From 8f5e526646f466df6b6e6911040af7603c1ae0e2 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Mon, 8 Jul 2024 13:34:39 +0800 Subject: [PATCH 1/2] import java-21-openjdk-portable-21.0.3.0.9-1.src.rpm Signed-off-by: Zhao Hang --- CheckVendor.java | 65 + NEWS | 0 README.en.md | 36 - README.md | 39 - TestCryptoLevel.java | 72 + TestECDSA.java | 49 + TestSecurityProperties.java | 84 + TestTranslations.java | 160 ++ alt-java.c | 100 + dist | 1 + download | 2 + fips-21u-0a42e29b391.patch | 4234 +++++++++++++++++++++++++++++++++ java-21-openjdk-portable.spec | 2303 ++++++++++++++++++ remove-intree-libraries.sh | 164 ++ 14 files changed, 7234 insertions(+), 75 deletions(-) create mode 100644 CheckVendor.java create mode 100644 NEWS delete mode 100644 README.en.md delete mode 100644 README.md create mode 100644 TestCryptoLevel.java create mode 100644 TestECDSA.java create mode 100644 TestSecurityProperties.java create mode 100644 TestTranslations.java create mode 100644 alt-java.c create mode 100644 dist create mode 100644 download create mode 100644 fips-21u-0a42e29b391.patch create mode 100644 java-21-openjdk-portable.spec create mode 100644 remove-intree-libraries.sh diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..e69de29 diff --git a/README.en.md b/README.en.md deleted file mode 100644 index fe2caf2..0000000 --- a/README.en.md +++ /dev/null @@ -1,36 +0,0 @@ -# java-21-openjdk-portable - -#### Description -{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**} - -#### Software Architecture -Software architecture description - -#### Installation - -1. xxxx -2. xxxx -3. xxxx - -#### Instructions - -1. xxxx -2. xxxx -3. xxxx - -#### Contribution - -1. Fork the repository -2. Create Feat_xxx branch -3. Commit your code -4. Create Pull Request - - -#### Gitee Feature - -1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md -2. Gitee blog [blog.gitee.com](https://blog.gitee.com) -3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore) -4. The most valuable open source project [GVP](https://gitee.com/gvp) -5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help) -6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/README.md b/README.md deleted file mode 100644 index 7681d9d..0000000 --- a/README.md +++ /dev/null @@ -1,39 +0,0 @@ -# java-21-openjdk-portable - -#### 介绍 -{**以下是 Gitee 平台说明,您可以替换此简介** -Gitee 是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台 -无论是个人、团队、或是企业,都能够用 Gitee 实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)} - -#### 软件架构 -软件架构说明 - - -#### 安装教程 - -1. xxxx -2. xxxx -3. xxxx - -#### 使用说明 - -1. xxxx -2. xxxx -3. xxxx - -#### 参与贡献 - -1. Fork 本仓库 -2. 新建 Feat_xxx 分支 -3. 提交代码 -4. 新建 Pull Request - - -#### 特技 - -1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md -2. Gitee 官方博客 [blog.gitee.com](https://blog.gitee.com) -3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解 Gitee 上的优秀开源项目 -4. [GVP](https://gitee.com/gvp) 全称是 Gitee 最有价值开源项目,是综合评定出的优秀开源项目 -5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) -6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..2967a32 --- /dev/null +++ b/TestSecurityProperties.java @@ -0,0 +1,84 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + +} diff --git a/TestTranslations.java b/TestTranslations.java new file mode 100644 index 0000000..f6a4fe2 --- /dev/null +++ b/TestTranslations.java @@ -0,0 +1,160 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV, CIUDAD_JUAREZ; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", + "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", + "heure des Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST", + "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", + "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/alt-java.c b/alt-java.c new file mode 100644 index 0000000..644d002 --- /dev/null +++ b/alt-java.c @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2023 Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Red Hat designates this + * particular file as subject to the "Classpath" exception as provided + * by Red Hat in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* Per task speculation control */ +#ifndef PR_GET_SPECULATION_CTRL +# define PR_GET_SPECULATION_CTRL 52 +#endif +#ifndef PR_SET_SPECULATION_CTRL +# define PR_SET_SPECULATION_CTRL 53 +#endif +/* Speculation control variants */ +#ifndef PR_SPEC_STORE_BYPASS +# define PR_SPEC_STORE_BYPASS 0 +#endif +/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ + +#ifndef PR_SPEC_NOT_AFFECTED +# define PR_SPEC_NOT_AFFECTED 0 +#endif +#ifndef PR_SPEC_PRCTL +# define PR_SPEC_PRCTL (1UL << 0) +#endif +#ifndef PR_SPEC_ENABLE +# define PR_SPEC_ENABLE (1UL << 1) +#endif +#ifndef PR_SPEC_DISABLE +# define PR_SPEC_DISABLE (1UL << 2) +#endif +#ifndef PR_SPEC_FORCE_DISABLE +# define PR_SPEC_FORCE_DISABLE (1UL << 3) +#endif +#ifndef PR_SPEC_DISABLE_NOEXEC +# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) +#endif + +static void set_speculation() { +#if defined(__linux__) && defined(__x86_64__) + // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it + // if ( prctl(PR_SET_SPECULATION_CTRL, + // PR_SPEC_STORE_BYPASS, + // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { + // return; + // } + prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); +#else +#warning alt-java requested but SSB mitigation not available on this platform. +#endif +} + +int main(int argc, char **argv) { + set_speculation(); + + char our_name[PATH_MAX], java_name[PATH_MAX]; + ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1); + if (len < 0) { + perror("I can't find myself"); + exit(2); + } + + our_name[len] = '\0'; // readlink(2) doesn't append a null byte + char *path = dirname(our_name); + strncpy(java_name, path, PATH_MAX - 1); + + size_t remaining_bytes = PATH_MAX - strlen(path) - 1; + strncat(java_name, "/java", remaining_bytes); + + execv(java_name, argv); + fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno)); + + exit(1); +} + diff --git a/dist b/dist new file mode 100644 index 0000000..9c0e36e --- /dev/null +++ b/dist @@ -0,0 +1 @@ +an8 diff --git a/download b/download new file mode 100644 index 0000000..79e7650 --- /dev/null +++ b/download @@ -0,0 +1,2 @@ +8dc19ce98ca6c05fae8907d968f0ddd3 openjdk-21.0.3+9.tar.xz +5d441d6217cc75372ca5a0943997cb24 tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/fips-21u-0a42e29b391.patch b/fips-21u-0a42e29b391.patch new file mode 100644 index 0000000..54e8da0 --- /dev/null +++ b/fips-21u-0a42e29b391.patch @@ -0,0 +1,4234 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..f48fc7f7e80 +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 51d4f724c33..feb0bcf3e75 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_X11 + + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + BASIC_JDKLIB_LIBS_TARGET="" +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index f6def153c82..4d7abc33427 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 9e5cfe2d0fc..434ade8e182 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 1e0f66726d0..59fe923f2c5 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index 10093137151..b023c63ae58 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); + +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 671529f71a1..af632936921 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -34,6 +34,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -58,6 +59,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -75,6 +81,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -96,6 +115,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -116,6 +136,61 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ public final class Security { + + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..9d26a54f5d4 +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index 919d758a6e3..b1e5fbaf84a 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -43,6 +43,7 @@ import java.io.PrintStream; + import java.io.PrintWriter; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -90,6 +91,7 @@ public class SharedSecrets { + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -537,4 +539,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 06b141dcf22..e8cbf7f15d7 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -158,6 +158,7 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index f036a411f1d..1e9de933bd9 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetBooleanAction; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -102,89 +107,92 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- attrs.remove("KeySize"); ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -213,44 +223,46 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); +- +- /* +- * Digest engines +- */ +- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", +- attrs); +- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", +- attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", ++ attrs); ++ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", ++ attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index 539ef1e8ee8..435f57e3ff2 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 5149edba0e5..8227d650a03 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -85,6 +85,17 @@ security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -332,6 +384,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index 86d45147709..22fd8675503 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..48d6d656a28 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index c3b412885a6..0e7ce73b158 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length { + @Serial + private static final long serialVersionUID = -2575874101938349339L; + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final String PUBLIC = "public"; + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + return switch (algorithm) { + case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { + this.clear(); + } + } +- +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 5cd6828d293..bae49c4e8a9 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + static final Debug debug = Debug.getInstance("sunpkcs11"); + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance( ++ library, functionList, initArgs, ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { + } else { + initArgs.flags = 0; + } +- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, +- config.getOmitInitialize()); ++ tmpPKCS11 = PKCS11.getInstance(library, ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (!token.isValid()) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index a6f5f0a8764..9a07c96ca4e 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; + */ + final class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + @Serial + private static final long serialVersionUID = 2541527649100571747L; +@@ -125,6 +129,10 @@ final class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -242,7 +250,12 @@ final class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (!isLoggedIn(session)) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 4b06daaf264..55e14945469 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.AccessController; +@@ -174,18 +177,43 @@ public class PKCS11 { + return version; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } ++} + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index 920422376f8..6aa308fa5f8 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; + } + ++ /** ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. ++ */ ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. +diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 7f8c4dba002..e65b11fc3ee 100644 +--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { + putXDHEntries(); + putEdDSAEntries(); + +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/java-21-openjdk-portable.spec b/java-21-openjdk-portable.spec new file mode 100644 index 0000000..fd2a77e --- /dev/null +++ b/java-21-openjdk-portable.spec @@ -0,0 +1,2303 @@ +# debug_package %%{nil} is portable-jdks specific +%define debug_package %{nil} + +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-21-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-21-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# This is RHEL 7 specific as it doesn't seem to have the +# __brp_strip_static_archive macro. +%define __os_install_post %{nil} + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libsvml.so) +%global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else +%global gdb_arches %{jit_arches} %{zero_arches} +%endif + +# By default, we build a slowdebug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. +%global bootstrap_targets images %{static_libs_target} legacy-jre-image +%global release_targets images docs-zip %{static_libs_target} legacy-jre-image +# No docs nor bootcycle for debug builds +%global debug_targets images %{static_libs_target} legacy-jre-image +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# DTS toolset to use to provide gcc & binutils +%global dtsversion 10 + +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 21 +%global interimver 0 +%global updatever 3 +%global patchver 0 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver %{featurever} +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease}) + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 0a42e29b391 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{vcstag} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 9 +%global rpmrelease 1 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global ea_designator "" +%global ea_designator_zip %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# portable only declarations +%global jreimage jre +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g") +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on +# top of the JDK archive +%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +} + +%define java_devel_rpo() %{expand: +} + +%define java_static_libs_rpo() %{expand: +} + +%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 +# Define the architectures on which we build +ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 +# Define the OS this package is built on +%undefine pkgos + +Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 + +# portables have grown out of its component, moving back to java-x-vendor +# this expression, when declared as global, filled component with java-x-vendor portable +%define component %(echo %{name} | sed "s;-portable%{?pkgos:-%{pkgos}};;g") + +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + +# The source tarball, generated using generate_source_tarball.sh +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_designator_zip}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (6.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +# Disabled in portables +#Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# Source code for alt-java +Source11: alt-java.c + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# Crypto policy and FIPS support patches +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] +# RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +# Currently empty + +############################################# +# +# OpenJDK patches which missed last update +# +############################################# + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: file +BuildRequires: fontconfig-devel +# BuildRequires: devtoolset-%{dtsversion}-gcc +# BuildRequires: devtoolset-%{dtsversion}-gcc-c++ +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.fips.cfg +BuildRequires: nss-devel +# Requirement for system security property test +# N/A for portable. RHEL7 doesn't provide them +#BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +# to pack portable tarballs +BuildRequires: tar +BuildRequires: unzip +BuildRequires: javapackages-tools +BuildRequires: java-%{buildjdkver}-%{origin}%{?pkgos:-%{pkgos}}-devel +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# Full documentation build requirements +# pandoc is not available on RHEL 7 +%if 0%{?rhel} >= 8 +BuildRequires: graphviz +BuildRequires: pandoc +%endif +# 2024a required as of JDK-8325150 +# Use 2023d until 2024a is in the buildroot +BuildRequires: tzdata-java >= 2023d +# cacerts build requirement in portable mode +BuildRequires: ca-certificates +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.2 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 8.2.2 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.15.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.40 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment - portable edition. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment - portable edition. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment portable edition +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools - portable edition. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools - portable edition. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Tools +%endif + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking - portable edition. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking - portable edition +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} + +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. + +%prep + +echo "Preparing %{oj_vendor_version}" + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?_build_cpu:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{_build_cpu}" +%else + %{error:Unrecognised architecture %{_build_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + +export XZ_OPT="-T0" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} +%endif + +# Patch the JDK +# This syntax is deprecated: +# %patchN [...] +# and should be replaced with: +# %patch -PN [...] +# For example: +# %patch1001 -p1 +# becomes: +# %patch -P1001 -p1 +# The replacement format suggested by recent (circa Fedora 38) RPM +# deprecation messages: +# %patch N [...] +# is not backward-compatible with prior (circa RHEL-8) versions of +# rpmbuild. +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch -P1001 -p1 +popd # openjdk + + +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + exit 17 +fi + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + sed -i -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# Portables do not have desktop integration + +%build + +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif +export XZ_OPT="-T0" + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +# Set modification times (mtimes) of files within JAR files generated +# by the OpenJDK build to a timestamp that is constant across RPM +# rebuilds. OpenJDK provides the --with-source-date configure option +# for this purpose. Potential arguments in the RPM build context are: +# +# A) --with-source-date="${SOURCE_DATE_EPOCH}" +# B) --with-source-date=version +# C) --with-source-date="${OPENJDK_UPSTREAM_TAG_EPOCH}" +# +# Consider Option A. Fedora 38 (rpm-4.18.2) and RHEL-8 (rpm-4.14.3) +# have different support for SOURCE_DATE_EPOCH. To keep +# SOURCE_DATE_EPOCH constant across RPM rebuilds, one could set the +# source_date_epoch_from_changelog macro to 1 on both Fedora 38 and +# RHEL-8. However, on RHEL-8, this results in the RPM build times +# being set to the timestamp of the most recent changelog. This is +# bad for tracing when RPMs were actually built. Fedora 38 supports a +# better behaviour via the introduction of the +# use_source_date_epoch_as_buildtime macro, set to 0 by default. +# There is no way to make this work on RHEL-8 as well though, so +# option A is suboptimal. +# +# Option B uses the value of the DEFAULT_VERSION_DATE field from +# make/conf/version-numbers.conf. DEFAULT_VERSION_DATE represents the +# aspirational eventual JDK general availability (GA) release date. +# When the RPM build occurs prior to GA, generated JAR files will have +# payload mtimes in the future relative to the RPM build time. +# Whereas for tarballs some tools will issue warnings about future +# mtimes, per OPENJDK-2583 apparently this is no problem for Java and +# JAR files. +# +# Option C uses the modification timestamp of files in the source +# tarball. The reproducibility logic in generate_source_tarball.sh +# sets them all to the commit time of the release-tagged OpenJDK +# commit, as archived in the tarball. This timestamp is deterministic +# across RPM rebuilds and is reliably in the past. Any file's mtime +# will do, so use version-numbers.conf's. +# +# Use option B for JAR files, based on the discussion in OPENJDK-2583. +# +# For portable tarballs, use option C (OPENJDK_UPSTREAM_TAG_EPOCH) for +# the modification times of all files in the portable tarballs. Doing +# so eliminates one source of variability across RPM rebuilds. +VERSION_FILE="$(pwd)"/"%{top_level_dir_name}"/make/conf/version-numbers.conf +OPENJDK_UPSTREAM_TAG_EPOCH="$(stat --format=%Y "${VERSION_FILE}")" + +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} +echo "Generating %{alt_java_name} man page" +altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1 +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage} +cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage} + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + local debug_symbols=${6} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build + bash -c "bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif + --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \ + --with-version-build=%{buildver} \ + --with-version-pre=\"%{ea_designator}\" \ + --with-version-opt=\"%{lts_designator}\" \ + --with-vendor-version-string=\"%{oj_vendor_version}\" \ + --with-vendor-name=\"%{oj_vendor}\" \ + --with-vendor-url=\"%{oj_vendor_url}\" \ + --with-vendor-bug-url=\"%{oj_vendor_bug_url}\" \ + --with-vendor-vm-bug-url=\"%{oj_vendor_bug_url}\" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="${debug_symbols}" \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags=\"$EXTRA_CPP_FLAGS\" \ + --with-extra-cflags=\"$EXTRA_CFLAGS\" \ + --with-extra-ldflags=\"%{ourldflags}\" \ + --with-num-cores=\"$NUM_PROC\" \ + --with-source-date=\"version\" \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors" + + cat spec.gmk + bash -c "make LOG=trace $maketargets || \ + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false )" + popd +} + +function stripjdk() { + local outputdir=${1} + local jdkimagepath=${outputdir}/images/%{jdkimage} + local jreimagepath=${outputdir}/images/%{jreimage} + local jmodimagepath=${outputdir}/images/jmods + local supportdir=${outputdir}/support + local modulebuildpath=${outputdir}/jdk/modules + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkimagepath}{,.unstripped} + + # Strip the files + for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} ${modulebuildpath} -type f) ; do + if file ${file} | cut -d ':' -f 2 | grep -q 'ELF'; then + noextfile=${file/.so/}; + bash -c "objcopy --only-keep-debug ${file} ${noextfile}.debuginfo"; + bash -c "objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}"; + bash -c "strip -g ${file}"; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! -d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + for cmd in $(find ${supportdir} -name '*.jmod_exec.cmdline') ; do + pre=${cmd/_exec/_pre}; + post=${cmd/_exec/_post}; + jmod=$(echo ${cmd}|sed 's#.*_create_##'|sed 's#_exec.cmdline##') + echo "Rebuilding ${jmod} against stripped binaries..."; + if [ -e ${pre} ] ; then + echo "Executing ${pre}..."; + cat ${pre} | sh -s ; + fi + echo "Executing ${cmd}..."; + cat ${cmd} | sh -s ; + if [ -e ${post} ] ; then + echo "Executing ${post}..."; + cat ${post} | sh -s ; + fi + done + rm -rf ${jdkimagepath}/jmods + cp -a ${jmodimagepath} ${jdkimagepath} + fi +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + # legacy-jre-image target does not install any man pages for the JRE + # We copy the jdk man directory and then remove pages for binaries that + # don't exist in the JRE + cp -a ${jdkimagepath}/man ${jreimagepath} + for manpage in $(find ${jreimagepath}/man -name '*.1'); do + filename=$(basename ${manpage}); + binary=${filename/.1/}; + if [ ! -f ${jreimagepath}/bin/${binary} ] ; then + echo "Removing ${manpage} from JRE for which no binary ${binary} exists"; + rm -f ${manpage}; + fi; + done + + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + + # Print release information + cat ${imagepath}/release + fi + done +} + +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +# Create a reproducible tarball in an appropriate way for +# the version of tar in use +function createtar() { + local directory=${1} + local archive=${2} + local filter=${3} + local transform=${4} + + if [ "x${filter}" != "x" ] ; then + local filteroption="-name ${filter}"; + fi + if [ "x${transform}" != "x" ] ; then + local transoption="--transform ${transform}"; + fi + + local common_tar_opts="--owner=0 --group=0 --numeric-owner \ + ${transoption} --create --xz" + # Capture tar version, removing the decimal point (so 1.28 => 128) + tarver=$(tar --version|head -n1|sed -re 's|tar \(GNU tar\) ([0-9]).([0-9]*)|\1\2|') + echo "Detected tar ${tarver}" + if [ ${tarver} -gt 128 ] ; then + local tar_time="$(date --utc --iso-8601=seconds --date=@"${OPENJDK_UPSTREAM_TAG_EPOCH}")" + local tar_opts="--mtime=${tar_time} --sort=name ${common_tar_opts}" + if test "x${filteroption}" = "x"; then + tar ${tar_opts} --file ${archive} ${directory} + else + tar ${tar_opts} --file ${archive} $(find ${directory} ${filteroption}) + fi + else + # See https://reproducible-builds.org/docs/archives/ + # RHEL-7 has tar 1.26 which does not support --sort=name (added + # in 1.28), so use find-piped-through-sort instead. Omit + # --pax-option since it made the docs package not reproducible + # due to PaxHeaders timestamp differences. + local tar_opts="--mtime=@${OPENJDK_UPSTREAM_TAG_EPOCH} \ + --no-recursion --null --files-from - \ + ${common_tar_opts}" + find ${directory} ${filteroption} -print0 | \ + LC_ALL=C sort -z | \ + tar ${tar_opts} --file ${archive} + fi +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset + local altjavadir=$(pwd)/${3} + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + createtar ${jdkname} ${unstrippedarchive} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + createtar ${jdkname} ${debugarchive} \*.debuginfo + genchecksum ${debugarchive} + + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + createtar ${docname} ${docarchive} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname} + createtar ${miscname} ${miscarchive} + genchecksum ${miscarchive} + fi + + createtar ${jdkname} ${jdkarchive} + genchecksum ${jdkarchive} + + createtar ${jrename} ${jrearchive} + genchecksum ${jrearchive} + +%if %{include_staticlibs} + # Static libraries (needed for building graal vm with native image) + # Tar as overlay. Transform to the JDK name, since we just want to "add" + # static libraries to that folder + createtar "%{static_libs_image}/lib" ${staticarchive} "" \ + "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" + genchecksum ${staticarchive} +%endif + + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage} + + popd #images + +} + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Pre-test setup + +# System security properties are disabled by default on portable. +# Turn on system security properties +#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ +#${JAVA_HOME}/conf/security/java.security + +# Check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +# Specific to portable:System security properties to be off by default +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +%ifarch %{ssbd_arches} +nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl +%else +if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi +%endif + +%if ! 0%{?flatpak} +# Check translations are available for new timezones (during flatpak builds, the +# tzdb.dat used by this test is not where the test expects it, so this is +# disabled for flatpak builds) +# Disable test until we are on the latest JDK +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < - 1:21.0.3.0.9-1 +- Update to jdk-21.0.3+9 (GA) +- Update release notes to 21.0.3+9 +- Switch to GA mode. +- Change --with-source-date value to 'version' to match Temurin builds +- ** This tarball is embargoed until 2024-04-16 @ 1pm PT. ** +- Resolves: OPENJDK-2585 + +* Thu Apr 04 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 + +* Thu Mar 21 2024 Andrew Hughes - 1:21.0.3.0.1-0.2.ea +- generate_source_tarball.sh: Update examples in header for clarity +- generate_source_tarball.sh: Cleanup message issued when checkout already exists +- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP +- generate_source_tarball.sh: Only add --depth=1 on non-local repositories +- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch +- Move maintenance scripts to a scripts subdirectory +- discover_trees.sh: Set compile-command and indentation instructions for Emacs +- discover_trees.sh: shellcheck: Do not use -o (SC2166) +- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- discover_trees.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: Add authorship +- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs +- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086) +- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: Set compile-command and indentation instructions for Emacs +- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086) +- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196) +- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST +- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086) +- Vary reproducible tar creation by version of tar detected +- Set OPENJDK_UPSTREAM_TAG_EPOCH & VERSION_FILE at start of build section as in 17u +- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck + +* Wed Mar 20 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Fix -ea logic to add dash +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268) +- generate_source_tarball.sh: shellcheck: Double-quote variable references (SC2086) +- generate_source_tarball.sh: shellcheck: Do not use -a (SC2166) +- generate_source_tarball.sh: shellcheck: Do not use $ on arithmetic variables (SC2004) +- Use backward-compatible patch syntax +- generate_source_tarball.sh: Ignore -ga tags with OPENJDK_LATEST +- generate_source_tarball.sh: Fix whitespace +- generate_source_tarball.sh: Remove trailing period in echo +- generate_source_tarball.sh: Use long-style argument to grep +- generate_source_tarball.sh: Add license +- generate_source_tarball.sh: Add indentation instructions for Emacs +- Remove -T0 argument from systemtap tar invocation + +* Mon Mar 11 2024 Andrew Hughes - 1:21.0.3.0.1-0.2.ea +- Introduce tar_opts to avoid repetition of lengthy tar creation options +- Add module build path to stripped directories to catch jpackageapplauncher files +- Move alt-java man page to the misc tarball so it is not in the JDK image +- Resolves: OPENJDK-2820 +- Resolves: OPENJDK-2821 + +* Thu Feb 08 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea +- Invoke xz in multi-threaded mode +- Remove ppc64le with-jobs=1 workaround +- Make portable tarball modification times reproducible +- Use RHEL-7 tar-1.26-compatible invocations for reproducible tarballs + +* Fri Feb 02 2024 Andrew Hughes - 1:21.0.3.0.1-0.1.ea +- Update to jdk-21.0.3+1 (EA) +- Update release notes to 21.0.3+1 +- Switch to EA mode +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 +- Bump FreeType version to 2.13.2 following JDK-8316028 + +* Sat Jan 27 2024 Andrew Hughes - 1:21.0.2.0.13-2 +- Sync with upstream release notes + +* Tue Jan 09 2024 Andrew Hughes - 1:21.0.2.0.13-1 +- Update to jdk-21.0.2+13 (GA) +- Update release notes to 21.0.2+13 +- Drop no longer needed local patch to fix versioning +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Mon Jan 08 2024 Andrew Hughes - 1:21.0.2.0.12-1 +- Update to jdk-21.0.2+12 (GA) +- Update release notes to 21.0.2+12 +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Sat Jan 06 2024 Andrew Hughes - 1:21.0.2.0.11-1 +- Update to jdk-21.0.2+11 (GA) +- Update release notes to 21.0.2+11 +- Bump libpng version to 1.6.40 following JDK-8316030 +- Bump HarfBuzz version to 8.2.2 following JDK-8313643 +- Drop local JDK-8311630 patch which is now upstream +- Locally patch versioning to be 21.0.2 released on 2014-01-16 +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Mon Nov 06 2023 Andrew Hughes - 1:21.0.1.0.12-2 +- Include JDK-8311630 patch to implement Foreign Function & Memory preview API on s390x + +* Sun Oct 29 2023 Andrew Hughes - 1:21.0.1.0.12-1 +- Update to jdk-21.0.1.0+12 (GA) +- Update release notes to 21.0.1.0+12 +- Update openjdk_news script to specify subdirectory last +- Add missing discover_trees script required by openjdk_news +- Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng) +- Sync generate_tarball.sh with 11u & 17u version +- Update bug URL for RHEL to point to the Red Hat customer portal +- Fix upstream release URL for OpenJDK source +- Update buildjdkver to match the featurever +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Fix typo which stops the EA designator being included in the build +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation +- Rebuild jmods using the stripped binaries in release builds +- Make sure the unstripped JDK is customised by the installjdk function + +* Sat Oct 28 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update documentation (README.md) +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Fix trailing '.' in tarball name +- Use rpmrelease in vendor version to avoid inclusion of dist tag +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 patch any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed + +* Sat Oct 28 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: rhbz#2192749 + +* Fri Oct 27 2023 Andrew Hughes - 1:20.0.2.0.9-1.1 +- Update to jdk-20.0.2+9 +- Update release notes to 20.0.2+9 +- Update system crypto policy & FIPS patch from new fips-20u tree +- Update generate_tarball.sh ICEDTEA_VERSION +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Related: rhbz#2192749 + +* Fri Oct 27 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: rhbz#2192749 + +* Fri Oct 27 2023 Andrew Hughes - 1:19.0.1.0.10-1 +- Update to jdk-19.0.2 release +- Update release notes to 19.0.2 +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 +- Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag +- Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases +- Related: rhbz#2192749 + +* Tue Oct 24 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Update release notes to actually reflect OpenJDK 18 +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Switch bootjdkver to java-21-openjdk +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Drop bootstrap JDKs and use the java-21-openjdk-rhel7 build +- Related: rhbz#2192749 + +* Tue Oct 24 2023 Petra Alice Mikova - 1:18.0.0.0.37-1 +- Update to ea version of jdk18 +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch + +* Tue Aug 22 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Define architectures we build on to avoid those without DTS 10 (e.g. s390) + +* Tue Aug 22 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Switch to DTS 10 +- Related: rhbz#2192749 + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Create java-21-openjdk-portable package based on java-17-openjdk-portable +- Related: rhbz#2192749 + +* Thu Apr 13 2023 Andrew Hughes - 1:17.0.7.0.7-1 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Reintroduce generate_source_tarball.sh from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2134669 +- Resolves: rhbz#1940064 +- Resolves: rhbz#2173781 + +* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Add docs, icons and samples to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a subdirectory of images, so remove confusing separate copying + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Drop unused static library patch +- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago + +* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing +- Workaround missing manpage directory in the JRE image + +* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2118493 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Resolves: rhbz#2160111 + +* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- Related: rhbz#2160111 + +* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode +- Resolves: rhbz#2123579 +- Resolves: rhbz#2123580 +- Resolves: rhbz#2123581 +- Resolves: rhbz#2123583 +- Resolves: rhbz#2123584 + +* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1 +- Added a missing change to portable NEWS file from upstream. + +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +- Update to jdk-17.0.4.1+1 +- Update release notes to 17.0.4.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119532 + +* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1 +- Commented out: fipsver f8142a23d0a which was from rhel-9-main +- Picked 17.0.4+8 GA tag from rhel-9.0.0 +- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0 + +* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.4.0+8 (GA) +- Update release notes to 17.0.4.0+8 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. ** + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084779 + +* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea +- Tweaked line to print release information for portable + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it +- Related: rhbz#2084218 + +* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8 +- Comment line for portable: System security properties to be off by default + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102433 + +* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. + +* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 + +* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6 +- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + +* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4 +- to pass aqa, fixing genuie failure in : +- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions +- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions +- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch +- this, properly named, patch must go to all our jdk17 builds, and to the fips repo + +* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2 +- Include BOOT_JDK for s390x for portable +- BOOT_JDK downlaoded form hydra as + java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz + and renamed +- Added cosmetic changes to bypass a failure for s390x + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Remove JDK-8284548 and JDK-8284920 they are upstreamed now +- Resolves: rhbz#2073579 + +* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3 +- Add JDK-8284920 fix for XPath regression +- Related: rhbz#2073575 + +* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 +- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit +- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 +- Related: rhbz#2073575 + +* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- JDK-8283911 patch no longer needed now we're GA... +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** +- Resolves: rhbz#2073575 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 + +* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10 +- Update icedtea_sync.sh with suitable message for portable + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +- Correction to previous changelog entry +- Resolves: rhbz#2052070 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2051605 + +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +- January 2022 security update to jdk 17.0.2+8 +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java +- Resolves: rhbz#2039366 +- Minor change to the OUTPUT_FILE value to separate the name from the version with '-' + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- October CPU update to jdk 17.0.1+12 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Add patch to allow plain key import. + +* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started + +* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4 +- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7 diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh new file mode 100644 index 0000000..25c2fc8 --- /dev/null +++ b/remove-intree-libraries.sh @@ -0,0 +1,164 @@ +#!/bin/sh + +# Arguments: +TREE=${1} +TYPE=${2} + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} + +echo "Removing built-in libs (they will be linked)" + +# On full runs, allow for zlib & freetype having already been deleted by minimal +echo "Removing zlib" +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} + +# Minimal is limited to just zlib and freetype so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h -- Gitee From d6b3679024d93dfc93ffb39ddc33502a2595c868 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Mon, 8 Jul 2024 15:51:20 +0800 Subject: [PATCH 2/2] Use anolis dist Signed-off-by: Zhao Hang --- java-21-openjdk-portable.spec | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/java-21-openjdk-portable.spec b/java-21-openjdk-portable.spec index fd2a77e..df2cc5e 100644 --- a/java-21-openjdk-portable.spec +++ b/java-21-openjdk-portable.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # debug_package %%{nil} is portable-jdks specific %define debug_package %{nil} @@ -430,9 +431,9 @@ %define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} # portable only declarations %global jreimage jre -%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") -%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") -%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g") +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable%{1}.static-libs;g") %define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} %define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} %define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} @@ -441,9 +442,9 @@ # Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on # top of the JDK archive %define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} -%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable.docs;g") %define docportablearchive() %{docportablename}.tar.xz -%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;an%{anolis}\\(_[0-9]\\)*;portable.misc;g") %define miscportablearchive() %{miscportablename}.tar.xz ################################################################# @@ -524,7 +525,7 @@ ExclusiveArch: %{aarch64} %{ppc64le} s390x x86_64 Name: java-%{javaver}-%{origin}-portable%{?pkgos:-%{pkgos}} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{anolis_release}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1785,6 +1786,9 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Mon Jul 08 2024 Zhao Hang - 1:21.0.3.0.9.0.1-1 +- Use anolis dist + * Sat Apr 13 2024 Andrew Hughes - 1:21.0.3.0.9-1 - Update to jdk-21.0.3+9 (GA) - Update release notes to 21.0.3+9 -- Gitee