diff --git a/CheckVendor.java b/CheckVendor.java
new file mode 100644
index 0000000000000000000000000000000000000000..29b296ba922a599a5c1d640939af7dd7402be824
--- /dev/null
+++ b/CheckVendor.java
@@ -0,0 +1,65 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 4) {
+ System.err.println("CheckVendor ");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
+ }
+}
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index fe2caf251e488dc496a8000197fa14d52344e4a0..0000000000000000000000000000000000000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# java-21-openjdk-portable
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 7681d9d01813bfe678152d6473bd4851303e4fd7..0000000000000000000000000000000000000000
--- a/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# java-21-openjdk-portable
-
-#### 介绍
-{**以下是 Gitee 平台说明,您可以替换此简介**
-Gitee 是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业,都能够用 Gitee 实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. Gitee 官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解 Gitee 上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是 Gitee 最有价值开源项目,是综合评定出的优秀开源项目
-5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java
new file mode 100644
index 0000000000000000000000000000000000000000..b32b7aef7da5d2347ec3b7379434b6570d803b26
--- /dev/null
+++ b/TestCryptoLevel.java
@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+ Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+ public static void main(String[] args)
+ throws NoSuchFieldException, ClassNotFoundException,
+ IllegalAccessException, InvocationTargetException
+ {
+ Class cls = null;
+ Method def = null, exempt = null;
+
+ try
+ {
+ cls = Class.forName("javax.crypto.JceSecurity");
+ }
+ catch (ClassNotFoundException ex)
+ {
+ System.err.println("Running a non-Sun JDK.");
+ System.exit(0);
+ }
+ try
+ {
+ def = cls.getDeclaredMethod("getDefaultPolicy");
+ exempt = cls.getDeclaredMethod("getExemptPolicy");
+ }
+ catch (NoSuchMethodException ex)
+ {
+ System.err.println("Running IcedTea with the original crypto patch.");
+ System.exit(0);
+ }
+ def.setAccessible(true);
+ exempt.setAccessible(true);
+ PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+ PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+ Class apCls = Class.forName("javax.crypto.CryptoAllPermission");
+ Field apField = apCls.getDeclaredField("INSTANCE");
+ apField.setAccessible(true);
+ Permission allPerms = (Permission) apField.get(null);
+ if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+ {
+ System.err.println("Running with the unlimited policy.");
+ System.exit(0);
+ }
+ else
+ {
+ System.err.println("WARNING: Running with a restricted crypto policy.");
+ System.exit(-1);
+ }
+ }
+}
diff --git a/TestECDSA.java b/TestECDSA.java
new file mode 100644
index 0000000000000000000000000000000000000000..6eb9cb211ff59b7ff60167a2a2171e6a8b0e760d
--- /dev/null
+++ b/TestECDSA.java
@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+ Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+ public static void main(String[] args) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ KeyPair key = keyGen.generateKeyPair();
+
+ byte[] data = "This is a string to sign".getBytes("UTF-8");
+
+ Signature dsa = Signature.getInstance("NONEwithECDSA");
+ dsa.initSign(key.getPrivate());
+ dsa.update(data);
+ byte[] sig = dsa.sign();
+ System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+
+ Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+ dsaCheck.initVerify(key.getPublic());
+ dsaCheck.update(data);
+ boolean success = dsaCheck.verify(sig);
+ if (!success) {
+ throw new RuntimeException("Test failed. Signature verification error");
+ }
+ System.out.println("Test passed.");
+ }
+}
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
new file mode 100644
index 0000000000000000000000000000000000000000..2967a32c99488314f0d71d05a483fc32fce9a1bf
--- /dev/null
+++ b/TestSecurityProperties.java
@@ -0,0 +1,84 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
+ public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+}
diff --git a/TestTranslations.java b/TestTranslations.java
new file mode 100644
index 0000000000000000000000000000000000000000..f6a4fe290f0260c0816fea703e6e47ee55239172
--- /dev/null
+++ b/TestTranslations.java
@@ -0,0 +1,160 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;
+
+public class TestTranslations {
+
+ private static Map KYIV, CIUDAD_JUAREZ;
+
+ static {
+ Map map = new HashMap();
+ map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
+ "Eastern European Summer Time", "GMT+03:00", "EEST",
+ "Eastern European Time", "GMT+02:00", "EET"});
+ map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
+ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
+ "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
+ map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
+ "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+ "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+ KYIV = Collections.unmodifiableMap(map);
+
+ map = new HashMap();
+ map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
+ "Mountain Daylight Time", "MDT", "MDT",
+ "Mountain Time", "MT", "MT"});
+ map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
+ "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
+ "heure des Rocheuses", "UTC\u221207:00", "MT"});
+ map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST",
+ "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
+ "Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
+ CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
+ }
+
+
+ public static void main(String[] args) {
+ if (args.length < 1) {
+ System.err.println("Test must be started with the name of the locale provider.");
+ System.exit(1);
+ }
+
+ System.out.println("Checking sanity of full zone string set...");
+ boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+ .peek(l -> System.out.println("Locale: " + l))
+ .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+ .flatMap(zs -> Arrays.stream(zs))
+ .flatMap(names -> Arrays.stream(names))
+ .filter(name -> Objects.isNull(name) || name.isEmpty())
+ .findAny()
+ .isPresent();
+ if (invalid) {
+ System.err.println("Zone string for a locale returned null or empty string");
+ System.exit(2);
+ }
+
+ String localeProvider = args[0];
+ testZone(localeProvider, KYIV,
+ new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
+ testZone(localeProvider, CIUDAD_JUAREZ,
+ new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
+ }
+
+ private static void testZone(String localeProvider, Map exp, String[] ids) {
+ for (Locale l : exp.keySet()) {
+ String[] expected = exp.get(l);
+ System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
+ for (String id : ids) {
+ String expectedShortStd = null;
+ String expectedShortDST = null;
+ String expectedShortGen = null;
+
+ System.out.printf("Checking locale %s for %s...\n", l, id);
+
+ if ("JRE".equals(localeProvider)) {
+ expectedShortStd = expected[2];
+ expectedShortDST = expected[5];
+ expectedShortGen = expected[8];
+ } else if ("CLDR".equals(localeProvider)) {
+ expectedShortStd = expected[1];
+ expectedShortDST = expected[4];
+ expectedShortGen = expected[7];
+ } else {
+ System.err.printf("Invalid locale provider %s\n", localeProvider);
+ System.exit(3);
+ }
+ System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+ localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+ String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+ String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+ String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+ String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+ String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+ String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+ if (!expected[0].equals(longStd)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longStd, expected[0]);
+ System.exit(4);
+ }
+
+ if (!expectedShortStd.equals(shortStd)) {
+ System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+ id, l, shortStd, expectedShortStd);
+ System.exit(5);
+ }
+
+ if (!expected[3].equals(longDST)) {
+ System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+ id, l, longDST, expected[3]);
+ System.exit(6);
+ }
+
+ if (!expectedShortDST.equals(shortDST)) {
+ System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+ id, l, shortDST, expectedShortDST);
+ System.exit(7);
+ }
+
+ if (!expected[6].equals(longGen)) {
+ System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+ id, l, longGen, expected[6]);
+ System.exit(8);
+ }
+
+ if (!expectedShortGen.equals(shortGen)) {
+ System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+ id, l, shortGen, expectedShortGen);
+ System.exit(9);
+ }
+ }
+ }
+ }
+}
diff --git a/alt-java.c b/alt-java.c
new file mode 100644
index 0000000000000000000000000000000000000000..644d002ae9ba2fe5a2115757747fbf454f783e0e
--- /dev/null
+++ b/alt-java.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Red Hat designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Red Hat in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() {
+#if defined(__linux__) && defined(__x86_64__)
+ // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
+ // if ( prctl(PR_SET_SPECULATION_CTRL,
+ // PR_SPEC_STORE_BYPASS,
+ // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ // return;
+ // }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+}
+
+int main(int argc, char **argv) {
+ set_speculation();
+
+ char our_name[PATH_MAX], java_name[PATH_MAX];
+ ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
+ if (len < 0) {
+ perror("I can't find myself");
+ exit(2);
+ }
+
+ our_name[len] = '\0'; // readlink(2) doesn't append a null byte
+ char *path = dirname(our_name);
+ strncpy(java_name, path, PATH_MAX - 1);
+
+ size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
+ strncat(java_name, "/java", remaining_bytes);
+
+ execv(java_name, argv);
+ fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
+
+ exit(1);
+}
+
diff --git a/dist b/dist
new file mode 100644
index 0000000000000000000000000000000000000000..9c0e36ec42a2d9bfefacb21ac6354c9ddd910533
--- /dev/null
+++ b/dist
@@ -0,0 +1 @@
+an8
diff --git a/download b/download
new file mode 100644
index 0000000000000000000000000000000000000000..79e765071cdb8b62f2b6b54fa4353b4dfa72eca9
--- /dev/null
+++ b/download
@@ -0,0 +1,2 @@
+8dc19ce98ca6c05fae8907d968f0ddd3 openjdk-21.0.3+9.tar.xz
+5d441d6217cc75372ca5a0943997cb24 tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/fips-21u-0a42e29b391.patch b/fips-21u-0a42e29b391.patch
new file mode 100644
index 0000000000000000000000000000000000000000..54e8da0167dc9400a07c036a9c998b9a36c7699c
--- /dev/null
+++ b/fips-21u-0a42e29b391.patch
@@ -0,0 +1,4234 @@
+diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4
+index 5f4b22bb27f..1ca9f5b8ffe 100644
+--- a/make/autoconf/build-aux/pkg.m4
++++ b/make/autoconf/build-aux/pkg.m4
+@@ -179,3 +179,19 @@ else
+ ifelse([$3], , :, [$3])
+ fi[]dnl
+ ])# PKG_CHECK_MODULES
++
++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
++dnl -------------------------------------------
++dnl Since: 0.28
++dnl
++dnl Retrieves the value of the pkg-config variable for the given module.
++AC_DEFUN([PKG_CHECK_VAR],
++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
++
++_PKG_CONFIG([$1], [variable="][$3]["], [$2])
++AS_VAR_COPY([$1], [pkg_cv_][$1])
++
++AS_VAR_IF([$1], [""], [$5], [$4])dnl
++])dnl PKG_CHECK_VAR
+diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
+new file mode 100644
+index 00000000000..f48fc7f7e80
+--- /dev/null
++++ b/make/autoconf/lib-sysconf.m4
+@@ -0,0 +1,87 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++ AC_MSG_CHECKING([for NSS library directory])
++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])])
++
++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++ AC_SUBST(NSS_LIBDIR)
++])
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index 51d4f724c33..feb0bcf3e75 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -35,6 +35,7 @@ m4_include([lib-std.m4])
+ m4_include([lib-x11.m4])
+
+ m4_include([lib-tests.m4])
++m4_include([lib-sysconf.m4])
+
+ ################################################################################
+ # Determine which libraries are needed for this configuration
+@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_X11
+
+ LIB_TESTS_SETUP_GTEST
++ LIB_SETUP_SYSCONF_LIBS
+
+ BASIC_JDKLIB_LIBS=""
+ BASIC_JDKLIB_LIBS_TARGET=""
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index f6def153c82..4d7abc33427 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++NSS_LIBDIR:=@NSS_LIBDIR@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk
+index 9e5cfe2d0fc..434ade8e182 100644
+--- a/make/modules/java.base/Gendata.gmk
++++ b/make/modules/java.base/Gendata.gmk
+@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST
+ TARGETS += $(GENDATA_JAVA_SECURITY)
+
+ ################################################################################
++
++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in
++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg
++
++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC)
++ $(call LogInfo, Generating nss.fips.cfg)
++ $(call MakeTargetDir)
++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \
++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \
++ )
++
++TARGETS += $(GENDATA_NSS_FIPS_CFG)
++
++################################################################################
+diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
+index 1e0f66726d0..59fe923f2c5 100644
+--- a/make/modules/java.base/Lib.gmk
++++ b/make/modules/java.base/Lib.gmk
+@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++))
++
++TARGETS += $(BUILD_LIBSYSTEMCONF)
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+index 10093137151..b023c63ae58 100644
+--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+@@ -31,6 +31,7 @@ import java.security.SecureRandom;
+ import java.security.PrivilegedAction;
+ import java.util.HashMap;
+ import java.util.List;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.util.SecurityProviderConstants.*;
+
+@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*;
+
+ public final class SunJCE extends Provider {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ @java.io.Serial
+ private static final long serialVersionUID = 6812507587804302833L;
+
+@@ -147,298 +152,299 @@ public final class SunJCE extends Provider {
+ void putEntries() {
+ // reuse attribute map and reset before each reuse
+ HashMap attrs = new HashMap<>(3);
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
+- + "|OAEPWITHMD5ANDMGF1PADDING"
+- + "|OAEPWITHSHA1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-256ANDMGF1PADDING"
+- + "|OAEPWITHSHA-384ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
+- ps("Cipher", "RSA",
+- "com.sun.crypto.provider.RSACipher", null, attrs);
+-
+- // common block cipher modes, pads
+- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
+- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
+- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
+- final String BLOCK_MODES128 = BLOCK_MODES +
+- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
+- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
+- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DES",
+- "com.sun.crypto.provider.DESCipher", null, attrs);
+- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
+- attrs);
+- ps("Cipher", "Blowfish",
+- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
+-
+- ps("Cipher", "RC2",
+- "com.sun.crypto.provider.RC2Cipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES128);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES",
+- "com.sun.crypto.provider.AESCipher$General", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_128/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_128/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_128/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_192/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_192/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_192/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_256/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_256/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_256/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "GCM");
+- attrs.put("SupportedKeyFormats", "RAW");
+-
+- ps("Cipher", "AES/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
+- attrs);
+- psA("Cipher", "AES_128/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES128",
+- attrs);
+- psA("Cipher", "AES_192/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES192",
+- attrs);
+- psA("Cipher", "AES_256/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES256",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "CBC");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DESedeWrap",
+- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "ARCFOUR",
+- "com.sun.crypto.provider.ARCFOURCipher", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "ChaCha20",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
+- null, attrs);
+- psA("Cipher", "ChaCha20-Poly1305",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
+- attrs);
+-
+- // PBES1
+- psA("Cipher", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
+- null);
+- ps("Cipher", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
+- psA("Cipher", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("Cipher", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
+- null);
+-
+- // PBES2
+- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128");
+-
+-
+- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256");
+-
+- /*
+- * Key(pair) Generator engines
+- */
+- ps("KeyGenerator", "DES",
+- "com.sun.crypto.provider.DESKeyGenerator");
+- psA("KeyGenerator", "DESede",
+- "com.sun.crypto.provider.DESedeKeyGenerator",
+- null);
+- ps("KeyGenerator", "Blowfish",
+- "com.sun.crypto.provider.BlowfishKeyGenerator");
+- psA("KeyGenerator", "AES",
+- "com.sun.crypto.provider.AESKeyGenerator",
+- null);
+- ps("KeyGenerator", "RC2",
+- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
+- psA("KeyGenerator", "ARCFOUR",
+- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
+- null);
+- ps("KeyGenerator", "ChaCha20",
+- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
+- ps("KeyGenerator", "HmacMD5",
+- "com.sun.crypto.provider.HmacMD5KeyGenerator");
+-
+- psA("KeyGenerator", "HmacSHA1",
+- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
+- psA("KeyGenerator", "HmacSHA224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
+- null);
+- psA("KeyGenerator", "HmacSHA256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
+- null);
+- psA("KeyGenerator", "HmacSHA384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
+- null);
+- psA("KeyGenerator", "HmacSHA512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
+- null);
+- psA("KeyGenerator", "HmacSHA512/224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
+- null);
+- psA("KeyGenerator", "HmacSHA512/256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
+- null);
+-
+- psA("KeyGenerator", "HmacSHA3-224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
+- null);
+- psA("KeyGenerator", "HmacSHA3-256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
+- null);
+- psA("KeyGenerator", "HmacSHA3-384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
+- null);
+- psA("KeyGenerator", "HmacSHA3-512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
+- null);
+-
+- psA("KeyPairGenerator", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyPairGenerator",
+- null);
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
++ + "|OAEPWITHMD5ANDMGF1PADDING"
++ + "|OAEPWITHSHA1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-256ANDMGF1PADDING"
++ + "|OAEPWITHSHA-384ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ ps("Cipher", "RSA",
++ "com.sun.crypto.provider.RSACipher", null, attrs);
++
++ // common block cipher modes, pads
++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
++ final String BLOCK_MODES128 = BLOCK_MODES +
++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DES",
++ "com.sun.crypto.provider.DESCipher", null, attrs);
++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
++ attrs);
++ ps("Cipher", "Blowfish",
++ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
++
++ ps("Cipher", "RC2",
++ "com.sun.crypto.provider.RC2Cipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES128);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES",
++ "com.sun.crypto.provider.AESCipher$General", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_128/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_128/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_128/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_192/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_192/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_192/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_256/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_256/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_256/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "GCM");
++ attrs.put("SupportedKeyFormats", "RAW");
++
++ ps("Cipher", "AES/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
++ attrs);
++ psA("Cipher", "AES_128/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES128",
++ attrs);
++ psA("Cipher", "AES_192/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES192",
++ attrs);
++ psA("Cipher", "AES_256/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES256",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "CBC");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DESedeWrap",
++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "ARCFOUR",
++ "com.sun.crypto.provider.ARCFOURCipher", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "ChaCha20",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
++ null, attrs);
++ psA("Cipher", "ChaCha20-Poly1305",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
++ attrs);
++
++ // PBES1
++ psA("Cipher", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
++ null);
++ ps("Cipher", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
++ psA("Cipher", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("Cipher", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
++ null);
++
++ // PBES2
++ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256");
++
++ /*
++ * Key(pair) Generator engines
++ */
++ ps("KeyGenerator", "DES",
++ "com.sun.crypto.provider.DESKeyGenerator");
++ psA("KeyGenerator", "DESede",
++ "com.sun.crypto.provider.DESedeKeyGenerator",
++ null);
++ ps("KeyGenerator", "Blowfish",
++ "com.sun.crypto.provider.BlowfishKeyGenerator");
++ psA("KeyGenerator", "AES",
++ "com.sun.crypto.provider.AESKeyGenerator",
++ null);
++ ps("KeyGenerator", "RC2",
++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
++ psA("KeyGenerator", "ARCFOUR",
++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
++ null);
++ ps("KeyGenerator", "ChaCha20",
++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
++ ps("KeyGenerator", "HmacMD5",
++ "com.sun.crypto.provider.HmacMD5KeyGenerator");
++
++ psA("KeyGenerator", "HmacSHA1",
++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
++ psA("KeyGenerator", "HmacSHA224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
++ null);
++ psA("KeyGenerator", "HmacSHA256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
++ null);
++ psA("KeyGenerator", "HmacSHA384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
++ null);
++ psA("KeyGenerator", "HmacSHA512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
++ null);
++ psA("KeyGenerator", "HmacSHA512/224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
++ null);
++ psA("KeyGenerator", "HmacSHA512/256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
++ null);
++
++ psA("KeyGenerator", "HmacSHA3-224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
++ null);
++ psA("KeyGenerator", "HmacSHA3-256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
++ null);
++ psA("KeyGenerator", "HmacSHA3-384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
++ null);
++ psA("KeyGenerator", "HmacSHA3-512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
++ null);
++
++ psA("KeyPairGenerator", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyPairGenerator",
++ null);
++ }
+
+ /*
+ * Algorithm parameter generation engines
+@@ -447,15 +453,17 @@ public final class SunJCE extends Provider {
+ "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
+ null);
+
+- /*
+- * Key Agreement engines
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
+- "|javax.crypto.interfaces.DHPrivateKey");
+- psA("KeyAgreement", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyAgreement",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key Agreement engines
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
++ "|javax.crypto.interfaces.DHPrivateKey");
++ psA("KeyAgreement", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyAgreement",
++ attrs);
++ }
+
+ /*
+ * Algorithm Parameter engines
+@@ -625,10 +633,10 @@ public final class SunJCE extends Provider {
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128");
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128");
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128");
+
+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
+@@ -651,136 +659,137 @@ public final class SunJCE extends Provider {
+ ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256",
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256");
+
+- // PBKDF2
+- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
+- null);
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256");
+-
+- /*
+- * MAC
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
+- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
+- attrs);
+- psA("Mac", "HmacSHA224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
+- psA("Mac", "HmacSHA256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
+- psA("Mac", "HmacSHA384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
+- psA("Mac", "HmacSHA512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
+- psA("Mac", "HmacSHA512/224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
+- psA("Mac", "HmacSHA512/256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
+- psA("Mac", "HmacSHA3-224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
+- psA("Mac", "HmacSHA3-256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
+- psA("Mac", "HmacSHA3-384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
+- psA("Mac", "HmacSHA3-512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
+-
+- ps("Mac", "HmacPBESHA1",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
+- null, attrs);
+- ps("Mac", "HmacPBESHA224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
+- null, attrs);
+- ps("Mac", "HmacPBESHA384",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
+- null, attrs);
+-
+-
+- // PBMAC1
+- ps("Mac", "PBEWithHmacSHA1",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
+- ps("Mac", "PBEWithHmacSHA224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
+- ps("Mac", "PBEWithHmacSHA384",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512/224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512/256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs);
+-
+- ps("Mac", "SslMacMD5",
+- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
+- ps("Mac", "SslMacSHA1",
+- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
+-
+- /*
+- * KeyStore
+- */
+- ps("KeyStore", "JCEKS",
+- "com.sun.crypto.provider.JceKeyStore");
+-
+- /*
+- * KEMs
+- */
+- attrs.clear();
+- attrs.put("ImplementedIn", "Software");
+- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" +
+- "|java.security.interfaces.XECKey");
+- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs);
+-
+- /*
+- * SSL/TLS mechanisms
+- *
+- * These are strictly internal implementations and may
+- * be changed at any time. These names were chosen
+- * because PKCS11/SunPKCS11 does not yet have TLS1.2
+- * mechanisms, and it will cause calls to come here.
+- */
+- ps("KeyGenerator", "SunTlsPrf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V10");
+- ps("KeyGenerator", "SunTls12Prf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V12");
+-
+- ps("KeyGenerator", "SunTlsMasterSecret",
+- "com.sun.crypto.provider.TlsMasterSecretGenerator",
+- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
+- null);
+-
+- ps("KeyGenerator", "SunTlsKeyMaterial",
+- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
+- List.of("SunTls12KeyMaterial"), null);
+-
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
++ // PBKDF2
++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
++ null);
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256");
++
++ /*
++ * MAC
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
++ attrs);
++ psA("Mac", "HmacSHA224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
++ psA("Mac", "HmacSHA256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
++ psA("Mac", "HmacSHA384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
++ psA("Mac", "HmacSHA512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
++ psA("Mac", "HmacSHA512/224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
++ psA("Mac", "HmacSHA512/256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
++ psA("Mac", "HmacSHA3-224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
++ psA("Mac", "HmacSHA3-256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
++ psA("Mac", "HmacSHA3-384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
++ psA("Mac", "HmacSHA3-512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
++
++ ps("Mac", "HmacPBESHA1",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
++ null, attrs);
++ ps("Mac", "HmacPBESHA224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
++ null, attrs);
++ ps("Mac", "HmacPBESHA384",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
++ null, attrs);
++
++ // PBMAC1
++ ps("Mac", "PBEWithHmacSHA1",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
++ ps("Mac", "PBEWithHmacSHA224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
++ ps("Mac", "PBEWithHmacSHA384",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512/224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512/256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs);
++
++ ps("Mac", "SslMacMD5",
++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
++ ps("Mac", "SslMacSHA1",
++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
++
++ /*
++ * KeyStore
++ */
++ ps("KeyStore", "JCEKS",
++ "com.sun.crypto.provider.JceKeyStore");
++
++ /*
++ * KEMs
++ */
++ attrs.clear();
++ attrs.put("ImplementedIn", "Software");
++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" +
++ "|java.security.interfaces.XECKey");
++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs);
++
++ /*
++ * SSL/TLS mechanisms
++ *
++ * These are strictly internal implementations and may
++ * be changed at any time. These names were chosen
++ * because PKCS11/SunPKCS11 does not yet have TLS1.2
++ * mechanisms, and it will cause calls to come here.
++ */
++ ps("KeyGenerator", "SunTlsPrf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V10");
++ ps("KeyGenerator", "SunTls12Prf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V12");
++
++ ps("KeyGenerator", "SunTlsMasterSecret",
++ "com.sun.crypto.provider.TlsMasterSecretGenerator",
++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
++ null);
++
++ ps("KeyGenerator", "SunTlsKeyMaterial",
++ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
++ List.of("SunTls12KeyMaterial"), null);
++
++ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
++ List.of("SunTls12RsaPremasterSecret"), null);
++ }
+ }
+
+ // Return the instance of this class or create one if needed.
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index 671529f71a1..af632936921 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -34,6 +34,7 @@ import java.net.URL;
+ import jdk.internal.access.JavaSecurityPropertiesAccess;
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -58,6 +59,11 @@ import sun.security.jca.*;
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -75,6 +81,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -96,6 +115,7 @@ public final class Security {
+ private static void initialize() {
+ props = new Properties();
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -116,6 +136,61 @@ public final class Security {
+ }
+ loadProps(null, extraPropFile, overrideAll);
+ }
++
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ if (systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
++
+ initialSecurityProperties = (Properties) props.clone();
+ if (sdebug != null) {
+ for (String key : props.stringPropertyNames()) {
+@@ -126,7 +201,7 @@ public final class Security {
+
+ }
+
+- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) {
+ InputStream is = null;
+ try {
+ if (masterFile != null && masterFile.exists()) {
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..9d26a54f5d4
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,232 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ @SuppressWarnings("removal")
++ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false);
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws Exception {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..3f3caac64dc
+--- /dev/null
++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.access;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 919d758a6e3..b1e5fbaf84a 100644
+--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -43,6 +43,7 @@ import java.io.PrintStream;
+ import java.io.PrintWriter;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -90,6 +91,7 @@ public class SharedSecrets {
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
+ private static JavaTemplateAccess javaTemplateAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
+ javaUtilCollectionAccess = juca;
+@@ -537,4 +539,15 @@ public class SharedSecrets {
+ MethodHandles.lookup().ensureInitialized(c);
+ } catch (IllegalAccessException e) {}
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
+index 06b141dcf22..e8cbf7f15d7 100644
+--- a/src/java.base/share/classes/module-info.java
++++ b/src/java.base/share/classes/module-info.java
+@@ -158,6 +158,7 @@ module java.base {
+ java.naming,
+ java.rmi,
+ jdk.charsets,
++ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+ jdk.jfr,
+diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index f036a411f1d..1e9de933bd9 100644
+--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.LinkedHashSet;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.action.GetBooleanAction;
+
+@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ public final class SunEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ // the default algo used by SecureRandom class for new SecureRandom() calls
+ public static final String DEF_SECURE_RANDOM_ALGO;
+
+@@ -102,89 +107,92 @@ public final class SunEntries {
+ // common attribute map
+ HashMap attrs = new HashMap<>(3);
+
+- /*
+- * SecureRandom engines
+- */
+- attrs.put("ThreadSafe", "true");
+- if (NativePRNG.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNG",
+- "sun.security.provider.NativePRNG", attrs);
+- }
+- if (NativePRNG.Blocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGBlocking",
+- "sun.security.provider.NativePRNG$Blocking", attrs);
+- }
+- if (NativePRNG.NonBlocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGNonBlocking",
+- "sun.security.provider.NativePRNG$NonBlocking", attrs);
+- }
+- attrs.put("ImplementedIn", "Software");
+- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+- add(p, "SecureRandom", "SHA1PRNG",
+- "sun.security.provider.SecureRandom", attrs);
+-
+- /*
+- * Signature engines
+- */
+- attrs.clear();
+- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+- "|java.security.interfaces.DSAPrivateKey";
+- attrs.put("SupportedKeyClasses", dsaKeyClasses);
+- attrs.put("ImplementedIn", "Software");
+-
+- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+-
+- addWithAlias(p, "Signature", "SHA1withDSA",
+- "sun.security.provider.DSA$SHA1withDSA", attrs);
+- addWithAlias(p, "Signature", "NONEwithDSA",
+- "sun.security.provider.DSA$RawDSA", attrs);
+-
+- // for DSA signatures with 224/256-bit digests
+- attrs.put("KeySize", "2048");
+-
+- addWithAlias(p, "Signature", "SHA224withDSA",
+- "sun.security.provider.DSA$SHA224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA256withDSA",
+- "sun.security.provider.DSA$SHA256withDSA", attrs);
+-
+- addWithAlias(p, "Signature", "SHA3-224withDSA",
+- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-256withDSA",
+- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+-
+- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+-
+- addWithAlias(p, "Signature", "SHA384withDSA",
+- "sun.security.provider.DSA$SHA384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA512withDSA",
+- "sun.security.provider.DSA$SHA512withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-384withDSA",
+- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-512withDSA",
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * SecureRandom engines
++ */
++ attrs.put("ThreadSafe", "true");
++ if (NativePRNG.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNG",
++ "sun.security.provider.NativePRNG", attrs);
++ }
++ if (NativePRNG.Blocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGBlocking",
++ "sun.security.provider.NativePRNG$Blocking", attrs);
++ }
++ if (NativePRNG.NonBlocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGNonBlocking",
++ "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ }
++ attrs.put("ImplementedIn", "Software");
++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
++ add(p, "SecureRandom", "SHA1PRNG",
++ "sun.security.provider.SecureRandom", attrs);
+
+- attrs.remove("KeySize");
++ /*
++ * Signature engines
++ */
++ attrs.clear();
++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
++ "|java.security.interfaces.DSAPrivateKey";
++ attrs.put("SupportedKeyClasses", dsaKeyClasses);
++ attrs.put("ImplementedIn", "Software");
++
++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
++
++ addWithAlias(p, "Signature", "SHA1withDSA",
++ "sun.security.provider.DSA$SHA1withDSA", attrs);
++ addWithAlias(p, "Signature", "NONEwithDSA",
++ "sun.security.provider.DSA$RawDSA", attrs);
++
++ // for DSA signatures with 224/256-bit digests
++ attrs.put("KeySize", "2048");
++
++ addWithAlias(p, "Signature", "SHA224withDSA",
++ "sun.security.provider.DSA$SHA224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA256withDSA",
++ "sun.security.provider.DSA$SHA256withDSA", attrs);
++
++ addWithAlias(p, "Signature", "SHA3-224withDSA",
++ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-256withDSA",
++ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
++
++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
++
++ addWithAlias(p, "Signature", "SHA384withDSA",
++ "sun.security.provider.DSA$SHA384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA512withDSA",
++ "sun.security.provider.DSA$SHA512withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-384withDSA",
++ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-512withDSA",
++ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++
++ attrs.remove("KeySize");
++
++ add(p, "Signature", "SHA1withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
++ add(p, "Signature", "NONEwithDSAinP1363Format",
++ "sun.security.provider.DSA$RawDSAinP1363Format");
++ add(p, "Signature", "SHA224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
++ add(p, "Signature", "SHA256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
++ add(p, "Signature", "SHA384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
++ add(p, "Signature", "SHA512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
++ add(p, "Signature", "SHA3-224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
++ add(p, "Signature", "SHA3-256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
++ add(p, "Signature", "SHA3-384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
++ add(p, "Signature", "SHA3-512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+
+- add(p, "Signature", "SHA1withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+- add(p, "Signature", "NONEwithDSAinP1363Format",
+- "sun.security.provider.DSA$RawDSAinP1363Format");
+- add(p, "Signature", "SHA224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+- add(p, "Signature", "SHA256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+- add(p, "Signature", "SHA384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+- add(p, "Signature", "SHA512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+- add(p, "Signature", "SHA3-224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+- add(p, "Signature", "SHA3-256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+- add(p, "Signature", "SHA3-384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+- add(p, "Signature", "SHA3-512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
++ }
+
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+@@ -196,9 +204,11 @@ public final class SunEntries {
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ if (!systemFipsEnabled) {
++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ }
+
+ /*
+ * Algorithm Parameter Generator engines
+@@ -213,44 +223,46 @@ public final class SunEntries {
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
+
+- /*
+- * Key factories
+- */
+- addWithAlias(p, "KeyFactory", "DSA",
+- "sun.security.provider.DSAKeyFactory", attrs);
+- addWithAlias(p, "KeyFactory", "HSS/LMS",
+- "sun.security.provider.HSS$KeyFactoryImpl", attrs);
+-
+- /*
+- * Digest engines
+- */
+- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
+- attrs);
+- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
+- attrs);
+- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ addWithAlias(p, "KeyFactory", "DSA",
++ "sun.security.provider.DSAKeyFactory", attrs);
++ addWithAlias(p, "KeyFactory", "HSS/LMS",
++ "sun.security.provider.HSS$KeyFactoryImpl", attrs);
+
+- addWithAlias(p, "MessageDigest", "SHA-224",
+- "sun.security.provider.SHA2$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-256",
+- "sun.security.provider.SHA2$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-384",
+- "sun.security.provider.SHA5$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512",
+- "sun.security.provider.SHA5$SHA512", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/224",
+- "sun.security.provider.SHA5$SHA512_224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/256",
+- "sun.security.provider.SHA5$SHA512_256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-224",
+- "sun.security.provider.SHA3$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-256",
+- "sun.security.provider.SHA3$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-384",
+- "sun.security.provider.SHA3$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-512",
+- "sun.security.provider.SHA3$SHA512", attrs);
++ /*
++ * Digest engines
++ */
++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2",
++ attrs);
++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5",
++ attrs);
++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
++ attrs);
++
++ addWithAlias(p, "MessageDigest", "SHA-224",
++ "sun.security.provider.SHA2$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-256",
++ "sun.security.provider.SHA2$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-384",
++ "sun.security.provider.SHA5$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512",
++ "sun.security.provider.SHA5$SHA512", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/224",
++ "sun.security.provider.SHA5$SHA512_224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/256",
++ "sun.security.provider.SHA5$SHA512_256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-224",
++ "sun.security.provider.SHA3$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-256",
++ "sun.security.provider.SHA3$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-384",
++ "sun.security.provider.SHA3$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-512",
++ "sun.security.provider.SHA3$SHA512", attrs);
++ }
+
+ /*
+ * Certificates
+diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+index 539ef1e8ee8..435f57e3ff2 100644
+--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+@@ -27,6 +27,7 @@ package sun.security.rsa;
+
+ import java.util.*;
+ import java.security.Provider;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ /**
+@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+ */
+ public final class SunRsaSignEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private void add(Provider p, String type, String algo, String cn,
+ List aliases, HashMap attrs) {
+ services.add(new Provider.Service(p, type, algo, cn,
+@@ -63,42 +68,49 @@ public final class SunRsaSignEntries {
+ add(p, "KeyFactory", "RSA",
+ "sun.security.rsa.RSAKeyFactory$Legacy",
+ getAliases("PKCS1"), null);
+- add(p, "KeyPairGenerator", "RSA",
+- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
+- getAliases("PKCS1"), null);
+- addA(p, "Signature", "MD2withRSA",
+- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
+- addA(p, "Signature", "MD5withRSA",
+- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
+- addA(p, "Signature", "SHA1withRSA",
+- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
+- addA(p, "Signature", "SHA224withRSA",
+- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
+- addA(p, "Signature", "SHA256withRSA",
+- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
+- addA(p, "Signature", "SHA384withRSA",
+- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
+- addA(p, "Signature", "SHA512withRSA",
+- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
+- addA(p, "Signature", "SHA512/224withRSA",
+- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
+- addA(p, "Signature", "SHA512/256withRSA",
+- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-224withRSA",
+- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
+- addA(p, "Signature", "SHA3-256withRSA",
+- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-384withRSA",
+- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
+- addA(p, "Signature", "SHA3-512withRSA",
+- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++
++ if (!systemFipsEnabled) {
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ }
+
+ addA(p, "KeyFactory", "RSASSA-PSS",
+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
++
++ if (!systemFipsEnabled) {
++ addA(p, "KeyPairGenerator", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
++ addA(p, "Signature", "RSASSA-PSS",
++ "sun.security.rsa.RSAPSSSignature", attrs);
++ }
++
+ addA(p, "AlgorithmParameters", "RSASSA-PSS",
+ "sun.security.rsa.PSSParameters", null);
+ }
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 5149edba0e5..8227d650a03 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -85,6 +85,17 @@ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=SunJSSE
++fips.provider.5=SunJCE
++fips.provider.6=SunRsaSign
++fips.provider.7=XMLDSig
++
+ #
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=pkcs12
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=pkcs12
++
++#
++# Location of the NSS DB keystore (PKCS11) in FIPS mode.
++#
++# The syntax for this property is identical to the 'nssSecmodDirectory'
++# attribute available in the SunPKCS11 NSS configuration file. Use the
++# 'sql:' prefix to refer to an SQLite DB.
++#
++# If the system property fips.nssdb.path is also specified, it supersedes
++# the security property value defined here.
++#
++# Note: the default value for this property points to an NSS DB that might be
++# readable by multiple operating system users and unsuitable to store keys.
++#
++fips.nssdb.path=sql:/etc/pki/nssdb
++
++#
++# PIN for the NSS DB keystore (PKCS11) in FIPS mode.
++#
++# Values must take any of the following forms:
++# 1) pin:
++# Value: clear text PIN value.
++# 2) env:
++# Value: environment variable containing the PIN value.
++# 3) file:
++# Value: path to a file containing the PIN value in its first
++# line.
++#
++# If the system property fips.nssdb.pin is also specified, it supersedes
++# the security property value defined here.
++#
++# When used as a system property, UTF-8 encoded values are valid. When
++# used as a security property (such as in this file), encode non-Basic
++# Latin Unicode characters with \uXXXX.
++#
++fips.nssdb.pin=pin:
++
+ #
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+@@ -332,6 +384,13 @@ package.definition=sun.misc.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
+new file mode 100644
+index 00000000000..55bbba98b7a
+--- /dev/null
++++ b/src/java.base/share/conf/security/nss.fips.cfg.in
+@@ -0,0 +1,8 @@
++name = NSS-FIPS
++nssLibraryDirectory = @NSS_LIBDIR@
++nssSecmodDirectory = ${fips.nssdb.path}
++nssDbMode = readWrite
++nssModule = fips
++
++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
++
+diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
+index 86d45147709..22fd8675503 100644
+--- a/src/java.base/share/lib/security/default.policy
++++ b/src/java.base/share/lib/security/default.policy
+@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" {
+ grant codeBase "jrt:/jdk.crypto.ec" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "loadLibrary.sunec";
+ permission java.security.SecurityPermission "putProviderProperty.SunEC";
+ permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
++ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
+ permission java.security.SecurityPermission "putProviderProperty.*";
+ permission java.security.SecurityPermission "clearProviderProperties.*";
+ permission java.security.SecurityPermission "removeProviderProperty.*";
+diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..ddf9befe5bc
+--- /dev/null
++++ b/src/java.base/share/native/libsystemconf/systemconf.c
+@@ -0,0 +1,236 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef LINUX
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
++
++#else // !LINUX
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ return JNI_FALSE;
++}
++
++#endif
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..48d6d656a28
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,457 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.security.interfaces.RSAPrivateCrtKey;
++import java.security.interfaces.RSAPrivateKey;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.SecretKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAPrivateCrtKeyImpl;
++import sun.security.rsa.RSAUtil;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static volatile P11Key importerKey = null;
++ private static SecretKeySpec exporterKey = null;
++ private static volatile P11Key exporterKeyP11 = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ // Do not take the exporterKeyLock with the importerKeyLock held.
++ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
++ private static volatile CK_MECHANISM importerKeyMechanism = null;
++ private static volatile CK_MECHANISM exporterKeyMechanism = null;
++ private static Cipher importerCipher = null;
++ private static Cipher exporterCipher = null;
++
++ private static volatile Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ importerKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ } finally {
++ importerKeyLock.unlock();
++ }
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
++ long keyClass, long keyType, Map sensitiveAttrs)
++ throws PKCS11Exception {
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be exported in" +
++ " system FIPS mode.");
++ }
++ if (exporterKeyP11 == null) {
++ try {
++ exporterKeyLock.lock();
++ if (exporterKeyP11 == null) {
++ if (exporterKeyMechanism == null) {
++ // Exporter Key creation has not been tried yet. Try it.
++ createExporterKey(token);
++ }
++ if (exporterKeyP11 == null || exporterCipher == null) {
++ if (debug != null) {
++ debug.println("Exporter Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ if (debug != null) {
++ debug.println("Exporter Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ }
++ long exporterKeyID = exporterKeyP11.getKeyID();
++ try {
++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
++ exporterKeyMechanism, exporterKeyID, hObject);
++ byte[] plainExportedKey = null;
++ exporterKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ if (keyClass == CKO_PRIVATE_KEY) {
++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
++ } else if (keyClass == CKO_SECRET_KEY) {
++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ exporterKeyP11.releaseKeyID();
++ }
++ }
++
++ private static void exportPrivateKey(
++ Map sensitiveAttrs, long keyType,
++ byte[] plainExportedKey) throws Throwable {
++ if (keyType == CKK_RSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey);
++ CK_ATTRIBUTE attr;
++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
++ }
++ if (rsaPKey instanceof RSAPrivateCrtKey) {
++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
++ }
++ } else {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT);
++ }
++ } else if (keyType == CKK_DSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ new sun.security.provider.DSAPrivateKey(plainExportedKey)
++ .getX().toByteArray();
++ } else if (keyType == CKK_EC) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
++ .getS().toByteArray();
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
++ }
++ }
++
++ private static void checkAttrs(Map sensitiveAttrs,
++ String keyName, long... validAttrs)
++ throws PKCS11Exception {
++ int sensitiveAttrsCount = sensitiveAttrs.size();
++ if (sensitiveAttrsCount <= validAttrs.length) {
++ int validAttrsCount = 0;
++ for (long validAttr : validAttrs) {
++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
++ }
++ if (validAttrsCount == sensitiveAttrsCount) return;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " invalid attribute types for a " + keyName + " key object");
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec(
++ (byte[])importerKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Importer Key");
++ }
++ }
++ }
++
++ private static void createExporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Exporter Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ byte[] exporterKeyRaw = new byte[32];
++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
++ try {
++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
++ if (exporterKeyP11 != null) {
++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
++ new IvParameterSpec(
++ (byte[])exporterKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ exporterKey = null;
++ exporterKeyP11 = null;
++ exporterCipher = null;
++ // exporterKeyMechanism value is kept initialized to indicate that
++ // Exporter Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Exporter Key");
++ }
++ }
++ }
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+new file mode 100644
+index 00000000000..f8d505ca815
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java
+@@ -0,0 +1,149 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.io.BufferedReader;
++import java.io.ByteArrayInputStream;
++import java.io.InputStream;
++import java.io.InputStreamReader;
++import java.io.IOException;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.nio.file.Paths;
++import java.nio.file.StandardOpenOption;
++import java.security.ProviderException;
++
++import javax.security.auth.callback.Callback;
++import javax.security.auth.callback.CallbackHandler;
++import javax.security.auth.callback.PasswordCallback;
++import javax.security.auth.callback.UnsupportedCallbackException;
++
++import sun.security.util.Debug;
++import sun.security.util.SecurityProperties;
++
++final class FIPSTokenLoginHandler implements CallbackHandler {
++
++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++
++ private static final Debug debug = Debug.getInstance("sunpkcs11");
++
++ public void handle(Callback[] callbacks)
++ throws IOException, UnsupportedCallbackException {
++ if (!(callbacks[0] instanceof PasswordCallback)) {
++ throw new UnsupportedCallbackException(callbacks[0]);
++ }
++ PasswordCallback pc = (PasswordCallback)callbacks[0];
++ pc.setPassword(getFipsNssdbPin());
++ }
++
++ private static char[] getFipsNssdbPin() throws ProviderException {
++ if (debug != null) {
++ debug.println("FIPS: Reading NSS DB PIN for token...");
++ }
++ String pinProp = SecurityProperties
++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP);
++ if (pinProp != null && !pinProp.isEmpty()) {
++ String[] pinPropParts = pinProp.split(":", 2);
++ if (pinPropParts.length < 2) {
++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP +
++ " property value.");
++ }
++ String prefix = pinPropParts[0].toLowerCase();
++ String value = pinPropParts[1];
++ String pin = null;
++ if (prefix.equals("env")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the '" + value +
++ "' environment variable.");
++ }
++ pin = System.getenv(value);
++ } else if (prefix.equals("file")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the '" + value +
++ "' file.");
++ }
++ pin = getPinFromFile(Paths.get(value));
++ } else if (prefix.equals("pin")) {
++ if (debug != null) {
++ debug.println("FIPS: PIN value from the " +
++ FIPS_NSSDB_PIN_PROP + " property.");
++ }
++ pin = value;
++ } else {
++ throw new ProviderException("Unsupported prefix for " +
++ FIPS_NSSDB_PIN_PROP + ".");
++ }
++ if (pin != null && !pin.isEmpty()) {
++ if (debug != null) {
++ debug.println("FIPS: non-empty PIN.");
++ }
++ /*
++ * C_Login in libj2pkcs11 receives the PIN in a char[] and
++ * discards the upper byte of each char, before passing
++ * the value to the NSS Software Token. However, the
++ * NSS Software Token accepts any UTF-8 PIN value. Thus,
++ * expand the PIN here to account for later truncation.
++ */
++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8);
++ char[] pinChar = new char[pinUtf8.length];
++ for (int i = 0; i < pinChar.length; i++) {
++ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++ }
++ return pinChar;
++ }
++ }
++ if (debug != null) {
++ debug.println("FIPS: empty PIN.");
++ }
++ return null;
++ }
++
++ /*
++ * This method extracts the token PIN from the first line of a password
++ * file in the same way as NSS modutil. See for example the -newpwfile
++ * argument used to change the password for an NSS DB.
++ */
++ private static String getPinFromFile(Path f) throws ProviderException {
++ try (InputStream is =
++ Files.newInputStream(f, StandardOpenOption.READ)) {
++ /*
++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil,
++ * reads up to 4096 bytes. In addition, the NSS Software Token
++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN
++ * in nss/lib/softoken/pkcs11i.h).
++ */
++ BufferedReader in =
++ new BufferedReader(new InputStreamReader(
++ new ByteArrayInputStream(is.readNBytes(4096)),
++ StandardCharsets.UTF_8));
++ return in.readLine();
++ } catch (IOException ioe) {
++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP +
++ " from the '" + f + "' file.", ioe);
++ }
++ }
++}
+\ No newline at end of file
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+index c3b412885a6..0e7ce73b158 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+@@ -37,6 +37,8 @@ import javax.crypto.*;
+ import javax.crypto.interfaces.*;
+ import javax.crypto.spec.*;
+
++import jdk.internal.access.SharedSecrets;
++
+ import sun.security.rsa.RSAUtil.KeyType;
+ import sun.security.rsa.RSAPublicKeyImpl;
+ import sun.security.rsa.RSAPrivateCrtKeyImpl;
+@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length {
+ @Serial
+ private static final long serialVersionUID = -2575874101938349339L;
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ private static final String PUBLIC = "public";
+ private static final String PRIVATE = "private";
+ private static final String SECRET = "secret";
+@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length {
+ new CK_ATTRIBUTE(CKA_EXTRACTABLE),
+ });
+
+- boolean keySensitive =
+- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+- attrs[1].getBoolean() || !attrs[2].getBoolean();
++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
++ boolean keySensitive = (!exportable &&
++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
++ attrs[1].getBoolean() || !attrs[2].getBoolean()));
+
+ return switch (algorithm) {
+ case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
+@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length {
+
+ public String getFormat() {
+ token.ensureValid();
+- if (sensitive || !extractable || (isNSS && tokenObject)) {
++ if (!plainKeySupportEnabled &&
++ (sensitive || !extractable || (isNSS && tokenObject))) {
+ return null;
+ } else {
+ return "RAW";
+@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference {
+ this.clear();
+ }
+ }
+-
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 5cd6828d293..bae49c4e8a9 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
+
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
++import sun.security.util.SecurityProperties;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ import sun.security.pkcs11.Secmod.*;
+@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider {
+ @Serial
+ private static final long serialVersionUID = -1354835039035306505L;
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ private static final MethodHandle fipsExportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ MethodHandle fipsExportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "exportKey",
++ MethodType.methodType(void.class, SunPKCS11.class,
++ long.class, long.class,
++ long.class, long.class, Map.class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer-exporter" +
++ " initialization failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ fipsExportKey = fipsExportKeyTmp;
++ }
++
++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+ // the PKCS11 object through which we make the native calls
+ @SuppressWarnings("serial") // Type of field is not Serializable;
+@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
+ @Override
+ public SunPKCS11 run() throws Exception {
++ if (systemFipsEnabled) {
++ /*
++ * The nssSecmodDirectory attribute in the SunPKCS11
++ * NSS configuration file takes the value of the
++ * fips.nssdb.path System property after expansion.
++ * Security properties expansion is unsupported.
++ */
++ String nssdbPath =
++ SecurityProperties.privilegedGetOverridable(
++ FIPS_NSSDB_PATH_PROP);
++ if (System.getSecurityManager() != null) {
++ AccessController.doPrivileged(
++ (PrivilegedAction) () -> {
++ System.setProperty(
++ FIPS_NSSDB_PATH_PROP,
++ nssdbPath);
++ return null;
++ });
++ } else {
++ System.setProperty(
++ FIPS_NSSDB_PATH_PROP, nssdbPath);
++ }
++ }
+ return new SunPKCS11(new Config(newConfigName));
+ }
+ });
+@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ MethodHandle fipsKeyExporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ fipsKeyExporter = MethodHandles.insertArguments(
++ fipsExportKey, 0, this);
++ }
+ try {
+- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
+- config.getOmitInitialize());
++ tmpPKCS11 = PKCS11.getInstance(
++ library, functionList, initArgs,
++ config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider {
+ } else {
+ initArgs.flags = 0;
+ }
+- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
+- config.getOmitInitialize());
++ tmpPKCS11 = PKCS11.getInstance(library,
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider {
+ }
+
+ @Override
++ @SuppressWarnings("removal")
+ public Object newInstance(Object param)
+ throws NoSuchAlgorithmException {
+ if (!token.isValid()) {
+ throw new NoSuchAlgorithmException("Token has been removed");
+ }
++ if (systemFipsEnabled && !token.fipsLoggedIn &&
++ !getType().equals("KeyStore")) {
++ /*
++ * The NSS Software Token in FIPS 140-2 mode requires a
++ * user login for most operations. See sftk_fipsCheck
++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
++ * service, let the caller perform the login with
++ * KeyStore::load. Keytool, for example, does this to pass a
++ * PIN from either the -srcstorepass or -deststorepass
++ * argument. In case of a non-KeyStore service, perform the
++ * login now with the PIN available in the fips.nssdb.pin
++ * property.
++ */
++ try {
++ if (System.getSecurityManager() != null) {
++ try {
++ AccessController.doPrivileged(
++ (PrivilegedExceptionAction) () -> {
++ token.ensureLoggedIn(null);
++ return null;
++ });
++ } catch (PrivilegedActionException pae) {
++ Exception e = pae.getException();
++ if (e instanceof LoginException le) {
++ throw le;
++ } else if (e instanceof PKCS11Exception p11e) {
++ throw p11e;
++ } else {
++ throw new RuntimeException(e);
++ }
++ }
++ } else {
++ token.ensureLoggedIn(null);
++ }
++ } catch (PKCS11Exception | LoginException e) {
++ throw new ProviderException("FIPS: error during the Token" +
++ " login required for the " + getType() +
++ " service.", e);
++ }
++ }
+ try {
+ return newInstance0(param);
+ } catch (PKCS11Exception e) {
+@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider {
+ try {
+ session = token.getOpSession();
+ p11.C_Logout(session.id());
++ if (systemFipsEnabled) {
++ token.fipsLoggedIn = false;
++ }
+ if (debug != null) {
+ debug.println("logout succeeded");
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+index a6f5f0a8764..9a07c96ca4e 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
+@@ -33,6 +33,7 @@ import java.lang.ref.*;
+ import java.security.*;
+ import javax.security.auth.login.LoginException;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.jca.JCAUtil;
+
+ import sun.security.pkcs11.wrapper.*;
+@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
+ */
+ final class Token implements Serializable {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ // need to be serializable to allow SecureRandom to be serialized
+ @Serial
+ private static final long serialVersionUID = 2541527649100571747L;
+@@ -125,6 +129,10 @@ final class Token implements Serializable {
+ // flag indicating whether we are logged in
+ private volatile boolean loggedIn;
+
++ // Flag indicating the login status for the NSS Software Token in FIPS mode.
++ // This Token is never asynchronously removed. Used from SunPKCS11.
++ volatile boolean fipsLoggedIn;
++
+ // time we last checked login status
+ private long lastLoginCheck;
+
+@@ -242,7 +250,12 @@ final class Token implements Serializable {
+ // call provider.login() if not
+ void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
+ if (!isLoggedIn(session)) {
+- provider.login(null, null);
++ if (systemFipsEnabled) {
++ provider.login(null, new FIPSTokenLoginHandler());
++ fipsLoggedIn = true;
++ } else {
++ provider.login(null, null);
++ }
+ }
+ }
+
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 4b06daaf264..55e14945469 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -174,18 +177,43 @@ public class PKCS11 {
+ return version;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map sensitiveAttrs = new HashMap<>();
++ List nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map sensitiveAttrs,
++ List nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+index 920422376f8..6aa308fa5f8 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception {
+ return res;
+ }
+
++ /**
++ * Constructor taking the error code from the RV enum and
++ * extra info for error message.
++ */
++ public PKCS11Exception(RV errorEnum, String extraInfo) {
++ this(errorEnum.value, extraInfo);
++ }
++
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) and
+ * extra info for error message.
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 7f8c4dba002..e65b11fc3ee 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -34,6 +34,7 @@ import java.security.ProviderException;
+ import java.util.HashMap;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+ import sun.security.ec.ed.EdDSASignature;
+@@ -50,6 +51,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -240,83 +245,85 @@ public final class SunEC extends Provider {
+ putXDHEntries();
+ putEdDSAEntries();
+
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -333,23 +340,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -364,21 +373,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
+diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+new file mode 100644
+index 00000000000..ce01c655eb8
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+@@ -0,0 +1,349 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Method;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.security.KeyStore;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Arrays;
++import java.util.function.Consumer;
++import java.util.List;
++import javax.crypto.Cipher;
++import javax.crypto.spec.SecretKeySpec;
++
++import jdk.test.lib.process.Proc;
++import jdk.test.lib.util.FileUtils;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary
++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used
++ * for a successful login into an NSS DB. Some additional unitary testing
++ * is then performed. This test depends on NSS modutil and must be run in
++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available).
++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open
++ * @library /test/lib
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=600 NssdbPin
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class NssdbPin {
++
++ // Public properties and names
++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS";
++ private static final String NSSDB_TOKEN_NAME =
++ "NSS FIPS 140-2 Certificate DB";
++
++ // Data to be tested
++ private static final String[] PINS_TO_TEST =
++ new String[] {
++ "",
++ "1234567890abcdef1234567890ABCDEF\uA4F7"
++ };
++ private static enum PropType { SYSTEM, SECURITY }
++ private static enum LoginType { IMPLICIT, EXPLICIT }
++
++ // Internal test fields
++ private static final boolean DEBUG = true;
++ private static class TestContext {
++ String pin;
++ PropType propType;
++ Path workspace;
++ String nssdbPath;
++ Path nssdbPinFile;
++ LoginType loginType;
++ TestContext(String pin, Path workspace) {
++ this.pin = pin;
++ this.workspace = workspace;
++ this.nssdbPath = "sql:" + workspace;
++ this.loginType = LoginType.IMPLICIT;
++ }
++ }
++
++ public static void main(String[] args) throws Throwable {
++ if (args.length == 3) {
++ // Executed by a child process.
++ mainChild(args[0], args[1], LoginType.valueOf(args[2]));
++ } else if (args.length == 0) {
++ // Executed by the parent process.
++ mainLauncher();
++ // Test defaults
++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT);
++ System.out.println("TEST PASS - OK");
++ } else {
++ throw new Exception("Unexpected number of arguments.");
++ }
++ }
++
++ private static void mainChild(String expectedPath, String expectedPin,
++ LoginType loginType) throws Throwable {
++ if (DEBUG) {
++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP,
++ FIPS_NSSDB_PIN_PROP)) {
++ System.out.println(prop + " (System): " +
++ System.getProperty(prop));
++ System.out.println(prop + " (Security): " +
++ Security.getProperty(prop));
++ }
++ }
++
++ /*
++ * Functional cross-test against an NSS DB generated by modutil
++ * with the same PIN. Check that we can perform a crypto operation
++ * that requires a login. The login might be explicit or implicit.
++ */
++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME);
++ if (DEBUG) {
++ System.out.println(FIPS_PROVIDER_NAME + ": " + p);
++ }
++ if (p == null) {
++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed.");
++ }
++ if (DEBUG) {
++ System.out.println("Login type: " + loginType);
++ }
++ if (loginType == LoginType.EXPLICIT) {
++ // Do the expansion to account for truncation, so C_Login in
++ // the NSS Software Token gets a UTF-8 encoded PIN.
++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8);
++ char[] pinChar = new char[pinUtf8.length];
++ for (int i = 0; i < pinChar.length; i++) {
++ pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++ }
++ KeyStore.getInstance("PKCS11", p).load(null, pinChar);
++ if (DEBUG) {
++ System.out.println("Explicit login succeeded.");
++ }
++ }
++ if (DEBUG) {
++ System.out.println("Trying a crypto operation...");
++ }
++ final int blockSize = 16;
++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p);
++ cipher.init(Cipher.ENCRYPT_MODE,
++ new SecretKeySpec(new byte[blockSize], "AES"));
++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) {
++ throw new Exception("Could not perform a crypto operation.");
++ }
++ if (DEBUG) {
++ if (loginType == LoginType.IMPLICIT) {
++ System.out.println("Implicit login succeeded.");
++ }
++ System.out.println("Crypto operation after login succeeded.");
++ }
++
++ if (loginType == LoginType.IMPLICIT) {
++ /*
++ * Additional unitary testing. Expected to succeed at this point.
++ */
++ if (DEBUG) {
++ System.out.println("Trying unitary test...");
++ }
++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP);
++ if (DEBUG) {
++ System.out.println("Path value (as a System property): " +
++ sysPathProp);
++ }
++ if (!expectedPath.equals(sysPathProp)) {
++ throw new Exception("Path is different than expected: " +
++ sysPathProp + " (actual) vs " + expectedPath +
++ " (expected).");
++ }
++ Class c = Class
++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler");
++ Method m = c.getDeclaredMethod("getFipsNssdbPin");
++ m.setAccessible(true);
++ String pin = null;
++ char[] pinChar = (char[]) m.invoke(c);
++ if (pinChar != null) {
++ byte[] pinUtf8 = new byte[pinChar.length];
++ for (int i = 0; i < pinUtf8.length; i++) {
++ pinUtf8[i] = (byte) pinChar[i];
++ }
++ pin = new String(pinUtf8, StandardCharsets.UTF_8);
++ }
++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) ||
++ expectedPin.isEmpty() && pin != null) {
++ throw new Exception("PIN is different than expected: '" + pin +
++ "' (actual) vs '" + expectedPin + "' (expected).");
++ }
++ if (DEBUG) {
++ System.out.println("PIN value: " + pin);
++ System.out.println("Unitary test succeeded.");
++ }
++ }
++ }
++
++ private static void mainLauncher() throws Throwable {
++ for (String pin : PINS_TO_TEST) {
++ Path workspace = Files.createTempDirectory(null);
++ try {
++ TestContext ctx = new TestContext(pin, workspace);
++ createNSSDB(ctx);
++ {
++ ctx.loginType = LoginType.IMPLICIT;
++ for (PropType propType : PropType.values()) {
++ ctx.propType = propType;
++ pinLauncher(ctx);
++ envLauncher(ctx);
++ fileLauncher(ctx);
++ }
++ }
++ explicitLoginLauncher(ctx);
++ } finally {
++ FileUtils.deleteFileTreeWithRetry(workspace);
++ }
++ }
++ }
++
++ private static void pinLauncher(TestContext ctx) throws Throwable {
++ launchTest(p -> {}, "pin:" + ctx.pin, ctx);
++ }
++
++ private static void envLauncher(TestContext ctx) throws Throwable {
++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR";
++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin),
++ "env:" + NSSDB_PIN_ENV_VAR, ctx);
++ }
++
++ private static void fileLauncher(TestContext ctx) throws Throwable {
++ // The file containing the PIN (ctx.nssdbPinFile) was created by the
++ // generatePinFile method, called from createNSSDB.
++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx);
++ }
++
++ private static void explicitLoginLauncher(TestContext ctx)
++ throws Throwable {
++ ctx.loginType = LoginType.EXPLICIT;
++ ctx.propType = PropType.SYSTEM;
++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx);
++ }
++
++ private static void launchTest(Consumer procCb, String pinPropVal,
++ TestContext ctx) throws Throwable {
++ if (DEBUG) {
++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP +
++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP +
++ "=" + pinPropVal);
++ }
++ Proc p = Proc.create(NssdbPin.class.getName())
++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name());
++ if (ctx.propType == PropType.SYSTEM) {
++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++ // Make sure that Security properties defaults are not used.
++ p.secprop(FIPS_NSSDB_PATH_PROP, "");
++ p.secprop(FIPS_NSSDB_PIN_PROP, "");
++ } else if (ctx.propType == PropType.SECURITY) {
++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++ pinPropVal = escapeForPropsFile(pinPropVal);
++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++ } else {
++ throw new Exception("Unsupported property type.");
++ }
++ if (DEBUG) {
++ p.inheritIO();
++ p.prop("java.security.debug", "sunpkcs11");
++ p.debug(NssdbPin.class.getName());
++
++ // Need the launched process to connect to a debugger?
++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" +
++ // "transport=dt_socket,address=localhost:8000,suspend=y");
++ } else {
++ p.nodump();
++ }
++ procCb.accept(p);
++ p.start().waitFor(0);
++ }
++
++ private static String escapeForPropsFile(String str) throws Throwable {
++ StringBuffer sb = new StringBuffer();
++ for (int i = 0; i < str.length(); i++) {
++ int cp = str.codePointAt(i);
++ if (Character.UnicodeBlock.of(cp)
++ == Character.UnicodeBlock.BASIC_LATIN) {
++ sb.append(Character.toChars(cp));
++ } else {
++ sb.append("\\u").append(String.format("%04X", cp));
++ }
++ }
++ return sb.toString();
++ }
++
++ private static void createNSSDB(TestContext ctx) throws Throwable {
++ ProcessBuilder pb = getModutilPB(ctx, "-create");
++ if (DEBUG) {
++ System.out.println("Creating an NSS DB in " + ctx.workspace +
++ "...");
++ System.out.println("cmd: " + String.join(" ", pb.command()));
++ }
++ if (pb.start().waitFor() != 0) {
++ throw new Exception("NSS DB creation failed.");
++ }
++ generatePinFile(ctx);
++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME,
++ "-newpwfile", ctx.nssdbPinFile.toString());
++ if (DEBUG) {
++ System.out.println("NSS DB created.");
++ System.out.println("Changing NSS DB PIN...");
++ System.out.println("cmd: " + String.join(" ", pb.command()));
++ }
++ if (pb.start().waitFor() != 0) {
++ throw new Exception("NSS DB PIN change failed.");
++ }
++ if (DEBUG) {
++ System.out.println("NSS DB PIN changed.");
++ }
++ }
++
++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args)
++ throws Throwable {
++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force");
++ List pbCommand = pb.command();
++ if (args != null) {
++ pbCommand.addAll(Arrays.asList(args));
++ }
++ pbCommand.add("-dbdir");
++ pbCommand.add(ctx.nssdbPath);
++ if (DEBUG) {
++ pb.inheritIO();
++ } else {
++ pb.redirectError(ProcessBuilder.Redirect.INHERIT);
++ }
++ return pb;
++ }
++
++ private static void generatePinFile(TestContext ctx) throws Throwable {
++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null);
++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() +
++ "2nd line with garbage");
++ }
++}
+diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+new file mode 100644
+index 00000000000..87f1ad04505
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+@@ -0,0 +1,77 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.security.Provider;
++import java.security.Security;
++
++/*
++ * @test
++ * @bug 9999999
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=30 VerifyMissingAttributes
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class VerifyMissingAttributes {
++
++ private static final String[] svcAlgImplementedIn = {
++ "AlgorithmParameterGenerator.DSA",
++ "AlgorithmParameters.DSA",
++ "CertificateFactory.X.509",
++ "KeyStore.JKS",
++ "KeyStore.CaseExactJKS",
++ "KeyStore.DKS",
++ "CertStore.Collection",
++ "CertStore.com.sun.security.IndexedCollection"
++ };
++
++ public static void main(String[] args) throws Throwable {
++ Provider sunProvider = Security.getProvider("SUN");
++ for (String svcAlg : svcAlgImplementedIn) {
++ String filter = svcAlg + " ImplementedIn:Software";
++ doQuery(sunProvider, filter);
++ }
++ if (Double.parseDouble(
++ System.getProperty("java.specification.version")) >= 17) {
++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" +
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey";
++ doQuery(Security.getProvider("SunRsaSign"), filter);
++ }
++ System.out.println("TEST PASS - OK");
++ }
++
++ private static void doQuery(Provider expectedProvider, String filter)
++ throws Exception {
++ if (expectedProvider == null) {
++ throw new Exception("Provider not found.");
++ }
++ Provider[] providers = Security.getProviders(filter);
++ if (providers == null || providers.length != 1 ||
++ providers[0] != expectedProvider) {
++ throw new Exception("Failure retrieving the provider with this" +
++ " query: " + filter);
++ }
++ }
++}
diff --git a/java-21-openjdk-portable.spec b/java-21-openjdk-portable.spec
new file mode 100644
index 0000000000000000000000000000000000000000..df2cc5e2537359b54d1724960245fa8eb6f9cd34
--- /dev/null
+++ b/java-21-openjdk-portable.spec
@@ -0,0 +1,2307 @@
+%define anolis_release .0.1
+# debug_package %%{nil} is portable-jdks specific
+%define debug_package %{nil}
+
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-21-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+# This is RHEL 7 specific as it doesn't seem to have the
+# __brp_strip_static_archive macro.
+%define __os_install_post %{nil}
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
+# However, it does segfault on the Zero assembler port, so currently JIT only
+%global share_arches %{jit_arches}
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
+%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
+
+# By default, we build a slowdebug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# The static libraries are produced under the same configuration as the main
+# build for portables, as we expect in-tree libraries to be used throughout.
+# If system libraries are enabled, the static libraries will also use them
+# which may cause issues.
+%global bootstrap_targets images %{static_libs_target} legacy-jre-image
+%global release_targets images docs-zip %{static_libs_target} legacy-jre-image
+# No docs nor bootcycle for debug builds
+%global debug_targets images %{static_libs_target} legacy-jre-image
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# DTS toolset to use to provide gcc & binutils
+%global dtsversion 10
+
+# Disable LTO as this causes build failures at the moment.
+# See RHBZ#1861401
+%define _lto_cflags %{nil}
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 21
+%global interimver 0
+%global updatever 3
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver %{featurever}
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+# This will only work where the bootstrap JDK is the same major version
+# as the JDK being built
+%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://access.redhat.com/support/cases/
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 0a42e29b391
+# Define JDK versions
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{vcstag}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 9
+%global rpmrelease 1
+#%%global tagsuffix %%{nil}
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip %{nil}
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+%global altjavaoutputdir install/altjava.install
+%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+# portable only declarations
+%global jreimage jre
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.jre;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.jdk;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.static-libs;g")
+%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
+%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
+%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}}
+%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
+# top of the JDK archive
+%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+%define docportablename() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable.docs;g")
+%define docportablearchive() %{docportablename}.tar.xz
+%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable.misc;g")
+%define miscportablearchive() %{miscportablename}.tar.xz
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for slowdebug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+# VM variant being built
+%ifarch %{zero_arches}
+%global vm_variant zero
+%else
+%global vm_variant server
+%endif
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+# Portables have no repo (requires/provides), but these are awesome for orientation in spec
+# Also scriptlets are happily missing and files are handled old fashion
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+}
+
+%define java_devel_rpo() %{expand:
+}
+
+%define java_static_libs_rpo() %{expand:
+}
+
+%define java_unstripped_rpo() %{expand:
+}
+
+%define java_docs_rpo() %{expand:
+}
+
+%define java_misc_rpo() %{expand:
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+# Define the architectures on which we build
+ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64
+# Define the OS this package is built on
+%undefine pkgos
+
+Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{anolis_release}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+
+# portables have grown out of its component, moving back to java-x-vendor
+# this expression, when declared as global, filled component with java-x-vendor portable
+%define component %(echo %{name} | sed "s;-portable%{?pkgos:-%{pkgos}};;g")
+
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+# Disabled in portables
+#Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# Source code for alt-java
+Source11: alt-java.c
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
+# OJ1357: Fix issue on FIPS with a SecurityManager in place
+# RH2134669: Add missing attributes when registering services in FIPS mode.
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+# RH1940064: Enable XML Signature provider in FIPS mode
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
+Patch1001: fips-%{featurever}u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+
+# Currently empty
+
+#############################################
+#
+# OpenJDK patches which missed last update
+#
+#############################################
+
+#############################################
+#
+# Portable build specific patches
+#
+#############################################
+
+# Currently empty
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: file
+BuildRequires: fontconfig-devel
+# BuildRequires: devtoolset-%{dtsversion}-gcc
+# BuildRequires: devtoolset-%{dtsversion}-gcc-c++
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+# N/A for portable. RHEL7 doesn't provide them
+#BuildRequires: crypto-policies
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+# to pack portable tarballs
+BuildRequires: tar
+BuildRequires: unzip
+BuildRequires: javapackages-tools
+BuildRequires: java-%{buildjdkver}-%{origin}%{?pkgos:-%{pkgos}}-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# Full documentation build requirements
+# pandoc is not available on RHEL 7
+%if 0%{?rhel} >= 8
+BuildRequires: graphviz
+BuildRequires: pandoc
+%endif
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
+BuildRequires: tzdata-java >= 2023d
+# cacerts build requirement in portable mode
+BuildRequires: ca-certificates
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/legal/freetype.md
+Provides: bundled(freetype) = 2.13.2
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 8.2.2
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.15.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.40
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment portable edition
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} runtime environment and development tools - portable edition
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package unstripped
+Summary: The %{origin_nice} %{featurever} runtime environment.
+
+%{java_unstripped_rpo %{nil}}
+
+%description unstripped
+The %{origin_nice} %{featurever} runtime environment.
+
+%endif
+
+%package docs
+Summary: %{origin_nice} %{featurever} API documentation
+
+%{java_docs_rpo %{nil}}
+
+%description docs
+The %{origin_nice} %{featurever} API documentation.
+
+%package misc
+Summary: %{origin_nice} %{featurever} miscellany
+
+%{java_misc_rpo %{nil}}
+
+%description misc
+The %{origin_nice} %{featurever} miscellany.
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?_build_cpu:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{_build_cpu}"
+%else
+ %{error:Unrecognised architecture %{_build_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+
+%if %{with fresh_libjvm} && ! %{build_hotspot_first}
+echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch"
+echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}"
+%endif
+
+export XZ_OPT="-T0"
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+# This syntax is deprecated:
+# %patchN [...]
+# and should be replaced with:
+# %patch -PN [...]
+# For example:
+# %patch1001 -p1
+# becomes:
+# %patch -P1001 -p1
+# The replacement format suggested by recent (circa Fedora 38) RPM
+# deprecation messages:
+# %patch N [...]
+# is not backward-compatible with prior (circa RHEL-8) versions of
+# rpmbuild.
+pushd %{top_level_dir_name}
+# Add crypto policy and FIPS support
+%patch -P1001 -p1
+popd # openjdk
+
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# Portables do not have desktop integration
+
+%build
+
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+export XZ_OPT="-T0"
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+# Set modification times (mtimes) of files within JAR files generated
+# by the OpenJDK build to a timestamp that is constant across RPM
+# rebuilds. OpenJDK provides the --with-source-date configure option
+# for this purpose. Potential arguments in the RPM build context are:
+#
+# A) --with-source-date="${SOURCE_DATE_EPOCH}"
+# B) --with-source-date=version
+# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}"
+#
+# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3)
+# have different support for SOURCE_DATE_EPOCH. To keep
+# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the
+# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and
+# RHEL-8. However, on RHEL-8, this results in the RPM build times
+# being set to the timestamp of the most recent changelog. This is
+# bad for tracing when RPMs were actually built. Fedora 38 supports a
+# better behaviour via the introduction of the
+# use_source_date_epoch_as_buildtime macro, set to 0 by default.
+# There is no way to make this work on RHEL-8 as well though, so
+# option A is suboptimal.
+#
+# Option B uses the value of the DEFAULT_VERSION_DATE field from
+# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the
+# aspirational eventual JDK general availability (GA) release date.
+# When the RPM build occurs prior to GA, generated JAR files will have
+# payload mtimes in the future relative to the RPM build time.
+# Whereas for tarballs some tools will issue warnings about future
+# mtimes, per OPENJDK-2583 apparently this is no problem for Java and
+# JAR files.
+#
+# Option C uses the modification timestamp of files in the source
+# tarball. The reproducibility logic in generate_source_tarball.sh
+# sets them all to the commit time of the release-tagged OpenJDK
+# commit, as archived in the tarball. This timestamp is deterministic
+# across RPM rebuilds and is reliably in the past. Any file's mtime
+# will do, so use version-numbers.conf's.
+#
+# Use option B for JAR files, based on the discussion in OPENJDK-2583.
+#
+# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for
+# the modification times of all files in the portable tarballs. Doing
+# so eliminates one source of variability across RPM rebuilds.
+VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf
+OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")"
+
+echo "Building %{SOURCE11}"
+mkdir -p %{altjavaoutputdir}
+gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
+echo "Generating %{alt_java_name} man page"
+altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1
+echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage}
+cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage}
+
+echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+ local debug_symbols=${6}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Using debug_symbols: ${debug_symbols}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
+ bash -c "bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+ --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \
+ --with-version-build=%{buildver} \
+ --with-version-pre=\"%{ea_designator}\" \
+ --with-version-opt=\"%{lts_designator}\" \
+ --with-vendor-version-string=\"%{oj_vendor_version}\" \
+ --with-vendor-name=\"%{oj_vendor}\" \
+ --with-vendor-url=\"%{oj_vendor_url}\" \
+ --with-vendor-bug-url=\"%{oj_vendor_bug_url}\" \
+ --with-vendor-vm-bug-url=\"%{oj_vendor_bug_url}\" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="${debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=${libc_link_opt} \
+ --with-extra-cxxflags=\"$EXTRA_CPP_FLAGS\" \
+ --with-extra-cflags=\"$EXTRA_CFLAGS\" \
+ --with-extra-ldflags=\"%{ourldflags}\" \
+ --with-num-cores=\"$NUM_PROC\" \
+ --with-source-date=\"version\" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors"
+
+ cat spec.gmk
+ bash -c "make LOG=trace $maketargets || \
+ ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false )"
+ popd
+}
+
+function stripjdk() {
+ local outputdir=${1}
+ local jdkimagepath=${outputdir}/images/%{jdkimage}
+ local jreimagepath=${outputdir}/images/%{jreimage}
+ local jmodimagepath=${outputdir}/images/jmods
+ local supportdir=${outputdir}/support
+ local modulebuildpath=${outputdir}/jdk/modules
+
+ if [ "x$suffix" = "x" ] ; then
+ # Keep the unstripped version for consumption by RHEL RPMs
+ cp -a ${jdkimagepath}{,.unstripped}
+
+ # Strip the files
+ for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} ${modulebuildpath} -type f) ; do
+ if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then
+ noextfile=${file/.so/};
+ bash -c "objcopy --only-keep-debug ${file} ${noextfile}.debuginfo";
+ bash -c "objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}";
+ bash -c "strip -g ${file}";
+ fi
+ done
+
+ # Rebuild jmod files against the stripped binaries
+ if [ ! -d ${supportdir} ] ; then
+ echo "Support directory missing.";
+ exit 15
+ fi
+ for cmd in $(find ${supportdir} -name '*.jmod_exec.cmdline') ; do
+ pre=${cmd/_exec/_pre};
+ post=${cmd/_exec/_post};
+ jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##')
+ echo "Rebuilding ${jmod} against stripped binaries...";
+ if [ -e ${pre} ] ; then
+ echo "Executing ${pre}...";
+ cat ${pre} | sh -s ;
+ fi
+ echo "Executing ${cmd}...";
+ cat ${cmd} | sh -s ;
+ if [ -e ${post} ] ; then
+ echo "Executing ${post}...";
+ cat ${post} | sh -s ;
+ fi
+ done
+ rm -rf ${jdkimagepath}/jmods
+ cp -a ${jmodimagepath} ${jdkimagepath}
+ fi
+}
+
+function installjdk() {
+ local outputdir=${1}
+ local installdir=${2}
+ local jdkimagepath=${installdir}/images/%{jdkimage}
+ local jreimagepath=${installdir}/images/%{jreimage}
+ local unstripped=${jdkimagepath}.unstripped
+
+ echo "Installing build from ${outputdir} to ${installdir}..."
+ mkdir -p ${installdir}
+ echo "Installing images..."
+ mv ${outputdir}/images ${installdir}
+ if [ -d ${outputdir}/bundles ] ; then
+ echo "Installing bundles...";
+ mv ${outputdir}/bundles ${installdir} ;
+ fi
+
+%if !%{with artifacts}
+ echo "Removing output directory...";
+ rm -rf ${outputdir}
+%endif
+
+ # legacy-jre-image target does not install any man pages for the JRE
+ # We copy the jdk man directory and then remove pages for binaries that
+ # don't exist in the JRE
+ cp -a ${jdkimagepath}/man ${jreimagepath}
+ for manpage in $(find ${jreimagepath}/man -name '*.1'); do
+ filename=$(basename ${manpage});
+ binary=${filename/.1/};
+ if [ ! -f ${jreimagepath}/bin/${binary} ] ; then
+ echo "Removing ${manpage} from JRE for which no binary ${binary} exists";
+ rm -f ${manpage};
+ fi;
+ done
+
+ for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install local files which are distributed with the JDK
+ install -m 644 %{SOURCE10} ${imagepath}
+
+ # Print release information
+ cat ${imagepath}/release
+ fi
+ done
+}
+
+function genchecksum() {
+ local checkedfile=${1}
+
+ checkdir=$(dirname ${1})
+ checkfile=$(basename ${1})
+
+ echo "Generating checksum for ${checkfile} in ${checkdir}..."
+ pushd ${checkdir}
+ sha256sum ${checkfile} > ${checkfile}.sha256sum
+ sha256sum --check ${checkfile}.sha256sum
+ popd
+}
+
+# Create a reproducible tarball in an appropriate way for
+# the version of tar in use
+function createtar() {
+ local directory=${1}
+ local archive=${2}
+ local filter=${3}
+ local transform=${4}
+
+ if [ "x${filter}" != "x" ] ; then
+ local filteroption="-name ${filter}";
+ fi
+ if [ "x${transform}" != "x" ] ; then
+ local transoption="--transform ${transform}";
+ fi
+
+ local common_tar_opts="--owner=0 --group=0 --numeric-owner \
+ ${transoption} --create --xz"
+ # Capture tar version, removing the decimal point (so 1.28 => 128)
+ tarver=$(tar --version|head -n1|sed -re 's|tar \(GNU tar\) ([0-9]).([0-9]*)|\1\2|')
+ echo "Detected tar ${tarver}"
+ if [ ${tarver} -gt 128 ] ; then
+ local tar_time="$(date --utc --iso-8601=seconds --date=@"${OPENJDK_UPSTREAM_TAG_EPOCH}")"
+ local tar_opts="--mtime=${tar_time} --sort=name ${common_tar_opts}"
+ if test "x${filteroption}" = "x"; then
+ tar ${tar_opts} --file ${archive} ${directory}
+ else
+ tar ${tar_opts} --file ${archive} $(find ${directory} ${filteroption})
+ fi
+ else
+ # See https://reproducible-builds.org/docs/archives/
+ # RHEL-7 has tar 1.26 which does not support --sort=name (added
+ # in 1.28), so use find-piped-through-sort instead. Omit
+ # --pax-option since it made the docs package not reproducible
+ # due to PaxHeaders timestamp differences.
+ local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \
+ --no-recursion --null --files-from - \
+ ${common_tar_opts}"
+ find ${directory} ${filteroption} -print0 | \
+ LC_ALL=C sort -z | \
+ tar ${tar_opts} --file ${archive}
+ fi
+}
+
+function packagejdk() {
+ local imagesdir=$(pwd)/${1}/images
+ local docdir=$(pwd)/${1}/images/docs
+ local bundledir=$(pwd)/${1}/bundles
+ local packagesdir=$(pwd)/${2}
+ local srcdir=$(pwd)/%{top_level_dir_name}
+ local tapsetdir=$(pwd)/tapset
+ local altjavadir=$(pwd)/${3}
+
+ echo "Packaging build from ${imagesdir} to ${packagesdir}..."
+ mkdir -p ${packagesdir}
+ pushd ${imagesdir}
+
+ if [ "x$suffix" = "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+
+ jdkname=%{jdkportablename -- "$nameSuffix"}
+ jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
+ jrename=%{jreportablename -- "$nameSuffix"}
+ jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
+ staticname=%{staticlibsportablename -- "$nameSuffix"}
+ staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
+ debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"}
+ unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"}
+ # We only use docs for the release build
+ docname=%{docportablename}
+ docarchive=${packagesdir}/%{docportablearchive}
+ built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+ # These are from the source tree so no debug variants
+ miscname=%{miscportablename}
+ miscarchive=${packagesdir}/%{miscportablearchive}
+
+ if [ "x$suffix" = "x" ] ; then
+ # Keep the unstripped version for consumption by RHEL RPMs
+ mv %{jdkimage}.unstripped ${jdkname}
+ createtar ${jdkname} ${unstrippedarchive}
+ genchecksum ${unstrippedarchive}
+ mv ${jdkname} %{jdkimage}.unstripped
+ fi
+
+ # Rename directories for packaging
+ mv %{jdkimage} ${jdkname}
+ mv %{jreimage} ${jrename}
+
+ # Release images have external debug symbols
+ if [ "x$suffix" = "x" ] ; then
+ createtar ${jdkname} ${debugarchive} \*.debuginfo
+ genchecksum ${debugarchive}
+
+ mkdir ${docname}
+ mv ${docdir} ${docname}
+ mv ${bundledir}/${built_doc_archive} ${docname}
+ createtar ${docname} ${docarchive}
+ genchecksum ${docarchive}
+
+ mkdir ${miscname}
+ for s in 16 24 32 48 ; do
+ cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname}
+ done
+%if %{with_systemtap}
+ cp -a ${tapsetdir}* ${miscname}
+%endif
+ cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname}
+ createtar ${miscname} ${miscarchive}
+ genchecksum ${miscarchive}
+ fi
+
+ createtar ${jdkname} ${jdkarchive}
+ genchecksum ${jdkarchive}
+
+ createtar ${jrename} ${jrearchive}
+ genchecksum ${jrearchive}
+
+%if %{include_staticlibs}
+ # Static libraries (needed for building graal vm with native image)
+ # Tar as overlay. Transform to the JDK name, since we just want to "add"
+ # static libraries to that folder
+ createtar "%{static_libs_image}/lib" ${staticarchive} "" \
+ "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|"
+ genchecksum ${staticarchive}
+%endif
+
+ # Revert directory renaming so testing will run
+ # TODO: testing should run on the packaged JDK
+ mv ${jdkname} %{jdkimage}
+ mv ${jrename} %{jreimage}
+
+ popd #images
+
+}
+
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal"
+ mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant}
+%else
+ systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+ # We build with internal debug symbols and do
+ # our own stripping for one version of the
+ # release build
+ debug_symbols=internal
+
+ builddir=%{buildoutputdir -- ${suffix}}
+ bootbuilddir=boot${builddir}
+ installdir=%{installoutputdir -- ${suffix}}
+ bootinstalldir=boot${installdir}
+ packagesdir=%{packageoutputdir -- ${suffix}}
+
+ link_opt="%{link_type}"
+%if %{system_libs}
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+%endif
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ installjdk ${bootbuilddir} ${bootinstalldir}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ stripjdk ${builddir}
+ installjdk ${builddir} ${installdir}
+ %{!?with_artifacts:rm -rf ${bootinstalldir}}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
+ stripjdk ${builddir}
+ installjdk ${builddir} ${installdir}
+ fi
+ packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir}
+
+%if %{system_libs}
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path
+top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# Pre-test setup
+
+# System security properties are disabled by default on portable.
+# Turn on system security properties
+#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+#${JAVA_HOME}/conf/security/java.security
+
+# Check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+# Specific to portable:System security properties to be off by default
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+# set_speculation function exists in both cases, so check for prctl call
+%ifarch %{ssbd_arches}
+nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl
+%else
+if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi
+%endif
+
+%if ! 0%{?flatpak}
+# Check translations are available for new timezones (during flatpak builds, the
+# tzdb.dat used by this test is not where the test expects it, so this is
+# disabled for flatpak builds)
+# Disable test until we are on the latest JDK
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+ls -l $STATIC_LIBS_HOME
+ls -l $STATIC_LIBS_HOME/lib
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c
+%endif
+
+# Release builds strip the debug symbols into external .debuginfo files
+if [ "x$suffix" = "x" ] ; then
+ so_suffix="debuginfo"
+else
+ so_suffix="so"
+fi
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" < - 1:21.0.3.0.9.0.1-1
+- Use anolis dist
+
+* Sat Apr 13 2024 Andrew Hughes - 1:21.0.3.0.9-1
+- Update to jdk-21.0.3+9 (GA)
+- Update release notes to 21.0.3+9
+- Switch to GA mode.
+- Change --with-source-date value to 'version' to match Temurin builds
+- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
+- Resolves: OPENJDK-2585
+
+* Thu Apr 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea
+- Update to jdk-21.0.3+7 (EA)
+- Update release notes to 21.0.3+7
+- Require tzdata 2024a due to upstream inclusion of JDK-8322725
+- Only require tzdata 2023d for now as 2024a is unavailable in buildroot
+- Drop JDK-8009550 which is now available upstream
+- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254
+
+* Thu Mar 21 2024 Andrew Hughes - 1:21.0.3.0.1-0.2.ea
+- generate_source_tarball.sh: Update examples in header for clarity
+- generate_source_tarball.sh: Cleanup message issued when checkout already exists
+- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP
+- generate_source_tarball.sh: Only add --depth=1 on non-local repositories
+- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch
+- Move maintenance scripts to a scripts subdirectory
+- discover_trees.sh: Set compile-command and indentation instructions for Emacs
+- discover_trees.sh: shellcheck: Do not use -o (SC2166)
+- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
+- discover_trees.sh: shellcheck: Double-quote variable references (SC2086)
+- generate_source_tarball.sh: Add authorship
+- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs
+- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086)
+- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
+- openjdk_news.sh: Set compile-command and indentation instructions for Emacs
+- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086)
+- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
+- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196)
+- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST
+- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086)
+- Vary reproducible tar creation by version of tar detected
+- Set OPENJDK_UPSTREAM_TAG_EPOCH & VERSION_FILE at start of build section as in 17u
+- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck
+
+* Wed Mar 20 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea
+- generate_source_tarball.sh: Add WITH_TEMP environment variable
+- generate_source_tarball.sh: Multithread xz on all available cores
+- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
+- generate_source_tarball.sh: Update comment about tarball naming
+- generate_source_tarball.sh: Reformat comment header
+- generate_source_tarball.sh: Reformat and update help output
+- generate_source_tarball.sh: Do a shallow clone, for speed
+- generate_source_tarball.sh: Append -ea designator when required
+- generate_source_tarball.sh: Eliminate some removal prompting
+- generate_source_tarball.sh: Make tarball reproducible
+- generate_source_tarball.sh: Prefix temporary directory with temp-
+- generate_source_tarball.sh: Remove temporary directory exit conditions
+- generate_source_tarball.sh: Fix -ea logic to add dash
+- generate_source_tarball.sh: Set compile-command in Emacs
+- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
+- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
+- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
+- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086)
+- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166)
+- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004)
+- Use backward-compatible patch syntax
+- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST
+- generate_source_tarball.sh: Fix whitespace
+- generate_source_tarball.sh: Remove trailing period in echo
+- generate_source_tarball.sh: Use long-style argument to grep
+- generate_source_tarball.sh: Add license
+- generate_source_tarball.sh: Add indentation instructions for Emacs
+- Remove -T0 argument from systemtap tar invocation
+
+* Mon Mar 11 2024 Andrew Hughes - 1:21.0.3.0.1-0.2.ea
+- Introduce tar_opts to avoid repetition of lengthy tar creation options
+- Add module build path to stripped directories to catch jpackageapplauncher files
+- Move alt-java man page to the misc tarball so it is not in the JDK image
+- Resolves: OPENJDK-2820
+- Resolves: OPENJDK-2821
+
+* Thu Feb 08 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea
+- Invoke xz in multi-threaded mode
+- Remove ppc64le with-jobs=1 workaround
+- Make portable tarball modification times reproducible
+- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs
+
+* Fri Feb 02 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea
+- Update to jdk-21.0.3+1 (EA)
+- Update release notes to 21.0.3+1
+- Switch to EA mode
+- Require tzdata 2023d due to upstream inclusion of JDK-8322725
+- Bump FreeType version to 2.13.2 following JDK-8316028
+
+* Sat Jan 27 2024 Andrew Hughes - 1:21.0.2.0.13-2
+- Sync with upstream release notes
+
+* Tue Jan 09 2024 Andrew Hughes - 1:21.0.2.0.13-1
+- Update to jdk-21.0.2+13 (GA)
+- Update release notes to 21.0.2+13
+- Drop no longer needed local patch to fix versioning
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Mon Jan 08 2024 Andrew Hughes - 1:21.0.2.0.12-1
+- Update to jdk-21.0.2+12 (GA)
+- Update release notes to 21.0.2+12
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Sat Jan 06 2024 Andrew Hughes - 1:21.0.2.0.11-1
+- Update to jdk-21.0.2+11 (GA)
+- Update release notes to 21.0.2+11
+- Bump libpng version to 1.6.40 following JDK-8316030
+- Bump HarfBuzz version to 8.2.2 following JDK-8313643
+- Drop local JDK-8311630 patch which is now upstream
+- Locally patch versioning to be 21.0.2 released on 2014-01-16
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Mon Nov 06 2023 Andrew Hughes - 1:21.0.1.0.12-2
+- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x
+
+* Sun Oct 29 2023 Andrew Hughes - 1:21.0.1.0.12-1
+- Update to jdk-21.0.1.0+12 (GA)
+- Update release notes to 21.0.1.0+12
+- Update openjdk_news script to specify subdirectory last
+- Add missing discover_trees script required by openjdk_news
+- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng)
+- Sync generate_tarball.sh with 11u & 17u version
+- Update bug URL for RHEL to point to the Red Hat customer portal
+- Fix upstream release URL for OpenJDK source
+- Update buildjdkver to match the featurever
+- Re-enable SystemTap support and perform only substitutions possible without final NVR available
+- Fix typo which stops the EA designator being included in the build
+- Include tapsets in the miscellaneous tarball
+- Drop unused globals for tapset installation
+- Rebuild jmods using the stripped binaries in release builds
+- Make sure the unstripped JDK is customised by the installjdk function
+
+* Sat Oct 28 2023 Andrew Hughes - 1:21.0.0.0.35-1
+- Update to jdk-21.0.0+35
+- Update release notes to 21.0.0+35
+- Update documentation (README.md)
+- Update system crypto policy & FIPS patch from new fips-21u tree
+- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal
+- Drop fakefeaturever now it is no longer needed
+- Hardcode buildjdkver while the build JDK is not yet 21
+- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
+- Use upstream release URL for OpenJDK source
+- Re-enable tzdata tests now we are on the latest JDK and things are back in sync
+- Fix trailing '.' in tarball name
+- Use rpmrelease in vendor version to avoid inclusion of dist tag
+- Replace alt-java patch with a binary separate from the JDK
+- Drop stale patches that are of little use any more:
+- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
+- * No accessibility subpackage to warrant RH1648242 patch any more
+- * No use of system libjpeg turbo to warrant RH649512 patch any more
+- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
+
+* Sat Oct 28 2023 Petra Alice Mikova - 1:21.0.0.0.35-1
+- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Andrew Hughes - 1:20.0.2.0.9-1.1
+- Update to jdk-20.0.2+9
+- Update release notes to 20.0.2+9
+- Update system crypto policy & FIPS patch from new fips-20u tree
+- Update generate_tarball.sh ICEDTEA_VERSION
+- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit)
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Jiri Vanek - 1:20.0.0.0.36-1
+- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream
+- Adapted rh1750419-redhat_alt_java.patch
+- Related: rhbz#2192749
+
+* Fri Oct 27 2023 Andrew Hughes - 1:19.0.1.0.10-1
+- Update to jdk-19.0.2 release
+- Update release notes to 19.0.2
+- Rebase FIPS patches from fips-19u branch
+- Remove references to sample directory removed by JDK-8284999
+- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag
+- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases
+- Related: rhbz#2192749
+
+* Tue Oct 24 2023 Andrew Hughes - 1:18.0.2.0.9-1
+- Update to jdk-18.0.2 release
+- Update release notes to actually reflect OpenJDK 18
+- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory
+- Rebase FIPS patches from fips-18u branch
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built
+- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21
+- Switch bootjdkver to java-21-openjdk
+- Disable tzdata tests until we are on the latest JDK and things are back in sync
+- Drop bootstrap JDKs and use the java-21-openjdk-rhel7 build
+- Related: rhbz#2192749
+
+* Tue Oct 24 2023 Petra Alice Mikova - 1:18.0.0.0.37-1
+- Update to ea version of jdk18
+- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+* Tue Aug 22 2023 Andrew Hughes - 1:17.0.7.0.7-2
+- Define architectures we build on to avoid those without DTS 10 (e.g. s390)
+
+* Tue Aug 22 2023 Andrew Hughes - 1:17.0.7.0.7-2
+- Switch to DTS 10
+- Related: rhbz#2192749
+
+* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2
+- Create java-21-openjdk-portable package based on java-17-openjdk-portable
+- Related: rhbz#2192749
+
+* Thu Apr 13 2023 Andrew Hughes - 1:17.0.7.0.7-1
+- Update to jdk-17.0.7.0+7
+- Update release notes to 17.0.7.0+7
+- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
+- Reintroduce generate_source_tarball.sh from RHEL 9
+- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
+- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
+- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
+- Update FIPS support against 17.0.7+6 and bring in latest changes:
+- * RH2134669: Add missing attributes when registering services in FIPS mode.
+- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+- * RH1940064: Enable XML Signature provider in FIPS mode
+- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
+- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
+- Resolves: rhbz#2185182
+- Resolves: rhbz#2134669
+- Resolves: rhbz#1940064
+- Resolves: rhbz#2173781
+
+* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6
+- Add docs, icons and samples to the portable output
+- Make sure generated checksums work and don't include full path
+- The docs directory is a subdirectory of images, so remove confusing separate copying
+
+* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5
+- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build
+- Restore compiler flags to those used in RHEL
+- Drop unused static library patch
+- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago
+
+* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4
+- Separate JDK packaging into a separate function
+- Use variables to make it clearer what is going on
+- Use a package output directory as we do for building and installing
+- Workaround missing manpage directory in the JRE image
+
+* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3
+- Adapt the portable build to use the same system library handling as RHEL builds
+
+* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3
+- Add missing release note for JDK-8295687
+- Resolves: rhbz#2160111
+
+* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2
+- Update FIPS support to bring in latest changes
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- * OJ1357: Fix issue on FIPS with a SecurityManager in place
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
+- Resolves: rhbz#2118493
+
+* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2
+- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
+- Related: rhbz#2160111
+
+* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1
+- Update to jdk-17.0.6.0+10
+- Update release notes to 17.0.6.0+10
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Drop JDK-8275535 local patch now this has been accepted and backported upstream
+- Drop local copy of JDK-8293834 now this is upstream
+- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
+- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
+- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. **
+- Resolves: rhbz#2160111
+
+* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+- Related: rhbz#2160111
+
+* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
+* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2
+- Update FIPS support to bring in latest changes
+- * RH2023467: Enable FIPS keys export
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- Resolves: rhbz#2123579
+- Resolves: rhbz#2123580
+- Resolves: rhbz#2123581
+- Resolves: rhbz#2123583
+- Resolves: rhbz#2123584
+
+* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1
+- Added a missing change to portable NEWS file from upstream.
+
+* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119532
+
+* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1
+- Commented out: fipsver f8142a23d0a which was from rhel-9-main
+- Picked 17.0.4+8 GA tag from rhel-9.0.0
+- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0
+
+* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1
+- Update to jdk-17.0.4.0+8 (GA)
+- Update release notes to 17.0.4.0+8
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. **
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Related: rhbz#2084779
+
+* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea
+- Tweaked line to print release information for portable
+
+* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+- Related: rhbz#2084218
+
+* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8
+- Comment line for portable: System security properties to be off by default
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102433
+
+* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7
+- System security properties are disabled by default on portable.
+- Commented out lines which are not applicable for portable.
+
+* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099844
+- Resolves: rhbz#2100677
+
+* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6
+- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+
+* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+- Resolves: rhbz#2029657
+- Resolves: rhbz#2096117
+
+* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5
+- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build
+
+* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4
+- to pass aqa, fixing genuie failure in :
+- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions
+- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions
+- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch
+- this, properly named, patch must go to all our jdk17 builds, and to the fips repo
+
+* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3
+- to pass aqa:
+- removed copy system tzdb in favour of in-tree
+- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch
+- This is not intended to release untill we decide proper steps
+
+* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2
+- Include BOOT_JDK for s390x for portable
+- BOOT_JDK downlaoded form hydra as
+ java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz
+ and renamed
+- Added cosmetic changes to bypass a failure for s390x
+
+* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1
+- April 2022 security update to jdk 17.0.3+7
+- Remove JDK-8284548 and JDK-8284920 they are upstreamed now
+- Resolves: rhbz#2073579
+
+* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3
+- Add JDK-8284920 fix for XPath regression
+- Related: rhbz#2073575
+
+* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2
+- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit
+- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476
+- Related: rhbz#2073575
+
+* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1
+- April 2022 security update to jdk 17.0.3+6
+- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408)
+- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga
+- Update release notes to 17.0.3.0+6
+- Add missing README.md and generate_source_tarball.sh
+- Introduce tests/tests.yml, based on the one in java-11-openjdk
+- JDK-8283911 patch no longer needed now we're GA...
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
+- Resolves: rhbz#2073575
+
+* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea
+- Update to jdk-17.0.3.0+5
+- Update release notes to 17.0.3.0+5
+- Resolves: rhbz#2050460
+
+* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea
+- Update to jdk-17.0.3.0+1
+- Update release notes to 17.0.3.0+1
+- Switch to EA mode for 17.0.3 pre-release builds.
+- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
+- Related: rhbz#2050456
+
+* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10
+- Update icedtea_sync.sh with suitable message for portable
+
+* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Handle Fedora in distro conditionals that currently only pertain to RHEL.
+- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
+- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+- Need to support noarch for creating source RPMs for non-scratch builds.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Resolves: rhbz#2022822
+
+* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9
+- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+- Correction to previous changelog entry
+- Resolves: rhbz#2052070
+
+* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8
+- Detect NSS at runtime for FIPS detection
+- Resolves: rhbz#2051605
+
+* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053521
+
+* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
+- Related: rhbz#2022822
+
+* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4
+- Extend LTS check to exclude EPEL.
+- Related: rhbz#2022822
+
+* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+
+* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Related: rhbz#2039366
+
+* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1
+- January 2022 security update to jdk 17.0.2+8
+- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
+- Resolves: rhbz#2039366
+- Minor change to the OUTPUT_FILE value to separate the name from the version with '-'
+
+* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+ secmod.db file as part of nss
+- Resolves: rhbz#2023537
+
+* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2
+- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1
+- October CPU update to jdk 17.0.1+12
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Add patch to allow plain key import.
+
+* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5
+- cacerts symlink is resolved before passed to configure
+- https://issues.redhat.com/browse/OPENJDK-487
+- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS
+-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss
+-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started
+
+* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4
+- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000000000000000000000000000000000000..25c2fc8d6b6223c0442a41adb51230244589d1a1
--- /dev/null
+++ b/remove-intree-libraries.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib & freetype having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
+
+# Minimal is limited to just zlib and freetype so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h