3-256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
+- null);
+- psA("KeyGenerator", "HmacSHA3-384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
+- null);
+- psA("KeyGenerator", "HmacSHA3-512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
+- null);
+-
+- psA("KeyPairGenerator", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyPairGenerator",
+- null);
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings",
"NOPADDING|PKCS1PADDING|OAEPPADDING"
++ + "|OAEPWITHMD5ANDMGF1PADDING"
++ + "|OAEPWITHSHA1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-256ANDMGF1PADDING"
++ + "|OAEPWITHSHA-384ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ ps("Cipher", "RSA",
++ "com.sun.crypto.provider.RSACipher", null, attrs);
++
++ // common block cipher modes, pads
++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
++ final String BLOCK_MODES128 = BLOCK_MODES +
++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
++ final String BLOCK_PADS =
"NOPADDING|PKCS5PADDING|ISO10126PADDING";
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DES",
++ "com.sun.crypto.provider.DESCipher", null, attrs);
++ psA("Cipher", "DESede",
"com.sun.crypto.provider.DESedeCipher",
++ attrs);
++ ps("Cipher", "Blowfish",
++ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
++
++ ps("Cipher", "RC2",
++ "com.sun.crypto.provider.RC2Cipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES128);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES",
++ "com.sun.crypto.provider.AESCipher$General", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES/KW/PKCS5Padding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES/KWP/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_128/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/KW/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_128/KW/PKCS5Padding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_128/KWP/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_192/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/KW/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_192/KW/PKCS5Padding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_192/KWP/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_256/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/KW/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_256/KW/PKCS5Padding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_256/KWP/NoPadding",
++
"com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "GCM");
++ attrs.put("SupportedKeyFormats", "RAW");
++
++ ps("Cipher", "AES/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
++ attrs);
++ psA("Cipher", "AES_128/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES128",
++ attrs);
++ psA("Cipher", "AES_192/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES192",
++ attrs);
++ psA("Cipher", "AES_256/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES256",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "CBC");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DESedeWrap",
++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "ARCFOUR",
++ "com.sun.crypto.provider.ARCFOURCipher", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "ChaCha20",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
++ null, attrs);
++ psA("Cipher", "ChaCha20-Poly1305",
++
"com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
++ attrs);
++
++ // PBES1
++ psA("Cipher", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
++ null);
++ ps("Cipher", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
++ psA("Cipher", "PBEWithSHA1AndDESede",
++
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_40",
++
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_128",
++
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC4_40",
++
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("Cipher", "PBEWithSHA1AndRC4_128",
++
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
++ null);
++
++ // PBES2
++ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
++
"com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
++
++ /*
++ * Key(pair) Generator engines
++ */
++ ps("KeyGenerator", "DES",
++ "com.sun.crypto.provider.DESKeyGenerator");
++ psA("KeyGenerator", "DESede",
++ "com.sun.crypto.provider.DESedeKeyGenerator",
++ null);
++ ps("KeyGenerator", "Blowfish",
++ "com.sun.crypto.provider.BlowfishKeyGenerator");
++ psA("KeyGenerator", "AES",
++ "com.sun.crypto.provider.AESKeyGenerator",
++ null);
++ ps("KeyGenerator", "RC2",
++
"com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
++ psA("KeyGenerator", "ARCFOUR",
++
"com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
++ null);
++ ps("KeyGenerator", "ChaCha20",
++
"com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
++ ps("KeyGenerator", "HmacMD5",
++ "com.sun.crypto.provider.HmacMD5KeyGenerator");
++
++ psA("KeyGenerator", "HmacSHA1",
++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
++ psA("KeyGenerator", "HmacSHA224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
++ null);
++ psA("KeyGenerator", "HmacSHA256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
++ null);
++ psA("KeyGenerator", "HmacSHA384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
++ null);
++ psA("KeyGenerator", "HmacSHA512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
++ null);
++ psA("KeyGenerator", "HmacSHA512/224",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
++ null);
++ psA("KeyGenerator", "HmacSHA512/256",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
++ null);
++
++ psA("KeyGenerator", "HmacSHA3-224",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
++ null);
++ psA("KeyGenerator", "HmacSHA3-256",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
++ null);
++ psA("KeyGenerator", "HmacSHA3-384",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
++ null);
++ psA("KeyGenerator", "HmacSHA3-512",
++
"com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
++ null);
++
++ psA("KeyPairGenerator", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyPairGenerator",
++ null);
++ }
+
+ /*
+ * Algorithm parameter generation engines
+@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
+ "DiffieHellman",
"com.sun.crypto.provider.DHParameterGenerator",
+ null);
+
+- /*
+- * Key Agreement engines
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyClasses",
"javax.crypto.interfaces.DHPublicKey" +
+- "|javax.crypto.interfaces.DHPrivateKey");
+- psA("KeyAgreement", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyAgreement",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key Agreement engines
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyClasses",
"javax.crypto.interfaces.DHPublicKey" +
++ "|javax.crypto.interfaces.DHPrivateKey");
++ psA("KeyAgreement", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyAgreement",
++ attrs);
++ }
+
+ /*
+ * Algorithm Parameter engines
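Review bot: The `if (!systemFipsEnabled) {` guard added around the "KeyAgreement" / "DiffieHellman" registration carries no comment explaining why key agreement is withdrawn in FIPS mode while the "DiffieHellman" parameter generator entry in the context lines just above stays registered. Add a one-line comment above the guard naming the provider expected to serve DH key agreement when the system is in FIPS mode, so the split between guarded and unguarded DH services can be reviewed.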
+@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
+ psA("AlgorithmParameters", "ChaCha20-Poly1305",
+ "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
+
+- /*
+- * Key factories
+- */
+- psA("KeyFactory", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyFactory",
+- null);
+-
+- /*
+- * Secret-key factories
+- */
+- ps("SecretKeyFactory", "DES",
+- "com.sun.crypto.provider.DESKeyFactory");
+-
+- psA("SecretKeyFactory", "DESede",
+- "com.sun.crypto.provider.DESedeKeyFactory", null);
+-
+- psA("SecretKeyFactory", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
+- null);
+-
+- /*
+- * Internal in-house crypto algorithm used for
+- * the JCEKS keystore type. Since this was developed
+- * internally, there isn't an OID corresponding to this
+- * algorithm.
+- */
+- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
+- null);
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
+-
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
+-
+- // PBKDF2
+- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
+- null);
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
+-
+- /*
+- * MAC
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Mac", "HmacMD5",
"com.sun.crypto.provider.HmacMD5", null, attrs);
+- psA("Mac", "HmacSHA1",
"com.sun.crypto.provider.HmacSHA1",
+- attrs);
+- psA("Mac", "HmacSHA224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
+- psA("Mac", "HmacSHA256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
+- psA("Mac", "HmacSHA384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
+- psA("Mac", "HmacSHA512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
+- psA("Mac", "HmacSHA512/224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
+- psA("Mac", "HmacSHA512/256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
+- psA("Mac", "HmacSHA3-224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
+- psA("Mac", "HmacSHA3-256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
+- psA("Mac", "HmacSHA3-384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
+- psA("Mac", "HmacSHA3-512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
+-
+- ps("Mac", "HmacPBESHA1",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
+- null, attrs);
+- ps("Mac", "HmacPBESHA224",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA256",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
+- null, attrs);
+- ps("Mac", "HmacPBESHA384",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/224",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/256",
+-
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
+- null, attrs);
+-
+-
+- // PBMAC1
+- ps("Mac", "PBEWithHmacSHA1",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
+- ps("Mac", "PBEWithHmacSHA224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null,
attrs);
+- ps("Mac", "PBEWithHmacSHA256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null,
attrs);
+- ps("Mac", "PBEWithHmacSHA384",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null,
attrs);
+- ps("Mac", "PBEWithHmacSHA512",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null,
attrs);
+- ps("Mac", "SslMacMD5",
+- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
+- ps("Mac", "SslMacSHA1",
+- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null,
attrs);
+-
+- /*
+- * KeyStore
+- */
+- ps("KeyStore", "JCEKS",
+- "com.sun.crypto.provider.JceKeyStore");
+-
+- /*
+- * SSL/TLS mechanisms
+- *
+- * These are strictly internal implementations and may
+- * be changed at any time. These names were chosen
+- * because PKCS11/SunPKCS11 does not yet have TLS1.2
+- * mechanisms, and it will cause calls to come here.
+- */
+- ps("KeyGenerator", "SunTlsPrf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V10");
+- ps("KeyGenerator", "SunTls12Prf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V12");
+-
+- ps("KeyGenerator", "SunTlsMasterSecret",
+- "com.sun.crypto.provider.TlsMasterSecretGenerator",
+- List.of("SunTls12MasterSecret",
"SunTlsExtendedMasterSecret"),
+- null);
+-
+- ps("KeyGenerator", "SunTlsKeyMaterial",
+- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
+- List.of("SunTls12KeyMaterial"), null);
+-
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ psA("KeyFactory", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyFactory",
++ null);
++
++ /*
++ * Secret-key factories
++ */
++ ps("SecretKeyFactory", "DES",
++ "com.sun.crypto.provider.DESKeyFactory");
++
++ psA("SecretKeyFactory", "DESede",
++ "com.sun.crypto.provider.DESedeKeyFactory", null);
++
++ psA("SecretKeyFactory", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
++ null);
++
++ /*
++ * Internal in-house crypto algorithm used for
++ * the JCEKS keystore type. Since this was developed
++ * internally, there isn't an OID corresponding to this
++ * algorithm.
++ */
++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
++ null);
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
++
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
++
++ // PBKDF2
++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
++ null);
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
++
++ /*
++ * MAC
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Mac", "HmacMD5",
"com.sun.crypto.provider.HmacMD5", null, attrs);
++ psA("Mac", "HmacSHA1",
"com.sun.crypto.provider.HmacSHA1",
++ attrs);
++ psA("Mac", "HmacSHA224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
++ psA("Mac", "HmacSHA256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
++ psA("Mac", "HmacSHA384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
++ psA("Mac", "HmacSHA512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
++ psA("Mac", "HmacSHA512/224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224",
attrs);
++ psA("Mac", "HmacSHA512/256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256",
attrs);
++ psA("Mac", "HmacSHA3-224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
++ psA("Mac", "HmacSHA3-256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
++ psA("Mac", "HmacSHA3-384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
++ psA("Mac", "HmacSHA3-512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
++
++ ps("Mac", "HmacPBESHA1",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
++ null, attrs);
++ ps("Mac", "HmacPBESHA224",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA256",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
++ null, attrs);
++ ps("Mac", "HmacPBESHA384",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/224",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/256",
++
"com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
++ null, attrs);
++
++
++ // PBMAC1
++ ps("Mac", "PBEWithHmacSHA1",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null,
attrs);
++ ps("Mac", "PBEWithHmacSHA224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null,
attrs);
++ ps("Mac", "PBEWithHmacSHA256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null,
attrs);
++ ps("Mac", "PBEWithHmacSHA384",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null,
attrs);
++ ps("Mac", "PBEWithHmacSHA512",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null,
attrs);
++ ps("Mac", "SslMacMD5",
++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null,
attrs);
++ ps("Mac", "SslMacSHA1",
++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null,
attrs);
++
++ /*
++ * KeyStore
++ */
++ ps("KeyStore", "JCEKS",
++ "com.sun.crypto.provider.JceKeyStore");
++
++ /*
++ * SSL/TLS mechanisms
++ *
++ * These are strictly internal implementations and may
++ * be changed at any time. These names were chosen
++ * because PKCS11/SunPKCS11 does not yet have TLS1.2
++ * mechanisms, and it will cause calls to come here.
++ */
++ ps("KeyGenerator", "SunTlsPrf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V10");
++ ps("KeyGenerator", "SunTls12Prf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V12");
++
++ ps("KeyGenerator", "SunTlsMasterSecret",
++ "com.sun.crypto.provider.TlsMasterSecretGenerator",
++ List.of("SunTls12MasterSecret",
"SunTlsExtendedMasterSecret"),
++ null);
++
++ ps("KeyGenerator", "SunTlsKeyMaterial",
++ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
++ List.of("SunTls12KeyMaterial"), null);
++
++ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
++ List.of("SunTls12RsaPremasterSecret"), null);
++ }
+ }
+
+ // Return the instance of this class or create one if needed.
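Review bot: Putting the key factory, SecretKeyFactory, Mac, KeyStore and TLS KeyGenerator registrations under `if (!systemFipsEnabled) {` by removing and re-adding every line with deeper indentation means any upstream edit to these entries will conflict with the patch, and it is hard to see whether an entry changed in passing. The guarded block runs to the closing brace of the method, so an added `if (systemFipsEnabled) { return; }` after the "ChaCha20-Poly1305" AlgorithmParameters entry would give the same result as a purely additive change. A comment there should also say that PBKDF2, the HMAC entries and the JCEKS keystore are intentionally unavailable from SunJCE in FIPS mode.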
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index 7cb5ebcde51..709d32912ca 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -193,20 +193,22 @@ public final class SunEntries {
+ String dsaKPGImplClass =
"sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" :
"Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA",
dsaKPGImplClass, attrs);
++ }
+
+- /*
+- * Algorithm Parameter Generator engines
+- */
+- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+- "sun.security.provider.DSAParameterGenerator", attrs);
+- attrs.remove("KeySize");
++ /*
++ * Algorithm Parameter Generator engines
++ */
++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
++ "sun.security.provider.DSAParameterGenerator", attrs);
++ attrs.remove("KeySize");
+
+- /*
+- * Algorithm Parameter engines
+- */
+- addWithAlias(p, "AlgorithmParameters", "DSA",
+- "sun.security.provider.DSAParameters", attrs);
++ /*
++ * Algorithm Parameter engines
++ */
++ addWithAlias(p, "AlgorithmParameters", "DSA",
++ "sun.security.provider.DSAParameters", attrs);
+
++ if (!systemFipsEnabled) {
+ /*
+ * Key factories
+ */
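Review bot: With the added `}` placed before the "DSA" AlgorithmParameterGenerator entry, that registration and `attrs.remove("KeySize")` now run whether or not the preceding block was entered; please confirm that `attrs` holds what these two `addWithAlias` calls expect when that block is skipped, since the matching `attrs.put` calls are not visible in this hunk. A short comment above the reopened `if (!systemFipsEnabled) {` stating that the DSA parameter engines are kept in FIPS mode on purpose would make the intent clear.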
+diff --git
openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+index ca79f25cc44..16c5ad2e227 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
++++ openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+@@ -27,6 +27,7 @@ package sun.security.rsa;
+
+ import java.util.*;
+ import java.security.Provider;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ /**
+@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+ */
+ public final class SunRsaSignEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private void add(Provider p, String type, String algo, String cn,
+ List<String> aliases, HashMap<String, String> attrs) {
+ services.add(new Provider.Service(p, type, algo, cn,
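Review bot: The static initializer of `systemFipsEnabled` calls `.isSystemFipsEnabled()` directly on the result of `SharedSecrets.getJavaSecuritySystemConfiguratorAccess()` with no null check, so if this class can be loaded before the accessor is set, class initialization fails with a NullPointerException. Document next to the field what guarantees the accessor is initialized first, or handle a null accessor explicitly.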
+@@ -56,49 +61,52 @@ public final class SunRsaSignEntries {
+ // start populating content using the specified provider
+ // common attribute map
+ HashMap<String, String> attrs = new HashMap<>(3);
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++
++ add(p, "KeyFactory", "RSA",
++ "sun.security.rsa.RSAKeyFactory$Legacy",
++ getAliases("PKCS1"), null);
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA",
attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA",
attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
+
+- add(p, "KeyFactory", "RSA",
+- "sun.security.rsa.RSAKeyFactory$Legacy",
+- getAliases("PKCS1"), null);
+- add(p, "KeyPairGenerator", "RSA",
+- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
+- getAliases("PKCS1"), null);
+- addA(p, "Signature", "MD2withRSA",
+- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
+- addA(p, "Signature", "MD5withRSA",
+- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
+- addA(p, "Signature", "SHA1withRSA",
+- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
+- addA(p, "Signature", "SHA224withRSA",
+- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
+- addA(p, "Signature", "SHA256withRSA",
+- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
+- addA(p, "Signature", "SHA384withRSA",
+- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
+- addA(p, "Signature", "SHA512withRSA",
+- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
+- addA(p, "Signature", "SHA512/224withRSA",
+- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
+- addA(p, "Signature", "SHA512/256withRSA",
+- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-224withRSA",
+- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
+- addA(p, "Signature", "SHA3-256withRSA",
+- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-384withRSA",
+- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
+- addA(p, "Signature", "SHA3-512withRSA",
+- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ addA(p, "KeyFactory", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
++ addA(p, "KeyPairGenerator", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
++ addA(p, "Signature", "RSASSA-PSS",
++ "sun.security.rsa.RSAPSSSignature", attrs);
++ }
+
+- addA(p, "KeyFactory", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
+ addA(p, "AlgorithmParameters", "RSASSA-PSS",
+ "sun.security.rsa.PSSParameters", null);
+ }
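Review bot: In this hunk the only registration left outside `if (!systemFipsEnabled) {` is AlgorithmParameters "RSASSA-PSS", and nothing in the code says why that one entry is exempt while every RSA KeyFactory, KeyPairGenerator and Signature is dropped. Add a comment above the guard stating this, since it is the reason the provider is still worth loading in FIPS mode.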
+diff --git openjdk.orig/src/java.base/share/conf/security/java.security
openjdk/src/java.base/share/conf/security/java.security
+index 3a322854204..5a355e70cae 100644
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -86,6 +86,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+ fips.provider.2=SUN
+ fips.provider.3=SunEC
+ fips.provider.4=SunJSSE
++fips.provider.5=SunJCE
++fips.provider.6=SunRsaSign
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
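Review bot: `fips.provider.5=SunJCE` and `fips.provider.6=SunRsaSign` are added without a comment in the file, although the `systemFipsEnabled` guards in the same patch strip most services from both providers. A comment line above the two entries saying that they are listed for their remaining services only, behind SunPKCS11 at position 1, would stop an administrator from assuming the full algorithm set of either provider is available in FIPS mode.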
commit 8c47abf37c9994a9d8283b382cf6ad45ad9fe744
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Wed Mar 30 20:15:01 2022 +0100
java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now
OpenJDK 18
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index db24254..562b6c9 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -314,7 +314,7 @@
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
-%global buildjdkver 17
+%global buildjdkver %{featurever}
# We don't add any LTS designator for STS packages (Fedora and EPEL).
# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
%if 0%{?rhel} && !0%{?epel}
@@ -1372,7 +1372,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-BuildRequires: java-latest-openjdk-devel
+BuildRequires: java-%{buildjdkver}-openjdk-devel
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -2534,6 +2534,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Mar 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
+- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now
OpenJDK 18
+
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
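Review bot: The added changelog entry is versioned 1:17.0.2.0.8-8, the same version-release as the Feb 23 entry directly below it, and no hunk in this commit touches `%global rpmrelease`. Bump the release and use the new value in the entry so this build can be told apart from the previous one.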
commit 87b704d81ec002600766d11d0563307349610ae6
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Thu Feb 24 01:09:59 2022 +0000
Detect NSS at runtime for FIPS detection
Turn off build-time NSS linking and go back to an explicit Requires on NSS
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index f6aaf78..db24254 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -334,7 +334,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 7
+%global rpmrelease 8
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -1104,6 +1104,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# Postun requires alternatives to uninstall tool alternatives
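Review bot: `Requires: nss` is neither versioned nor arch-qualified, although the library is now found with dlopen() at run time and this same commit drops the build-time floor `nss-devel >= 3.53`. Consider `Requires: nss%{?_isa}` so a multilib install pulls in the matching architecture, and carry a version floor over if the SECMOD_GetSystemFIPSEnabled lookup depends on one; otherwise the code falls back to FIPS_ENABLED_PATH without the packager noticing.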
@@ -1326,7 +1328,10 @@ Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
#
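Review bot: The bug references in this hunk do not line up: the comment added above Patch1017 says RH2052829, but the commit subject inside rh2052829-fips_runtime_nss_detection.patch reads "RH2051605: Detect NSS at Runtime for FIPS detection", and the new RH2052819 comment sits above a file still named rh2021263-fips_separate_policy_and_fips_init.patch. Settle on one ID per patch, or list both bugs in the comment, so the file name, the comment and the patch header can be matched.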
@@ -1361,8 +1366,8 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
-BuildRequires: nss-devel >= 3.53
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1757,6 +1762,7 @@ popd # openjdk
%patch1014
%patch1015
%patch1016
+%patch1017
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -1900,7 +1906,7 @@ function buildjdk() {
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
- --enable-sysconf-nss \
+ --disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=${link_opt} \
@@ -2528,6 +2534,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Feb 23 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+
* Tue Feb 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-7
- Reinstate JIT builds on x86_32.
- Add JDK-8282004 to fix missing CALL effects on x86_32.
diff --git a/rh2052829-fips_runtime_nss_detection.patch
b/rh2052829-fips_runtime_nss_detection.patch
new file mode 100644
index 0000000..c609fce
--- /dev/null
+++ b/rh2052829-fips_runtime_nss_detection.patch
@@ -0,0 +1,213 @@
+commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
+Author: Andrew Hughes <gnu.andrew(a)redhat.com>
+Date: Mon Feb 7 15:33:27 2022 +0000
+
+ RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index caf678a7dd6..8dcb7d9073f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -23,26 +23,37 @@
+ * questions.
+ */
+
+-#include <dlfcn.h>
+ #include <jni.h>
+ #include <jni_util.h>
++#include "jvm_md.h"
+ #include <stdio.h>
+
+ #ifdef SYSCONF_NSS
+ #include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
+ #endif //SYSCONF_NSS
+
+ #include "java_security_SystemConfigurator.h"
+
+-#define MSG_MAX_SIZE 96
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+
+-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
+-#ifndef SYSCONF_NSS
+-
+-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+
+ static void throwIOException(JNIEnv *env, const char *msg)
+ {
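Review bot: `getSystemFIPSEnabled` is declared without an initializer while the two statics right below it use `= NULL`, and the later `getSystemFIPSEnabled != NULL` test depends on that value. Initialize it explicitly for consistency and add a comment that NULL means NSS could not be loaded and FIPS_ENABLED_PATH is read instead.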
+@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
+ (*env)->ThrowNew(env, cls, msg);
+ }
+
+-#endif
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
+
+-static void dbgPrint(JNIEnv *env, const char* msg)
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
+ {
+- jstring jMsg;
+- if (debugObj != NULL) {
+- jMsg = (*env)->NewStringUTF(env, msg);
+- CHECK_NULL(jMsg);
+- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+- }
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle,
"SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
+ }
+
++#endif
++
+ /*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
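Review bot: closeNSS() passes `nss_handle` to dlclose() unconditionally, but loadNSS() leaves it NULL when dlopen() fails, and JNI_OnUnload calls closeNSS() in that case too; guard the call with `if (nss_handle != NULL)`. As a smaller point, the messages built in loadNSS() and closeNSS() end in "\n" although they are delivered through `debugPrintlnMethodID`, so the trailing newline can be dropped.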
+@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
+ return (*env)->GetVersion(env);
+ }
+
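Review bot: When loadNSS() returns JNI_FALSE the only trace is a dbgPrint() call, which does nothing unless `debugObj` is set, so the switch from SECMOD_GetSystemFIPSEnabled to reading FIPS_ENABLED_PATH is silent; add a comment in the `#else` branch stating that this fallback is intended. Also, `getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;` dereferences a function designator, which is legal but reads oddly; the plain function name is enough.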
+@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+ }
+@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL
Java_java_security_SystemConfigurator_getSystemFIPSEn
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+-#ifdef SYSCONF_NSS
+-
+- dbgPrint(env, "getSystemFIPSEnabled: calling
SECMOD_GetSystemFIPSEnabled");
+- fips_enabled = SECMOD_GetSystemFIPSEnabled();
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling
SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x",
fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " SECMOD_GetSystemFIPSEnabled return value");
+- }
+- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ FILE *fe;
+
+-#else // SYSCONF_NSS
+-
+- FILE *fe;
+-
+- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+- }
+- fips_enabled = fgetc(fe);
+- fclose(fe);
+- if (fips_enabled == EOF) {
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+ }
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " read character is '%c'", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
+- } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " read character");
+- }
+- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+ }
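Review bot: the else branch of getSystemFIPSEnabled is now reached at run time whenever the function pointer is NULL, which includes a failed dlopen or dlsym, but its first debug line still says only "reading " FIPS_ENABLED_PATH; say in that message that the NSS lookup was unavailable, so the log shows which source decided the FIPS state. The two throwIOException/return pairs appear as unchanged context while the enclosing if statements were re-indented into the new block, so check that their indentation still matches the new nesting.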
commit 7f8f4b1f1d276578a26e5ce7c1985abdca2986bb
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Tue Feb 8 02:13:32 2022 +0000
Reinstate JIT builds on x86_32.
Add JDK-8282004 to fix missing CALL effects on x86_32.
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a1f3aaf..f6aaf78 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -113,11 +113,11 @@
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches %{arm} %{aarch64} %{power64} s390x sparcv9 sparc64 x86_64
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64
x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
-%global zero_arches ppc s390 %{ix86}
+%global zero_arches ppc s390
# Set of architectures which run a full bootstrap cycle
-%global bootstrap_arches %{jit_arches} %{ix86}
+%global bootstrap_arches %{jit_arches}
# Set of architectures which support SystemTap tapsets
%global systemtap_arches %{jit_arches}
# Set of architectures with a Ahead-Of-Time (AOT) compiler
@@ -334,7 +334,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 6
+%global rpmrelease 7
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -1333,6 +1333,8 @@ Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# OpenJDK patches in need of upstreaming
#
#############################################
+# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
+Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1737,6 +1739,7 @@ pushd %{top_level_dir_name}
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
popd # openjdk
%patch1000
@@ -2525,6 +2528,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Feb 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-7
+- Reinstate JIT builds on x86_32.
+- Add JDK-8282004 to fix missing CALL effects on x86_32.
+
* Mon Feb 07 2022 Severin Gehwolf <sgehwolf(a)redhat.com> - 1:17.0.2.0.8-6
- Re-enable gdb backtrace check.
diff --git a/jdk8282004-x86_32-missing_call_effects.patch
b/jdk8282004-x86_32-missing_call_effects.patch
new file mode 100644
index 0000000..3efe993
--- /dev/null
+++ b/jdk8282004-x86_32-missing_call_effects.patch
@@ -0,0 +1,28 @@
+diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
+index a31a38a384f..6138ca5281f 100644
+--- a/src/hotspot/cpu/x86/x86_32.ad
++++ b/src/hotspot/cpu/x86/x86_32.ad
+@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg
cr) %{
+ %}
+
+ // Divide Register Long
+-instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx,
eBXRegI bx ) %{
++instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
+ match(Set dst (DivL src1 src2));
+- effect( KILL cr, KILL cx, KILL bx );
++ effect(CALL);
+ ins_cost(10000);
+ format %{ "PUSH $src1.hi\n\t"
+ "PUSH $src1.lo\n\t"
+@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg
cr) %{
+ %}
+
+ // Remainder Register Long
+-instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx,
eBXRegI bx ) %{
++instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
+ match(Set dst (ModL src1 src2));
+- effect( KILL cr, KILL cx, KILL bx );
++ effect(CALL);
+ ins_cost(10000);
+ format %{ "PUSH $src1.hi\n\t"
+ "PUSH $src1.lo\n\t"
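Review bot: jdk8282004-x86_32-missing_call_effects.patch starts directly at its diff --git line, so the file itself carries no description, author or upstream reference; add a short header naming JDK-8282004 and its upstream status, since the spec comment is the only place that currently records it. In both divL_eReg and modL_eReg the explicit KILL cr, KILL cx, KILL bx list and the matching operands are replaced by effect(CALL); a line in that header on why CALL is the right effect for rules that call SharedRuntime helpers would make the change reviewable without the bug tracker.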
commit a4b6f5006617be092f4c9b67d9bdcc87e2158aad
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Tue Feb 8 15:51:33 2022 +0000
Re-enable gdb backtrace check
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index aa70294..a1f3aaf 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -136,13 +136,8 @@
%global ssbd_arches x86_64
# Set of architectures for which java has short vector math library (libsvml.so)
%global svml_arches x86_64
-# Set of architectures where we verify backtraces with gdb (ideally all)
-# Temporarily disable check on x86, x86_64, ppc64le and s390x as gdb crashes
-# ../../gdb/objfiles.h:510: internal-error: sect_index_data not initialized
-# A problem internal to GDB has been detected,
-# further debugging may prove unreliable.
-# See
https://bugzilla.redhat.com/show_bug.cgi?id=2041970
-%global gdb_arches sparcv9 sparc64 %{aarch64} %{arm} %{zero_arches}
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
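Review bot: the new gdb_arches line turns the backtrace check back on for every JIT and Zero architecture, but the removed comment was the only record of why it had been off (the gdb internal error tracked in bug 2041970), and neither the new comment nor the changelog entry says what changed in gdb. Reference that bug in the changelog entry so the re-enable can be traced if the crash returns.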
@@ -339,7 +334,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 5
+%global rpmrelease 6
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -2530,6 +2525,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Feb 07 2022 Severin Gehwolf <sgehwolf(a)redhat.com> - 1:17.0.2.0.8-6
+- Re-enable gdb backtrace check.
+
* Mon Feb 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-5
- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on
aarch64)
- Need to support noarch for creating source RPMs for non-scratch builds.
commit ee33a7679324c1afbeb05d0abf0978ccd3602df9
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Tue Feb 8 02:08:49 2022 +0000
Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
Need to support noarch for creating source RPMs for non-scratch builds.
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index d2f5665..aa70294 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -244,51 +244,63 @@
# In some cases, the arch used by the JDK does
# not match _arch.
# Also, in some cases, the machine name used by SystemTap
-# does not match that given by _build_cpu
+# does not match that given by _target_cpu
%ifarch x86_64
%global archinstall amd64
+%global stapinstall x86_64
%endif
%ifarch ppc
%global archinstall ppc
+%global stapinstall powerpc
%endif
%ifarch %{ppc64be}
%global archinstall ppc64
+%global stapinstall powerpc
%endif
%ifarch %{ppc64le}
%global archinstall ppc64le
+%global stapinstall powerpc
%endif
%ifarch %{ix86}
%global archinstall i686
+%global stapinstall i386
%endif
%ifarch ia64
%global archinstall ia64
+%global stapinstall ia64
%endif
%ifarch s390
%global archinstall s390
+%global stapinstall s390
%endif
%ifarch s390x
%global archinstall s390x
+%global stapinstall s390
%endif
%ifarch %{arm}
%global archinstall arm
+%global stapinstall arm
%endif
%ifarch %{aarch64}
%global archinstall aarch64
+%global stapinstall arm64
%endif
# 32 bit sparc, optimized for v9
%ifarch sparcv9
%global archinstall sparc
+%global stapinstall %{_target_cpu}
%endif
# 64 bit sparc
%ifarch sparc64
%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
%endif
-%ifnarch %{jit_arches}
-%global archinstall %{_arch}
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
%endif
-
-
%ifarch %{systemtap_arches}
%global with_systemtap 1
%else
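Review bot: the `%ifnarch %{jit_arches}` fallback that set archinstall to %{_arch} is removed here with no generic replacement, so any architecture missing from the explicit list now leaves both archinstall and stapinstall undefined; state in the comment above the list that every supported architecture must have an entry. The sparcv9 and sparc64 entries use %{_target_cpu} while every other entry is a literal, which deserves a word on whether SystemTap really uses those names.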
@@ -327,7 +339,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -448,10 +460,10 @@
# and 32 bit architectures we place the tapsets under the arch
# specific dir (note that systemtap will only pickup the tapset
# for the primary arch for now). Systemtap uses the machine name
-# aka build_cpu as architecture specific directory name.
+# aka target_cpu as architecture specific directory name.
%global tapsetroot /usr/share/systemtap
%global tapsetdirttapset %{tapsetroot}/tapset/
-%global tapsetdir %{tapsetdirttapset}/%{_build_cpu}
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
# not-duplicated scriptlets for normal/debug packages
@@ -1680,6 +1692,14 @@ The %{origin_nice} %{featurever} API documentation compressed in a
single archiv
%endif
%prep
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap
install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
echo "include_normal_build is %{include_normal_build}"
else
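Review bot: the new %prep check tests only `%{?stapinstall:1}` while the echo line also expands %{archinstall}, so a future entry that sets one macro and forgets the other passes the check and prints an unexpanded macro; test both macros. For noarch both are defined as %{nil}, so the check passes with empty values, and the comment should say that this is intended, given that the error text reads "Unrecognised architecture".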
@@ -2510,6 +2530,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Feb 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-5
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on
aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+
* Fri Feb 04 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.2.0.8-4
- moved to become system jdk
commit fbc4f641987b9ea9cd628f4425c40544d8cdc9d5
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Feb 4 20:19:20 2022 +0100
moved to become system jdk
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7fd089b..d2f5665 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -100,7 +100,7 @@
# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk
stops to be an techpreview, move it to 1
# as sytem JDK, we mean any JDK which can run whole system java stack without issues
(like bytecode issues, module issues, dependencies...)
-%global is_system_jdk 0
+%global is_system_jdk 1
%global aarch64 aarch64 arm64 armv8
# we need to distinguish between big and little endian PPC64
@@ -327,7 +327,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 2
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
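Review bot: rpmrelease goes from 2 to 4 in this hunk, and the changelog entry added by the same commit is -4 sitting directly above -2, so release 3 has no entry; either use 3 or record in the changelog why it was skipped.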
@@ -2510,6 +2510,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Feb 04 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.2.0.8-4
+- moved to become system jdk
+
* Fri Feb 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-2
- Temporarily move x86 to use Zero in order to get a working build
- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on
x86_32 for stack alignment
commit db599045110a4f123fb7f519fce8cd65f7f5e1bd
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Fri Feb 4 15:34:46 2022 +0000
Temporarily move x86 to use Zero in order to get a working build
Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
Explicitly list JIT architectures rather than relying on those with slowdebug builds
Disable the serviceability agent on Zero architectures even when the architecture itself is supported
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7c1bb36..7fd089b 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -21,6 +21,8 @@
%bcond_without release
# Enable static library builds by default.
%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -30,6 +32,13 @@
%global include_staticlibs 0
%endif
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See:
https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -104,11 +113,11 @@
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches %{debug_arches} %{arm}
+%global jit_arches %{arm} %{aarch64} %{power64} s390x sparcv9 sparc64 x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
-%global zero_arches ppc s390
+%global zero_arches ppc s390 %{ix86}
# Set of architectures which run a full bootstrap cycle
-%global bootstrap_arches %{jit_arches}
+%global bootstrap_arches %{jit_arches} %{ix86}
# Set of architectures which support SystemTap tapsets
%global systemtap_arches %{jit_arches}
# Set of architectures with a Ahead-Of-Time (AOT) compiler
@@ -176,7 +185,7 @@
%global fastdebug_build %{nil}
%endif
-# If you disable both builds, then the build fails
+# If you disable all builds, then the build fails
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
@@ -210,6 +219,11 @@
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
@@ -313,7 +327,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we
moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and
build versions
@@ -595,7 +609,9 @@ alternatives \\
--slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
--slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
--slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
%endif
--slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
--slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
@@ -808,8 +824,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
# Some architectures don't have the serviceability agent
%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
%endif
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
%ifarch %{svml_arches}
@@ -901,9 +919,11 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
# Some architectures don't have the serviceability agent
%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
%endif
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
@@ -1340,7 +1360,7 @@ BuildRequires: zip
BuildRequires: javapackages-filesystem
BuildRequires: java-latest-openjdk-devel
# Zero-assembler build requirement
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
BuildRequires: tzdata-java >= 2015d
@@ -1798,7 +1818,12 @@ EXTRA_CPP_FLAGS="%ourcppflags"
# fix rpmlint warnings
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
%endif
-export EXTRA_CFLAGS
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e
's|-mstackrealign|-mincoming-stack-boundary=2
-mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e
's|-mstackrealign|-mincoming-stack-boundary=2
-mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
function buildjdk() {
local outputdir=${1}
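Review bot: the two sed substitutions in the %{ix86} block only rewrite an existing -mstackrealign, so if that flag is absent from EXTRA_CFLAGS or EXTRA_CPP_FLAGS the stack-boundary options are silently not added; append them unconditionally after stripping the old flag, or fail when the pattern does not match. `${EXTRA_CFLAGS}` and `${EXTRA_CPP_FLAGS}` are also passed to echo unquoted and should be quoted.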
@@ -1840,7 +1865,7 @@ function buildjdk() {
pushd ${outputdir}
bash ${top_dir_abs_src_path}/configure \
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
--with-jvm-variants=zero \
%endif
%ifarch %{ppc64le}
@@ -1891,34 +1916,46 @@ function buildjdk() {
function installjdk() {
local imagepath=${1}
- # the build (erroneously) removes read permissions from some jars
- # this is a regression in OpenJDK 7 (our compiler):
- #
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
- find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
-
- # Build screws up permissions on binaries
- #
https://bugs.openjdk.java.net/browse/JDK-8173610
- find ${imagepath} -iname '*.so' -exec chmod +x {} \;
- find ${imagepath}/bin/ -exec chmod +x {} \;
-
- # Install nss.cfg right away as we will be using the JRE above
- install -m 644 nss.cfg ${imagepath}/conf/security/
-
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-
- # Use system-wide tzdata
- rm ${imagepath}/lib/tzdb.dat
- ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
-
- # Create fake alt-java as a placeholder for future alt-java
- pushd ${imagepath}
- # add alt-java man page
- echo "Hardened java binary recommended for launching untrusted code from the Web
e.g. javaws" > man/man1/%{alt_java_name}.1
- cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
- popd
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ #
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ #
https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web
e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
}
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release"
"bundled"
+ mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+ systemjdk=%{bootjdk}
+%endif
+
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
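Review bot: wrapping the whole body of installjdk in `if [ -d ${imagepath} ]` makes a missing image directory a silent no-op, so a build that failed to produce an image passes this step without the permission fixes, the nss.cfg and nss.fips.cfg installs or the tzdb.dat link; log which path was skipped, or return non-zero when the caller expected an image. In the build_hotspot_first block the fresh libjvm.so is moved into newboot/lib/server with a hard-coded variant directory, and a comment on why that directory is always the right one would help. `${imagepath}` in the test should be quoted.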
@@ -1928,7 +1965,6 @@ for suffix in %{build_loop} ; do
debugbuild=`echo $suffix | sed "s/-//g"`
fi
- systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
for loop in %{main_suffix} %{staticlibs_loop} ; do
@@ -2474,6 +2510,13 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Feb 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-2
+- Temporarily move x86 to use Zero in order to get a working build
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on
x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the
bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture
itself is supported
+
* Mon Jan 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-1.rolling
- January 2022 security update to jdk 17.0.2+8
- Extend LTS check to exclude EPEL.