commit 3a4b9756dc12909e122ad33c2cd9d778b7a43dbb9740d8a12c35c71f44e80fbd Author: Fridrich Strba Date: Wed Jan 22 10:44:44 2025 +0000 OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=146 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/JDK-8303509.patch b/JDK-8303509.patch new file mode 100644 index 0000000..3a5e363 --- /dev/null +++ b/JDK-8303509.patch @@ -0,0 +1,107 @@ +--- jdk17/src/java.base/share/classes/sun/nio/ch/Net.java 2023-04-19 08:11:27.942170484 +0200 ++++ jdk17/src/java.base/share/classes/sun/nio/ch/Net.java 2023-04-26 14:03:06.115523856 +0200 +@@ -109,8 +108,8 @@ + /** + * Tells whether both IPV6_XXX and IP_XXX socket options should be set on + * IPv6 sockets. On some kernels, both IPV6_XXX and IP_XXX socket options +- * need to be set so that the settings are effective for IPv4 multicast +- * datagrams sent using the socket. ++ * need to be set so that the settings are effective for IPv4 connections ++ * and datagrams. + */ + static boolean shouldSetBothIPv4AndIPv6Options() { + return shouldSetBothIPv4AndIPv6Options0(); +@@ -455,6 +454,23 @@ + setIntOption0(fd, mayNeedConversion, key.level(), key.name(), arg, isIPv6); + } + ++ /** ++ * Sets a IPPROTO_IPV6/IPPROTO level socket. Some platforms require both ++ * IPPROTO_IPV6 and IPPROTO socket options to be set when the socket is IPv6. ++ * In that case, the IPPROTO socket option is set on a best effort basis. ++ */ ++ static void setIpSocketOption(FileDescriptor fd, ProtocolFamily family, ++ SocketOption opt, T value) ++ throws IOException ++ { ++ setSocketOption(fd, family, opt, value); ++ if (family == StandardProtocolFamily.INET6 && shouldSetBothIPv4AndIPv6Options()) { ++ try { ++ setSocketOption(fd, StandardProtocolFamily.INET, opt, value); ++ } catch (IOException ignore) { } ++ } ++ } ++ + static Object getSocketOption(FileDescriptor fd, SocketOption name) + throws IOException + { +@@ -489,7 +505,7 @@ + } + } + +- public static boolean isFastTcpLoopbackRequested() { ++ private static boolean isFastTcpLoopbackRequested() { + String loopbackProp = GetPropertyAction + .privilegedGetProperty("jdk.net.useFastTcpLoopback", "false"); + return loopbackProp.isEmpty() ? true : Boolean.parseBoolean(loopbackProp); +--- jdk17/src/java.base/share/classes/sun/nio/ch/NioSocketImpl.java 2023-04-19 08:11:27.942170484 +0200 ++++ jdk17/src/java.base/share/classes/sun/nio/ch/NioSocketImpl.java 2023-04-26 14:03:06.115523856 +0200 +@@ -959,8 +959,8 @@ + synchronized (stateLock) { + ensureOpen(); + if (opt == StandardSocketOptions.IP_TOS) { +- // maps to IP_TOS or IPV6_TCLASS +- Net.setSocketOption(fd, family(), opt, value); ++ // maps to IPV6_TCLASS and/or IP_TOS ++ Net.setIpSocketOption(fd, family(), opt, value); + } else if (opt == StandardSocketOptions.SO_REUSEADDR) { + boolean b = (boolean) value; + if (Net.useExclusiveBind()) { +@@ -1034,7 +1034,7 @@ + } + case IP_TOS: { + int i = intValue(value, "IP_TOS"); +- Net.setSocketOption(fd, family(), StandardSocketOptions.IP_TOS, i); ++ Net.setIpSocketOption(fd, family(), StandardSocketOptions.IP_TOS, i); + break; + } + case TCP_NODELAY: { +--- jdk17/src/java.base/share/classes/sun/nio/ch/SocketChannelImpl.java 2023-04-19 08:11:27.942170484 +0200 ++++ jdk17/src/java.base/share/classes/sun/nio/ch/SocketChannelImpl.java 2023-04-26 14:03:06.115523856 +0200 +@@ -265,8 +265,8 @@ + + if (isNetSocket()) { + if (name == StandardSocketOptions.IP_TOS) { +- // special handling for IP_TOS +- Net.setSocketOption(fd, family, name, value); ++ // maps to IPV6_TCLASS and/or IP_TOS ++ Net.setIpSocketOption(fd, family, name, value); + return this; + } + if (name == StandardSocketOptions.SO_REUSEADDR && Net.useExclusiveBind()) { +--- jdk17/src/java.base/unix/native/libnio/ch/Net.c 2023-04-19 08:11:27.974170704 +0200 ++++ jdk17/src/java.base/unix/native/libnio/ch/Net.c 2023-04-26 14:03:06.115523856 +0200 +@@ -159,10 +159,10 @@ + Java_sun_nio_ch_Net_shouldSetBothIPv4AndIPv6Options0(JNIEnv* env, jclass cl) + { + #if defined(__linux__) +- /* Set both IPv4 and IPv6 socket options when setting multicast options */ ++ /* Set both IPv4 and IPv6 socket options when setting IPPROTO_IPV6 options */ + return JNI_TRUE; + #else +- /* Do not set both IPv4 and IPv6 socket options when setting multicast options */ ++ /* Do not set both IPv4 and IPv6 socket options when setting IPPROTO_IPV6 options */ + return JNI_FALSE; + #endif + } +--- jdk17/src/java.base/windows/native/libnio/ch/Net.c 2023-04-19 08:11:27.978170731 +0200 ++++ jdk17/src/java.base/windows/native/libnio/ch/Net.c 2023-04-26 14:03:06.115523856 +0200 +@@ -126,7 +126,7 @@ + JNIEXPORT jboolean JNICALL + Java_sun_nio_ch_Net_shouldSetBothIPv4AndIPv6Options0(JNIEnv* env, jclass cl) + { +- /* Set both IPv4 and IPv6 socket options when setting multicast options */ ++ /* Set both IPv4 and IPv6 socket options when setting IPPROTO_IPV6 options */ + return JNI_TRUE; + } + diff --git a/PStack-808293.patch b/PStack-808293.patch new file mode 100644 index 0000000..fde02d1 --- /dev/null +++ b/PStack-808293.patch @@ -0,0 +1,33 @@ +--- jdk10/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/tools/PStack.java 2016-01-21 19:16:09.000000000 +0100 ++++ jdk10/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/tools/PStack.java 2016-01-29 15:49:47.815913736 +0100 +@@ -101,7 +102,8 @@ + if (jthread != null) { + jthread.printThreadInfoOn(out); + } +- while (f != null) { ++ int maxStack = 256; ++ while (f != null && maxStack-- > 0) { + ClosestSymbol sym = f.closestSymbolToPC(); + Address pc = f.pc(); + out.print(pc + "\t"); +@@ -183,10 +185,19 @@ + } + } + } ++ Address oldPC = f.pc(); ++ Address oldFP = f.localVariableBase(); + f = f.sender(th); ++ if (f != null ++ && oldPC.equals(f.pc()) ++ && oldFP.equals(f.localVariableBase())) { ++ // We didn't make any progress ++ f = null; ++ } + } + } catch (Exception exp) { +- exp.printStackTrace(); ++ // exp.printStackTrace(); ++ out.println("bad stack: " + exp); + // continue, may be we can do a better job for other threads + } + if (concurrentLocks) { diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..325a89c --- /dev/null +++ b/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..ca7fe59 --- /dev/null +++ b/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/_constraints b/_constraints new file mode 100644 index 0000000..03d1b24 --- /dev/null +++ b/_constraints @@ -0,0 +1,10 @@ + + + + 4096 + + + 20 + + + diff --git a/adlc-parser.patch b/adlc-parser.patch new file mode 100644 index 0000000..43e69fc --- /dev/null +++ b/adlc-parser.patch @@ -0,0 +1,10 @@ +--- jdk10/src/hotspot/share/adlc/formsopt.cpp 2014-07-03 21:56:12.000000000 +0200 ++++ jdk10/src/hotspot/share/adlc/formsopt.cpp 2014-07-14 11:43:21.900408570 +0200 +@@ -445,6 +445,7 @@ + _return_value = NULL; + _c_return_value = NULL; + _interpreter_frame_pointer_reg = NULL; ++ _cisc_spilling_operand_name = NULL; + } + + FrameForm::~FrameForm() { diff --git a/config.guess b/config.guess new file mode 100644 index 0000000..54bbfc1 --- /dev/null +++ b/config.guess @@ -0,0 +1,1803 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright 1992-2023 Free Software Foundation, Inc. + +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2023-07-20' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). +# +# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. +# +# You can get the latest version of this script from: +# https://git.savannah.gnu.org/cgit/config.git/plain/config.guess +# +# Please send patches to . + + +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of the system '$me' is run on. + +Options: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.guess ($timestamp) + +Originally written by Per Bothner. +Copyright 1992-2023 Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try '$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +# Just in case it came from the environment. +GUESS= + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still +# use 'HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. + +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 + +set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039,SC3028 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then + CC_FOR_BUILD=$driver + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if test -f /.attbin/uname ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +case $UNAME_SYSTEM in +Linux|GNU|GNU/*) + LIBC=unknown + + set_cc_for_build + cat <<-EOF > "$dummy.c" + #include + #if defined(__UCLIBC__) + LIBC=uclibc + #elif defined(__dietlibc__) + LIBC=dietlibc + #elif defined(__GLIBC__) + LIBC=gnu + #else + #include + /* First heuristic to detect musl libc. */ + #ifdef __DEFINED_va_list + LIBC=musl + #endif + #endif + EOF + cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "$cc_set_libc" + + # Second heuristic to detect musl libc. + if [ "$LIBC" = unknown ] && + command -v ldd >/dev/null && + ldd --version 2>&1 | grep -q ^musl; then + LIBC=musl + fi + + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + if [ "$LIBC" = unknown ]; then + LIBC=gnu + fi + ;; +esac + +# Note: order is significant - the case branches are not exclusive. + +case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + echo unknown)` + case $UNAME_MACHINE_ARCH in + aarch64eb) machine=aarch64_be-unknown ;; + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; + *) machine=$UNAME_MACHINE_ARCH-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently (or will in the future) and ABI. + case $UNAME_MACHINE_ARCH in + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ELF__ + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # Determine ABI tags. + case $UNAME_MACHINE_ARCH in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case $UNAME_VERSION in + Debian*) + release='-gnu' + ;; + *) + release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. + GUESS=$machine-${os}${release}${abi-} + ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-bitrig$UNAME_RELEASE + ;; + *:OpenBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-openbsd$UNAME_RELEASE + ;; + *:SecBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/SecBSD.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-secbsd$UNAME_RELEASE + ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-libertybsd$UNAME_RELEASE + ;; + *:MidnightBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-midnightbsd$UNAME_RELEASE + ;; + *:ekkoBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-ekkobsd$UNAME_RELEASE + ;; + *:SolidBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-solidbsd$UNAME_RELEASE + ;; + *:OS108:*:*) + GUESS=$UNAME_MACHINE-unknown-os108_$UNAME_RELEASE + ;; + macppc:MirBSD:*:*) + GUESS=powerpc-unknown-mirbsd$UNAME_RELEASE + ;; + *:MirBSD:*:*) + GUESS=$UNAME_MACHINE-unknown-mirbsd$UNAME_RELEASE + ;; + *:Sortix:*:*) + GUESS=$UNAME_MACHINE-unknown-sortix + ;; + *:Twizzler:*:*) + GUESS=$UNAME_MACHINE-unknown-twizzler + ;; + *:Redox:*:*) + GUESS=$UNAME_MACHINE-unknown-redox + ;; + mips:OSF1:*.*) + GUESS=mips-dec-osf1 + ;; + alpha:OSF1:*:*) + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + trap '' 0 + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case $ALPHA_CPU_TYPE in + "EV4 (21064)") + UNAME_MACHINE=alpha ;; + "EV4.5 (21064)") + UNAME_MACHINE=alpha ;; + "LCA4 (21066/21068)") + UNAME_MACHINE=alpha ;; + "EV5 (21164)") + UNAME_MACHINE=alphaev5 ;; + "EV5.6 (21164A)") + UNAME_MACHINE=alphaev56 ;; + "EV5.6 (21164PC)") + UNAME_MACHINE=alphapca56 ;; + "EV5.7 (21164PC)") + UNAME_MACHINE=alphapca57 ;; + "EV6 (21264)") + UNAME_MACHINE=alphaev6 ;; + "EV6.7 (21264A)") + UNAME_MACHINE=alphaev67 ;; + "EV6.8CB (21264C)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8AL (21264B)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8CX (21264D)") + UNAME_MACHINE=alphaev68 ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE=alphaev69 ;; + "EV7 (21364)") + UNAME_MACHINE=alphaev7 ;; + "EV7.9 (21364A)") + UNAME_MACHINE=alphaev79 ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + OSF_REL=`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + GUESS=$UNAME_MACHINE-dec-osf$OSF_REL + ;; + Amiga*:UNIX_System_V:4.0:*) + GUESS=m68k-unknown-sysv4 + ;; + *:[Aa]miga[Oo][Ss]:*:*) + GUESS=$UNAME_MACHINE-unknown-amigaos + ;; + *:[Mm]orph[Oo][Ss]:*:*) + GUESS=$UNAME_MACHINE-unknown-morphos + ;; + *:OS/390:*:*) + GUESS=i370-ibm-openedition + ;; + *:z/VM:*:*) + GUESS=s390-ibm-zvmoe + ;; + *:OS400:*:*) + GUESS=powerpc-ibm-os400 + ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + GUESS=arm-acorn-riscix$UNAME_RELEASE + ;; + arm*:riscos:*:*|arm*:RISCOS:*:*) + GUESS=arm-unknown-riscos + ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + GUESS=hppa1.1-hitachi-hiuxmpp + ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + case `(/bin/universe) 2>/dev/null` in + att) GUESS=pyramid-pyramid-sysv3 ;; + *) GUESS=pyramid-pyramid-bsd ;; + esac + ;; + NILE*:*:*:dcosx) + GUESS=pyramid-pyramid-svr4 + ;; + DRS?6000:unix:4.0:6*) + GUESS=sparc-icl-nx6 + ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) GUESS=sparc-icl-nx7 ;; + esac + ;; + s390x:SunOS:*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$UNAME_MACHINE-ibm-solaris2$SUN_REL + ;; + sun4H:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-hal-solaris2$SUN_REL + ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris2$SUN_REL + ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + GUESS=i386-pc-auroraux$UNAME_RELEASE + ;; + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) + set_cc_for_build + SUN_ARCH=i386 + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. + if test "$CC_FOR_BUILD" != no_compiler_found; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + SUN_ARCH=x86_64 + fi + fi + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$SUN_ARCH-pc-solaris2$SUN_REL + ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris3$SUN_REL + ;; + sun4*:SunOS:*:*) + case `/usr/bin/arch -k` in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like '4.1.3-JL'. + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'` + GUESS=sparc-sun-sunos$SUN_REL + ;; + sun3*:SunOS:*:*) + GUESS=m68k-sun-sunos$UNAME_RELEASE + ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 + case `/bin/arch` in + sun3) + GUESS=m68k-sun-sunos$UNAME_RELEASE + ;; + sun4) + GUESS=sparc-sun-sunos$UNAME_RELEASE + ;; + esac + ;; + aushp:SunOS:*:*) + GUESS=sparc-auspex-sunos$UNAME_RELEASE + ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + GUESS=m68k-milan-mint$UNAME_RELEASE + ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + GUESS=m68k-hades-mint$UNAME_RELEASE + ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + GUESS=m68k-unknown-mint$UNAME_RELEASE + ;; + m68k:machten:*:*) + GUESS=m68k-apple-machten$UNAME_RELEASE + ;; + powerpc:machten:*:*) + GUESS=powerpc-apple-machten$UNAME_RELEASE + ;; + RISC*:Mach:*:*) + GUESS=mips-dec-mach_bsd4.3 + ;; + RISC*:ULTRIX:*:*) + GUESS=mips-dec-ultrix$UNAME_RELEASE + ;; + VAX*:ULTRIX*:*:*) + GUESS=vax-dec-ultrix$UNAME_RELEASE + ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + GUESS=clipper-intergraph-clix$UNAME_RELEASE + ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && + dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`"$dummy" "$dummyarg"` && + { echo "$SYSTEM_NAME"; exit; } + GUESS=mips-mips-riscos$UNAME_RELEASE + ;; + Motorola:PowerMAX_OS:*:*) + GUESS=powerpc-motorola-powermax + ;; + Motorola:*:4.3:PL8-*) + GUESS=powerpc-harris-powermax + ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + GUESS=powerpc-harris-powermax + ;; + Night_Hawk:Power_UNIX:*:*) + GUESS=powerpc-harris-powerunix + ;; + m88k:CX/UX:7*:*) + GUESS=m88k-harris-cxux7 + ;; + m88k:*:4*:R4*) + GUESS=m88k-motorola-sysv4 + ;; + m88k:*:3*:R3*) + GUESS=m88k-motorola-sysv3 + ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110 + then + if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \ + test "$TARGET_BINARY_INTERFACE"x = x + then + GUESS=m88k-dg-dgux$UNAME_RELEASE + else + GUESS=m88k-dg-dguxbcs$UNAME_RELEASE + fi + else + GUESS=i586-dg-dgux$UNAME_RELEASE + fi + ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + GUESS=m88k-dolphin-sysv3 + ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + GUESS=m88k-motorola-sysv3 + ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + GUESS=m88k-tektronix-sysv3 + ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + GUESS=m68k-tektronix-bsd + ;; + *:IRIX*:*:*) + IRIX_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/g'` + GUESS=mips-sgi-irix$IRIX_REL + ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. + GUESS=romp-ibm-aix # uname -m gives an 8 hex-code CPU id + ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + GUESS=i386-ibm-aix + ;; + ia64:AIX:*:*) + if test -x /usr/bin/oslevel ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE + fi + GUESS=$UNAME_MACHINE-ibm-aix$IBM_REV + ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` + then + GUESS=$SYSTEM_NAME + else + GUESS=rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + GUESS=rs6000-ibm-aix3.2.4 + else + GUESS=rs6000-ibm-aix3.2 + fi + ;; + *:AIX:*:[4567]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if test -x /usr/bin/lslpp ; then + IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | \ + awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` + else + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE + fi + GUESS=$IBM_ARCH-ibm-aix$IBM_REV + ;; + *:AIX:*:*) + GUESS=rs6000-ibm-aix + ;; + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) + GUESS=romp-ibm-bsd4.4 + ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + GUESS=romp-ibm-bsd$UNAME_RELEASE # 4.3 with uname added to + ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + GUESS=rs6000-bull-bosx + ;; + DPX/2?00:B.O.S.:*:*) + GUESS=m68k-bull-sysv3 + ;; + 9000/[34]??:4.3bsd:1.*:*) + GUESS=m68k-hp-bsd + ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + GUESS=m68k-hp-bsd4.4 + ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + case $UNAME_MACHINE in + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if test -x /usr/bin/getconf; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case $sc_cpu_version in + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case $sc_kernel_bits in + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 + esac ;; + esac + fi + if test "$HP_ARCH" = ""; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if test "$HP_ARCH" = hppa2.0w + then + set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | + grep -q __LP64__ + then + HP_ARCH=hppa2.0w + else + HP_ARCH=hppa64 + fi + fi + GUESS=$HP_ARCH-hp-hpux$HPUX_REV + ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + GUESS=ia64-hp-hpux$HPUX_REV + ;; + 3050*:HI-UX:*:*) + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && + { echo "$SYSTEM_NAME"; exit; } + GUESS=unknown-hitachi-hiuxwe2 + ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) + GUESS=hppa1.1-hp-bsd + ;; + 9000/8??:4.3bsd:*:*) + GUESS=hppa1.0-hp-bsd + ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + GUESS=hppa1.0-hp-mpeix + ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) + GUESS=hppa1.1-hp-osf + ;; + hp8??:OSF1:*:*) + GUESS=hppa1.0-hp-osf + ;; + i*86:OSF1:*:*) + if test -x /usr/sbin/sysversion ; then + GUESS=$UNAME_MACHINE-unknown-osf1mk + else + GUESS=$UNAME_MACHINE-unknown-osf1 + fi + ;; + parisc*:Lites*:*:*) + GUESS=hppa1.1-hp-lites + ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + GUESS=c1-convex-bsd + ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + GUESS=c34-convex-bsd + ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + GUESS=c38-convex-bsd + ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + GUESS=c4-convex-bsd + ;; + CRAY*Y-MP:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=ymp-cray-unicos$CRAY_REL + ;; + CRAY*[A-Z]90:*:*:*) + echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=t90-cray-unicos$CRAY_REL + ;; + CRAY*T3E:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=alphaev5-cray-unicosmk$CRAY_REL + ;; + CRAY*SV1:*:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=sv1-cray-unicos$CRAY_REL + ;; + *:UNICOS/mp:*:*) + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=craynv-cray-unicosmp$CRAY_REL + ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` + GUESS=${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + GUESS=sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + GUESS=$UNAME_MACHINE-pc-bsdi$UNAME_RELEASE + ;; + sparc*:BSD/OS:*:*) + GUESS=sparc-unknown-bsdi$UNAME_RELEASE + ;; + *:BSD/OS:*:*) + GUESS=$UNAME_MACHINE-unknown-bsdi$UNAME_RELEASE + ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabi + else + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabihf + fi + ;; + *:FreeBSD:*:*) + UNAME_PROCESSOR=`/usr/bin/uname -p` + case $UNAME_PROCESSOR in + amd64) + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; + esac + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL + ;; + i*:CYGWIN*:*) + GUESS=$UNAME_MACHINE-pc-cygwin + ;; + *:MINGW64*:*) + GUESS=$UNAME_MACHINE-pc-mingw64 + ;; + *:MINGW*:*) + GUESS=$UNAME_MACHINE-pc-mingw32 + ;; + *:MSYS*:*) + GUESS=$UNAME_MACHINE-pc-msys + ;; + i*:PW*:*) + GUESS=$UNAME_MACHINE-pc-pw32 + ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; + *:Interix*:*) + case $UNAME_MACHINE in + x86) + GUESS=i586-pc-interix$UNAME_RELEASE + ;; + authenticamd | genuineintel | EM64T) + GUESS=x86_64-unknown-interix$UNAME_RELEASE + ;; + IA64) + GUESS=ia64-unknown-interix$UNAME_RELEASE + ;; + esac ;; + i*:UWIN*:*) + GUESS=$UNAME_MACHINE-pc-uwin + ;; + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) + GUESS=x86_64-pc-cygwin + ;; + prep*:SunOS:5.*:*) + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=powerpcle-unknown-solaris2$SUN_REL + ;; + *:GNU:*:*) + # the GNU system + GNU_ARCH=`echo "$UNAME_MACHINE" | sed -e 's,[-/].*$,,'` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's,/.*$,,'` + GUESS=$GNU_ARCH-unknown-$LIBC$GNU_REL + ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + GNU_SYS=`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC + ;; + x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*) + GUESS="$UNAME_MACHINE-pc-managarm-mlibc" + ;; + *:[Mm]anagarm:*:*) + GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" + ;; + *:Minix:*:*) + GUESS=$UNAME_MACHINE-unknown-minix + ;; + aarch64:Linux:*:*) + set_cc_for_build + CPU=$UNAME_MACHINE + LIBCABI=$LIBC + if test "$CC_FOR_BUILD" != no_compiler_found; then + ABI=64 + sed 's/^ //' << EOF > "$dummy.c" + #ifdef __ARM_EABI__ + #ifdef __ARM_PCS_VFP + ABI=eabihf + #else + ABI=eabi + #endif + #endif +EOF + cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` + eval "$cc_set_abi" + case $ABI in + eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;; + esac + fi + GUESS=$CPU-unknown-linux-$LIBCABI + ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + arc:Linux:*:* | arceb:Linux:*:* | arc32:Linux:*:* | arc64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + arm*:Linux:*:*) + set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + else + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabi + else + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabihf + fi + fi + ;; + avr32*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + cris:Linux:*:*) + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; + crisv32:Linux:*:*) + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; + e2k:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + frv:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + hexagon:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + i*86:Linux:*:*) + GUESS=$UNAME_MACHINE-pc-linux-$LIBC + ;; + ia64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + k1om:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + kvx:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + kvx:cos:*:*) + GUESS=$UNAME_MACHINE-unknown-cos + ;; + kvx:mbr:*:*) + GUESS=$UNAME_MACHINE-unknown-mbr + ;; + loongarch32:Linux:*:* | loongarch64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + m32r*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + m68*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + mips:Linux:*:* | mips64:Linux:*:*) + set_cc_for_build + IS_GLIBC=0 + test x"${LIBC}" = xgnu && IS_GLIBC=1 + sed 's/^ //' << EOF > "$dummy.c" + #undef CPU + #undef mips + #undef mipsel + #undef mips64 + #undef mips64el + #if ${IS_GLIBC} && defined(_ABI64) + LIBCABI=gnuabi64 + #else + #if ${IS_GLIBC} && defined(_ABIN32) + LIBCABI=gnuabin32 + #else + LIBCABI=${LIBC} + #endif + #endif + + #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa64r6 + #else + #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa32r6 + #else + #if defined(__mips64) + CPU=mips64 + #else + CPU=mips + #endif + #endif + #endif + + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + MIPS_ENDIAN=el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + MIPS_ENDIAN= + #else + MIPS_ENDIAN= + #endif + #endif +EOF + cc_set_vars=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'` + eval "$cc_set_vars" + test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } + ;; + mips64el:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + openrisc*:Linux:*:*) + GUESS=or1k-unknown-linux-$LIBC + ;; + or32:Linux:*:* | or1k*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + padre:Linux:*:*) + GUESS=sparc-unknown-linux-$LIBC + ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + GUESS=hppa64-unknown-linux-$LIBC + ;; + parisc:Linux:*:* | hppa:Linux:*:*) + # Look for CPU level + case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in + PA7*) GUESS=hppa1.1-unknown-linux-$LIBC ;; + PA8*) GUESS=hppa2.0-unknown-linux-$LIBC ;; + *) GUESS=hppa-unknown-linux-$LIBC ;; + esac + ;; + ppc64:Linux:*:*) + GUESS=powerpc64-unknown-linux-$LIBC + ;; + ppc:Linux:*:*) + GUESS=powerpc-unknown-linux-$LIBC + ;; + ppc64le:Linux:*:*) + GUESS=powerpc64le-unknown-linux-$LIBC + ;; + ppcle:Linux:*:*) + GUESS=powerpcle-unknown-linux-$LIBC + ;; + riscv32:Linux:*:* | riscv32be:Linux:*:* | riscv64:Linux:*:* | riscv64be:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + s390:Linux:*:* | s390x:Linux:*:*) + GUESS=$UNAME_MACHINE-ibm-linux-$LIBC + ;; + sh64*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + sh*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + sparc:Linux:*:* | sparc64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + tile*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + vax:Linux:*:*) + GUESS=$UNAME_MACHINE-dec-linux-$LIBC + ;; + x86_64:Linux:*:*) + set_cc_for_build + CPU=$UNAME_MACHINE + LIBCABI=$LIBC + if test "$CC_FOR_BUILD" != no_compiler_found; then + ABI=64 + sed 's/^ //' << EOF > "$dummy.c" + #ifdef __i386__ + ABI=x86 + #else + #ifdef __ILP32__ + ABI=x32 + #endif + #endif +EOF + cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` + eval "$cc_set_abi" + case $ABI in + x86) CPU=i686 ;; + x32) LIBCABI=${LIBC}x32 ;; + esac + fi + GUESS=$CPU-pc-linux-$LIBCABI + ;; + xtensa*:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. + # earlier versions are messed up and put the nodename in both + # sysname and nodename. + GUESS=i386-sequent-sysv4 + ;; + i*86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION + ;; + i*86:OS/2:*:*) + # If we were able to find 'uname', then EMX Unix compatibility + # is probably installed. + GUESS=$UNAME_MACHINE-pc-os2-emx + ;; + i*86:XTS-300:*:STOP) + GUESS=$UNAME_MACHINE-unknown-stop + ;; + i*86:atheos:*:*) + GUESS=$UNAME_MACHINE-unknown-atheos + ;; + i*86:syllable:*:*) + GUESS=$UNAME_MACHINE-pc-syllable + ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) + GUESS=i386-unknown-lynxos$UNAME_RELEASE + ;; + i*86:*DOS:*:*) + GUESS=$UNAME_MACHINE-pc-msdosdjgpp + ;; + i*86:*:4.*:*) + UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + GUESS=$UNAME_MACHINE-univel-sysv$UNAME_REL + else + GUESS=$UNAME_MACHINE-pc-sysv$UNAME_REL + fi + ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + GUESS=$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + GUESS=$UNAME_MACHINE-pc-sco$UNAME_REL + else + GUESS=$UNAME_MACHINE-pc-sysv32 + fi + ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configure will decide that + # this is a cross-build. + GUESS=i586-pc-msdosdjgpp + ;; + Intel:Mach:3*:*) + GUESS=i386-pc-mach3 + ;; + paragon:*:*:*) + GUESS=i860-intel-osf1 + ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + GUESS=i860-stardent-sysv$UNAME_RELEASE # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. + GUESS=i860-unknown-sysv$UNAME_RELEASE # Unknown i860-SVR4 + fi + ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + GUESS=m68010-convergent-sysv + ;; + mc68k:UNIX:SYSTEM5:3.51m) + GUESS=m68k-convergent-sysv + ;; + M680?0:D-NIX:5.3:*) + GUESS=m68k-diab-dnix + ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; + m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) + GUESS=m68k-unknown-lynxos$UNAME_RELEASE + ;; + mc68030:UNIX_System_V:4.*:*) + GUESS=m68k-atari-sysv4 + ;; + TSUNAMI:LynxOS:2.*:*) + GUESS=sparc-unknown-lynxos$UNAME_RELEASE + ;; + rs6000:LynxOS:2.*:*) + GUESS=rs6000-unknown-lynxos$UNAME_RELEASE + ;; + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) + GUESS=powerpc-unknown-lynxos$UNAME_RELEASE + ;; + SM[BE]S:UNIX_SV:*:*) + GUESS=mips-dde-sysv$UNAME_RELEASE + ;; + RM*:ReliantUNIX-*:*:*) + GUESS=mips-sni-sysv4 + ;; + RM*:SINIX-*:*:*) + GUESS=mips-sni-sysv4 + ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + GUESS=$UNAME_MACHINE-sni-sysv4 + else + GUESS=ns32k-sni-sysv + fi + ;; + PENTIUM:*:4.0*:*) # Unisys 'ClearPath HMP IX 4000' SVR4/MP effort + # says + GUESS=i586-unisys-sysv4 + ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + GUESS=hppa1.1-stratus-sysv4 + ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + GUESS=i860-stratus-sysv4 + ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + GUESS=$UNAME_MACHINE-stratus-vos + ;; + *:VOS:*:*) + # From Paul.Green@stratus.com. + GUESS=hppa1.1-stratus-vos + ;; + mc68*:A/UX:*:*) + GUESS=m68k-apple-aux$UNAME_RELEASE + ;; + news*:NEWS-OS:6*:*) + GUESS=mips-sony-newsos6 + ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if test -d /usr/nec; then + GUESS=mips-nec-sysv$UNAME_RELEASE + else + GUESS=mips-unknown-sysv$UNAME_RELEASE + fi + ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + GUESS=powerpc-be-beos + ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + GUESS=powerpc-apple-beos + ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + GUESS=i586-pc-beos + ;; + BePC:Haiku:*:*) # Haiku running on Intel PC compatible. + GUESS=i586-pc-haiku + ;; + ppc:Haiku:*:*) # Haiku running on Apple PowerPC + GUESS=powerpc-apple-haiku + ;; + *:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat) + GUESS=$UNAME_MACHINE-unknown-haiku + ;; + SX-4:SUPER-UX:*:*) + GUESS=sx4-nec-superux$UNAME_RELEASE + ;; + SX-5:SUPER-UX:*:*) + GUESS=sx5-nec-superux$UNAME_RELEASE + ;; + SX-6:SUPER-UX:*:*) + GUESS=sx6-nec-superux$UNAME_RELEASE + ;; + SX-7:SUPER-UX:*:*) + GUESS=sx7-nec-superux$UNAME_RELEASE + ;; + SX-8:SUPER-UX:*:*) + GUESS=sx8-nec-superux$UNAME_RELEASE + ;; + SX-8R:SUPER-UX:*:*) + GUESS=sx8r-nec-superux$UNAME_RELEASE + ;; + SX-ACE:SUPER-UX:*:*) + GUESS=sxace-nec-superux$UNAME_RELEASE + ;; + Power*:Rhapsody:*:*) + GUESS=powerpc-apple-rhapsody$UNAME_RELEASE + ;; + *:Rhapsody:*:*) + GUESS=$UNAME_MACHINE-apple-rhapsody$UNAME_RELEASE + ;; + arm64:Darwin:*:*) + GUESS=aarch64-apple-darwin$UNAME_RELEASE + ;; + *:Darwin:*:*) + UNAME_PROCESSOR=`uname -p` + case $UNAME_PROCESSOR in + unknown) UNAME_PROCESSOR=powerpc ;; + esac + if command -v xcode-select > /dev/null 2> /dev/null && \ + ! xcode-select --print-path > /dev/null 2> /dev/null ; then + # Avoid executing cc if there is no toolchain installed as + # cc will be a stub that puts up a graphical alert + # prompting the user to install developer tools. + CC_FOR_BUILD=no_compiler_found + else + set_cc_for_build + fi + if test "$CC_FOR_BUILD" != no_compiler_found; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc + fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # uname -m returns i386 or x86_64 + UNAME_PROCESSOR=$UNAME_MACHINE + fi + GUESS=$UNAME_PROCESSOR-apple-darwin$UNAME_RELEASE + ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = x86; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi + GUESS=$UNAME_PROCESSOR-$UNAME_MACHINE-nto-qnx$UNAME_RELEASE + ;; + *:QNX:*:4*) + GUESS=i386-pc-qnx + ;; + NEO-*:NONSTOP_KERNEL:*:*) + GUESS=neo-tandem-nsk$UNAME_RELEASE + ;; + NSE-*:NONSTOP_KERNEL:*:*) + GUESS=nse-tandem-nsk$UNAME_RELEASE + ;; + NSR-*:NONSTOP_KERNEL:*:*) + GUESS=nsr-tandem-nsk$UNAME_RELEASE + ;; + NSV-*:NONSTOP_KERNEL:*:*) + GUESS=nsv-tandem-nsk$UNAME_RELEASE + ;; + NSX-*:NONSTOP_KERNEL:*:*) + GUESS=nsx-tandem-nsk$UNAME_RELEASE + ;; + *:NonStop-UX:*:*) + GUESS=mips-compaq-nonstopux + ;; + BS2000:POSIX*:*:*) + GUESS=bs2000-siemens-sysv + ;; + DS/*:UNIX_System_V:*:*) + GUESS=$UNAME_MACHINE-$UNAME_SYSTEM-$UNAME_RELEASE + ;; + *:Plan9:*:*) + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. + if test "${cputype-}" = 386; then + UNAME_MACHINE=i386 + elif test "x${cputype-}" != x; then + UNAME_MACHINE=$cputype + fi + GUESS=$UNAME_MACHINE-unknown-plan9 + ;; + *:TOPS-10:*:*) + GUESS=pdp10-unknown-tops10 + ;; + *:TENEX:*:*) + GUESS=pdp10-unknown-tenex + ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + GUESS=pdp10-dec-tops20 + ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + GUESS=pdp10-xkl-tops20 + ;; + *:TOPS-20:*:*) + GUESS=pdp10-unknown-tops20 + ;; + *:ITS:*:*) + GUESS=pdp10-unknown-its + ;; + SEI:*:*:SEIUX) + GUESS=mips-sei-seiux$UNAME_RELEASE + ;; + *:DragonFly:*:*) + DRAGONFLY_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_MACHINE-unknown-dragonfly$DRAGONFLY_REL + ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case $UNAME_MACHINE in + A*) GUESS=alpha-dec-vms ;; + I*) GUESS=ia64-dec-vms ;; + V*) GUESS=vax-dec-vms ;; + esac ;; + *:XENIX:*:SysV) + GUESS=i386-pc-xenix + ;; + i*86:skyos:*:*) + SKYOS_REL=`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'` + GUESS=$UNAME_MACHINE-pc-skyos$SKYOS_REL + ;; + i*86:rdos:*:*) + GUESS=$UNAME_MACHINE-pc-rdos + ;; + i*86:Fiwix:*:*) + GUESS=$UNAME_MACHINE-pc-fiwix + ;; + *:AROS:*:*) + GUESS=$UNAME_MACHINE-unknown-aros + ;; + x86_64:VMkernel:*:*) + GUESS=$UNAME_MACHINE-unknown-esx + ;; + amd64:Isilon\ OneFS:*:*) + GUESS=x86_64-unknown-onefs + ;; + *:Unleashed:*:*) + GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE + ;; +esac + +# Do we have a guess based on uname results? +if test "x$GUESS" != x; then + echo "$GUESS" + exit +fi + +# No uname command or uname output not recognized. +set_cc_for_build +cat > "$dummy.c" < +#include +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#include +#if defined(_SIZE_T_) || defined(SIGLOST) +#include +#endif +#endif +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... */ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); +#endif + +#if defined (vax) +#if !defined (ultrix) +#include +#if defined (BSD) +#if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +#else +#if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#endif +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#else +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname un; + uname (&un); + printf ("vax-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname *un; + uname (&un); + printf ("mips-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("mips-dec-ultrix\n"); exit (0); +#endif +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`"$dummy"` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. +test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } + +echo "$0: unable to guess system type" >&2 + +case $UNAME_MACHINE:$UNAME_SYSTEM in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 <&2 </dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null` + +hostinfo = `(hostinfo) 2>/dev/null` +/bin/universe = `(/bin/universe) 2>/dev/null` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` +/bin/arch = `(/bin/arch) 2>/dev/null` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` + +UNAME_MACHINE = "$UNAME_MACHINE" +UNAME_RELEASE = "$UNAME_RELEASE" +UNAME_SYSTEM = "$UNAME_SYSTEM" +UNAME_VERSION = "$UNAME_VERSION" +EOF +fi + +exit 1 + +# Local variables: +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/config.sub b/config.sub new file mode 100644 index 0000000..aad6288 --- /dev/null +++ b/config.sub @@ -0,0 +1,1895 @@ +#! /bin/sh +# Configuration validation subroutine script. +# Copyright 1992-2023 Free Software Foundation, Inc. + +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2023-07-31' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). + + +# Please send patches to . +# +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# You can get the latest version of this script from: +# https://git.savannah.gnu.org/cgit/config.git/plain/config.sub + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS + +Canonicalize a configuration name. + +Options: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.sub ($timestamp) + +Copyright 1992-2023 Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try '$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + + *local*) + # First pass through any local machine types. + echo "$1" + exit ;; + + * ) + break ;; + esac +done + +case $# in + 0) echo "$me: missing argument$help" >&2 + exit 1;; + 1) ;; + *) echo "$me: too many arguments$help" >&2 + exit 1;; +esac + +# Split fields of configuration type +# shellcheck disable=SC2162 +saved_IFS=$IFS +IFS="-" read field1 field2 field3 field4 <&2 + exit 1 + ;; + *-*-*-*) + basic_machine=$field1-$field2 + basic_os=$field3-$field4 + ;; + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova* | managarm-* \ + | windows-* ) + basic_machine=$field1 + basic_os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + basic_os=linux-android + ;; + *) + basic_machine=$field1-$field2 + basic_os=$field3 + ;; + esac + ;; + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + basic_os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + basic_os=$field2 + ;; + zephyr*) + basic_machine=$field1-unknown + basic_os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | ncr* | news | 32* | 3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + basic_os= + ;; + *) + basic_machine=$field1 + basic_os=$field2 + ;; + esac + ;; + esac + ;; + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + basic_os=bsd + ;; + a29khif) + basic_machine=a29k-amd + basic_os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + basic_os=scout + ;; + alliant) + basic_machine=fx80-alliant + basic_os= + ;; + altos | altos3068) + basic_machine=m68k-altos + basic_os= + ;; + am29k) + basic_machine=a29k-none + basic_os=bsd + ;; + amdahl) + basic_machine=580-amdahl + basic_os=sysv + ;; + amiga) + basic_machine=m68k-unknown + basic_os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + basic_os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + basic_os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + basic_os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + basic_os=bsd + ;; + aros) + basic_machine=i386-pc + basic_os=aros + ;; + aux) + basic_machine=m68k-apple + basic_os=aux + ;; + balance) + basic_machine=ns32k-sequent + basic_os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + basic_os=linux + ;; + cegcc) + basic_machine=arm-unknown + basic_os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + basic_os=bsd + ;; + convex-c2) + basic_machine=c2-convex + basic_os=bsd + ;; + convex-c32) + basic_machine=c32-convex + basic_os=bsd + ;; + convex-c34) + basic_machine=c34-convex + basic_os=bsd + ;; + convex-c38) + basic_machine=c38-convex + basic_os=bsd + ;; + cray) + basic_machine=j90-cray + basic_os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + basic_os= + ;; + da30) + basic_machine=m68k-da30 + basic_os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + basic_os= + ;; + delta88) + basic_machine=m88k-motorola + basic_os=sysv3 + ;; + dicos) + basic_machine=i686-pc + basic_os=dicos + ;; + djgpp) + basic_machine=i586-pc + basic_os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + basic_os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + basic_os=ose + ;; + gmicro) + basic_machine=tron-gmicro + basic_os=sysv + ;; + go32) + basic_machine=i386-pc + basic_os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + basic_os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + basic_os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + basic_os=hms + ;; + harris) + basic_machine=m88k-harris + basic_os=sysv3 + ;; + hp300 | hp300hpux) + basic_machine=m68k-hp + basic_os=hpux + ;; + hp300bsd) + basic_machine=m68k-hp + basic_os=bsd + ;; + hppaosf) + basic_machine=hppa1.1-hp + basic_os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + basic_os=proelf + ;; + i386mach) + basic_machine=i386-mach + basic_os=mach + ;; + isi68 | isi) + basic_machine=m68k-isi + basic_os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + basic_os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + basic_os=sysv + ;; + merlin) + basic_machine=ns32k-utek + basic_os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + basic_os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + basic_os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + basic_os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + basic_os=coff + ;; + morphos) + basic_machine=powerpc-unknown + basic_os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + basic_os=moxiebox + ;; + msdos) + basic_machine=i386-pc + basic_os=msdos + ;; + msys) + basic_machine=i686-pc + basic_os=msys + ;; + mvs) + basic_machine=i370-ibm + basic_os=mvs + ;; + nacl) + basic_machine=le32-unknown + basic_os=nacl + ;; + ncr3000) + basic_machine=i486-ncr + basic_os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + basic_os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + basic_os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + basic_os=newsos + ;; + news1000) + basic_machine=m68030-sony + basic_os=newsos + ;; + necv70) + basic_machine=v70-nec + basic_os=sysv + ;; + nh3000) + basic_machine=m68k-harris + basic_os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + basic_os=cxux + ;; + nindy960) + basic_machine=i960-intel + basic_os=nindy + ;; + mon960) + basic_machine=i960-intel + basic_os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + basic_os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + basic_os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + basic_os=ose + ;; + os68k) + basic_machine=m68k-none + basic_os=os68k + ;; + paragon) + basic_machine=i860-intel + basic_os=osf + ;; + parisc) + basic_machine=hppa-unknown + basic_os=linux + ;; + psp) + basic_machine=mipsallegrexel-sony + basic_os=psp + ;; + pw32) + basic_machine=i586-unknown + basic_os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + basic_os=rdos + ;; + rdos32) + basic_machine=i386-pc + basic_os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + basic_os=coff + ;; + sa29200) + basic_machine=a29k-amd + basic_os=udi + ;; + sei) + basic_machine=mips-sei + basic_os=seiux + ;; + sequent) + basic_machine=i386-sequent + basic_os= + ;; + sps7) + basic_machine=m68k-bull + basic_os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + basic_os= + ;; + stratus) + basic_machine=i860-stratus + basic_os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + basic_os= + ;; + sun2os3) + basic_machine=m68000-sun + basic_os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + basic_os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + basic_os= + ;; + sun3os3) + basic_machine=m68k-sun + basic_os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + basic_os=sunos4 + ;; + sun4) + basic_machine=sparc-sun + basic_os= + ;; + sun4os3) + basic_machine=sparc-sun + basic_os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + basic_os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + basic_os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + basic_os= + ;; + sv1) + basic_machine=sv1-cray + basic_os=unicos + ;; + symmetry) + basic_machine=i386-sequent + basic_os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + basic_os=unicos + ;; + t90) + basic_machine=t90-cray + basic_os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + basic_os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + basic_os=tpf + ;; + udi29k) + basic_machine=a29k-amd + basic_os=udi + ;; + ultra3) + basic_machine=a29k-nyu + basic_os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + basic_os=none + ;; + vaxv) + basic_machine=vax-dec + basic_os=sysv + ;; + vms) + basic_machine=vax-dec + basic_os=vms + ;; + vsta) + basic_machine=i386-pc + basic_os=vsta + ;; + vxworks960) + basic_machine=i960-wrs + basic_os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + basic_os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + basic_os=vxworks + ;; + xbox) + basic_machine=i686-pc + basic_os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + basic_os=unicos + ;; + *) + basic_machine=$1 + basic_os= + ;; + esac + ;; +esac + +# Decode 1-component or ad-hoc basic machines +case $basic_machine in + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. + w89k) + cpu=hppa1.1 + vendor=winbond + ;; + op50n) + cpu=hppa1.1 + vendor=oki + ;; + op60c) + cpu=hppa1.1 + vendor=oki + ;; + ibm*) + cpu=i370 + vendor=ibm + ;; + orion105) + cpu=clipper + vendor=highlevel + ;; + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple + ;; + pmac | pmac-mpw) + cpu=powerpc + vendor=apple + ;; + + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. + 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) + cpu=m68000 + vendor=att + ;; + 3b*) + cpu=we32k + vendor=att + ;; + bluegene*) + cpu=powerpc + vendor=ibm + basic_os=cnk + ;; + decsystem10* | dec10*) + cpu=pdp10 + vendor=dec + basic_os=tops10 + ;; + decsystem20* | dec20*) + cpu=pdp10 + vendor=dec + basic_os=tops20 + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + cpu=m68k + vendor=motorola + ;; + dpx2*) + cpu=m68k + vendor=bull + basic_os=sysv3 + ;; + encore | umax | mmax) + cpu=ns32k + vendor=encore + ;; + elxsi) + cpu=elxsi + vendor=elxsi + basic_os=${basic_os:-bsd} + ;; + fx2800) + cpu=i860 + vendor=alliant + ;; + genix) + cpu=ns32k + vendor=ns + ;; + h3050r* | hiux*) + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + cpu=m68000 + vendor=hp + ;; + hp9k3[2-9][0-9]) + cpu=m68k + vendor=hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + cpu=hppa1.1 + vendor=hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + cpu=hppa1.1 + vendor=hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + cpu=hppa1.0 + vendor=hp + ;; + i*86v32) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv32 + ;; + i*86v4*) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv4 + ;; + i*86v) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv + ;; + i*86sol2) + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=solaris2 + ;; + j90 | j90-cray) + cpu=j90 + vendor=cray + basic_os=${basic_os:-unicos} + ;; + iris | iris4d) + cpu=mips + vendor=sgi + case $basic_os in + irix*) + ;; + *) + basic_os=irix4 + ;; + esac + ;; + miniframe) + cpu=m68000 + vendor=convergent + ;; + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + basic_os=mint + ;; + news-3600 | risc-news) + cpu=mips + vendor=sony + basic_os=newsos + ;; + next | m*-next) + cpu=m68k + vendor=next + case $basic_os in + openstep*) + ;; + nextstep*) + ;; + ns2*) + basic_os=nextstep2 + ;; + *) + basic_os=nextstep3 + ;; + esac + ;; + np1) + cpu=np1 + vendor=gould + ;; + op50n-* | op60c-*) + cpu=hppa1.1 + vendor=oki + basic_os=proelf + ;; + pa-hitachi) + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 + ;; + pbd) + cpu=sparc + vendor=tti + ;; + pbb) + cpu=m68k + vendor=tti + ;; + pc532) + cpu=ns32k + vendor=pc532 + ;; + pn) + cpu=pn + vendor=gould + ;; + power) + cpu=power + vendor=ibm + ;; + ps2) + cpu=i386 + vendor=ibm + ;; + rm[46]00) + cpu=mips + vendor=siemens + ;; + rtpc | rtpc-*) + cpu=romp + vendor=ibm + ;; + sde) + cpu=mipsisa32 + vendor=sde + basic_os=${basic_os:-elf} + ;; + simso-wrs) + cpu=sparclite + vendor=wrs + basic_os=vxworks + ;; + tower | tower-32) + cpu=m68k + vendor=ncr + ;; + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu + ;; + w65) + cpu=w65 + vendor=wdc + ;; + w89k-*) + cpu=hppa1.1 + vendor=winbond + basic_os=proelf + ;; + none) + cpu=none + vendor=none + ;; + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine + ;; + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` + ;; + + *-*) + # shellcheck disable=SC2162 + saved_IFS=$IFS + IFS="-" read cpu vendor <&2 + exit 1 + ;; + esac + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $vendor in + digital*) + vendor=dec + ;; + commodore*) + vendor=cbm + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if test x$basic_os != x +then + +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just +# set os. +case $basic_os in + gnu/linux*) + kernel=linux + os=`echo "$basic_os" | sed -e 's|gnu/linux|gnu|'` + ;; + os2-emx) + kernel=os2 + os=`echo "$basic_os" | sed -e 's|os2-emx|emx|'` + ;; + nto-qnx*) + kernel=nto + os=`echo "$basic_os" | sed -e 's|nto-qnx|qnx|'` + ;; + *-*) + # shellcheck disable=SC2162 + saved_IFS=$IFS + IFS="-" read kernel os <&2 + exit 1 + ;; +esac + +# As a final step for OS-related things, validate the OS-kernel combination +# (given a valid OS), if there is a kernel. +case $kernel-$os in + linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \ + | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* ) + ;; + uclinux-uclibc* ) + ;; + managarm-mlibc* | managarm-kernel* ) + ;; + windows*-gnu* | windows*-msvc*) + ;; + -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* ) + # These are just libc implementations, not actual OSes, and thus + # require a kernel. + echo "Invalid configuration '$1': libc '$os' needs explicit kernel." 1>&2 + exit 1 + ;; + -kernel* ) + echo "Invalid configuration '$1': '$os' needs explicit kernel." 1>&2 + exit 1 + ;; + *-kernel* ) + echo "Invalid configuration '$1': '$kernel' does not support '$os'." 1>&2 + exit 1 + ;; + *-msvc* ) + echo "Invalid configuration '$1': '$os' needs 'windows'." 1>&2 + exit 1 + ;; + kfreebsd*-gnu* | kopensolaris*-gnu*) + ;; + vxworks-simlinux | vxworks-simwindows | vxworks-spe) + ;; + nto-qnx*) + ;; + os2-emx) + ;; + *-eabi* | *-gnueabi*) + ;; + none-coff* | none-elf*) + # None (no kernel, i.e. freestanding / bare metal), + # can be paired with an output format "OS" + ;; + -*) + # Blank kernel with real OS is always fine. + ;; + *-*) + echo "Invalid configuration '$1': Kernel '$kernel' not known to work with OS '$os'." 1>&2 + exit 1 + ;; +esac + +# Here we handle the case where we know the os, and the CPU type, but not the +# manufacturer. We pick the logical manufacturer. +case $vendor in + unknown) + case $cpu-$os in + *-riscix*) + vendor=acorn + ;; + *-sunos*) + vendor=sun + ;; + *-cnk* | *-aix*) + vendor=ibm + ;; + *-beos*) + vendor=be + ;; + *-hpux*) + vendor=hp + ;; + *-mpeix*) + vendor=hp + ;; + *-hiux*) + vendor=hitachi + ;; + *-unos*) + vendor=crds + ;; + *-dgux*) + vendor=dg + ;; + *-luna*) + vendor=omron + ;; + *-genix*) + vendor=ns + ;; + *-clix*) + vendor=intergraph + ;; + *-mvs* | *-opened*) + vendor=ibm + ;; + *-os400*) + vendor=ibm + ;; + s390-* | s390x-*) + vendor=ibm + ;; + *-ptx*) + vendor=sequent + ;; + *-tpf*) + vendor=ibm + ;; + *-vxsim* | *-vxworks* | *-windiss*) + vendor=wrs + ;; + *-aux*) + vendor=apple + ;; + *-hms*) + vendor=hitachi + ;; + *-mpw* | *-macos*) + vendor=apple + ;; + *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) + vendor=atari + ;; + *-vos*) + vendor=stratus + ;; + esac + ;; +esac + +echo "$cpu-$vendor-${kernel:+$kernel-}$os" +exit + +# Local variables: +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/disable-doclint-by-default.patch b/disable-doclint-by-default.patch new file mode 100644 index 0000000..55be3c1 --- /dev/null +++ b/disable-doclint-by-default.patch @@ -0,0 +1,41 @@ +--- a/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/toolkit/BaseConfiguration.java ++++ b/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/toolkit/BaseConfiguration.java +@@ -767,7 +767,7 @@ public abstract class BaseConfiguration { + } + } else { + // no -Xmsgs options of any kind, use default +- doclintOpts.add(DocLint.XMSGS_OPTION); ++ return; + } + + if (!customTagNames.isEmpty()) { +--- a/test/langtools/jdk/javadoc/tool/doclint/DocLintTest.java ++++ b/test/langtools/jdk/javadoc/tool/doclint/DocLintTest.java +@@ -155,12 +155,12 @@ public class DocLintTest { + files = List.of(new TestJFO("Test.java", code)); + + test(List.of(htmlVersion), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR9A, Message.DL_WRN12A)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN13)); + + test(List.of(htmlVersion, rawDiags), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR9, Message.DL_WRN12)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN13)); + + // test(List.of("-Xdoclint:none"), + // Main.Result.OK, +@@ -183,8 +183,8 @@ public class DocLintTest { + EnumSet.of(Message.DL_WRN12)); + + test(List.of(htmlVersion, rawDiags, "-private"), +- Main.Result.ERROR, +- EnumSet.of(Message.DL_ERR6, Message.DL_ERR9, Message.DL_WRN12)); ++ Main.Result.OK, ++ EnumSet.of(Message.JD_WRN10, Message.JD_WRN13)); + + test(List.of(htmlVersion, rawDiags, "-Xdoclint:missing,syntax", "-private"), + Main.Result.ERROR, diff --git a/fips.patch b/fips.patch new file mode 100644 index 0000000..802cb95 --- /dev/null +++ b/fips.patch @@ -0,0 +1,5859 @@ +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,87 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) ++ ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) ++]) +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -844,6 +844,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) ++ ++TARGETS += $(BUILD_LIBSYSTEMCONF) ++ + ################################################################################ + # Create the symbols file for static builds. + +--- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +@@ -25,13 +25,12 @@ + + package com.sun.crypto.provider; + +-import java.util.Arrays; +- + import javax.crypto.SecretKey; + import javax.crypto.spec.SecretKeySpec; +-import javax.crypto.spec.PBEParameterSpec; ++import javax.crypto.spec.PBEKeySpec; + import java.security.*; + import java.security.spec.*; ++import sun.security.util.PBEUtil; + + /** + * This is an implementation of the HMAC algorithms as defined +@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { + */ + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- char[] passwdChars; +- byte[] salt = null; +- int iCount = 0; +- if (key instanceof javax.crypto.interfaces.PBEKey) { +- javax.crypto.interfaces.PBEKey pbeKey = +- (javax.crypto.interfaces.PBEKey) key; +- passwdChars = pbeKey.getPassword(); +- salt = pbeKey.getSalt(); // maybe null if unspecified +- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified +- } else if (key instanceof SecretKey) { +- byte[] passwdBytes; +- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || +- (passwdBytes = key.getEncoded()) == null) { +- throw new InvalidKeyException("Missing password"); +- } +- passwdChars = new char[passwdBytes.length]; +- for (int i=0; i attrs = new HashMap<>(3); ++ if (!systemFipsEnabled) { + attrs.put("SupportedModes", "ECB"); + attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" + + "|OAEPWITHMD5ANDMGF1PADDING" +@@ -422,6 +428,7 @@ public final class SunJCE extends Provider { + psA("KeyPairGenerator", "DiffieHellman", + "com.sun.crypto.provider.DHKeyPairGenerator", + null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,6 +437,7 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + ++ if (!systemFipsEnabled) { + /* + * Key Agreement engines + */ +@@ -439,6 +447,7 @@ public final class SunJCE extends Provider { + psA("KeyAgreement", "DiffieHellman", + "com.sun.crypto.provider.DHKeyAgreement", + attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -610,6 +619,7 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); + ++ if (!systemFipsEnabled) { + // PBKDF2 + psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +@@ -723,6 +733,7 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", + List.of("SunTls12RsaPremasterSecret"), null); + } ++ } + + // Return the instance of this class or create one if needed. + static SunJCE getInstance() { +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -33,6 +33,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -57,6 +58,11 @@ import sun.security.jca.*; + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -74,6 +80,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -97,6 +116,7 @@ public final class Security { + private static void initialize() { + props = new Properties(); + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -117,6 +137,60 @@ public final class Security { + } + loadProps(null, extraPropFile, overrideAll); + } ++ ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ if (systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.suse.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.suse.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -124,10 +198,9 @@ public final class Security { + props.getProperty(key)); + } + } +- + } + +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,232 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.suse.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.suse.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.suse.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -40,6 +40,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -83,6 +84,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -457,4 +459,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -152,6 +152,8 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.cryptoki, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.jfr, +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,6 +99,7 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + ++ if (!systemFipsEnabled) { + /* + * SecureRandom engines + */ +@@ -177,6 +183,8 @@ public final class SunEntries { + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } ++ + /* + * Key Pair Generator engines + */ +@@ -184,9 +192,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only + ++ if (!systemFipsEnabled) { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -201,6 +211,7 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + ++ if (!systemFipsEnabled) { + /* + * Key factories + */ +@@ -235,6 +246,7 @@ public final class SunEntries { + "sun.security.provider.SHA3$SHA384", attrs); + addWithAlias(p, "MessageDigest", "SHA3-512", + "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -63,6 +68,8 @@ public final class SunRsaSignEntries { + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); ++ ++ if (!systemFipsEnabled) { + add(p, "KeyPairGenerator", "RSA", + "sun.security.rsa.RSAKeyPairGenerator$Legacy", + getAliases("PKCS1"), null); +@@ -92,13 +99,18 @@ public final class SunRsaSignEntries { + "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); + addA(p, "Signature", "SHA3-512withRSA", + "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); ++ ++ if (!systemFipsEnabled) { + addA(p, "KeyPairGenerator", "RSASSA-PSS", + "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); + addA(p, "Signature", "RSASSA-PSS", + "sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +--- /dev/null ++++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.util; ++ ++import java.security.AlgorithmParameters; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.Key; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidParameterSpecException; ++import java.util.Arrays; ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++public final class PBEUtil { ++ ++ // Used by SunJCE and SunPKCS11 ++ public final static class PBES2Helper { ++ private int iCount; ++ private byte[] salt; ++ private IvParameterSpec ivSpec; ++ private final int defaultSaltLength; ++ private final int defaultCount; ++ ++ public PBES2Helper(int defaultSaltLength, int defaultCount) { ++ this.defaultSaltLength = defaultSaltLength; ++ this.defaultCount = defaultCount; ++ } ++ ++ public IvParameterSpec getIvSpec() { ++ return ivSpec; ++ } ++ ++ public AlgorithmParameters getAlgorithmParameters( ++ int blkSize, String pbeAlgo, Provider p, SecureRandom random) { ++ AlgorithmParameters params = null; ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if (ivSpec == null) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ PBEParameterSpec pbeSpec = new PBEParameterSpec( ++ salt, iCount, ivSpec); ++ try { ++ params = (p == null) ? ++ AlgorithmParameters.getInstance(pbeAlgo) : ++ AlgorithmParameters.getInstance(pbeAlgo, p); ++ params.init(pbeSpec); ++ } catch (NoSuchAlgorithmException nsae) { ++ // should never happen ++ throw new RuntimeException("AlgorithmParameters for " ++ + pbeAlgo + " not configured"); ++ } catch (InvalidParameterSpecException ipse) { ++ // should never happen ++ throw new RuntimeException("PBEParameterSpec not supported"); ++ } ++ return params; ++ } ++ ++ public PBEKeySpec getPBEKeySpec( ++ int blkSize, int keyLength, int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ ++ if (key == null) { ++ throw new InvalidKeyException("Null key"); ++ } ++ ++ byte[] passwdBytes = key.getEncoded(); ++ char[] passwdChars = null; ++ PBEKeySpec pbeSpec; ++ try { ++ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches( ++ true, 0, "PBE", 0, 3))) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ ++ // TBD: consolidate the salt, ic and IV parameter checks below ++ ++ // Extract salt and iteration count from the key, if present ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt(); ++ if (salt != null && salt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ iCount = ((javax.crypto.interfaces.PBEKey)key) ++ .getIterationCount(); ++ if (iCount == 0) { ++ iCount = defaultCount; ++ } else if (iCount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ } ++ ++ // Extract salt, iteration count and IV from the params, ++ // if present ++ if (params == null) { ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ } else { ++ if (!(params instanceof PBEParameterSpec)) { ++ throw new InvalidAlgorithmParameterException ++ ("Wrong parameter type: PBE expected"); ++ } ++ // salt and iteration count from the params take precedence ++ byte[] specSalt = ((PBEParameterSpec) params).getSalt(); ++ if (specSalt != null && specSalt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ salt = specSalt; ++ int specICount = ((PBEParameterSpec) params) ++ .getIterationCount(); ++ if (specICount == 0) { ++ specICount = defaultCount; ++ } else if (specICount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ iCount = specICount; ++ ++ AlgorithmParameterSpec specParams = ++ ((PBEParameterSpec) params).getParameterSpec(); ++ if (specParams != null) { ++ if (specParams instanceof IvParameterSpec) { ++ ivSpec = (IvParameterSpec)specParams; ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: IV expected"); ++ } ++ } else if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Missing parameter type: IV expected"); ++ } ++ } ++ ++ passwdChars = new char[passwdBytes.length]; ++ for (int i = 0; i < passwdChars.length; i++) ++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f); ++ ++ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength); ++ // password char[] was cloned in PBEKeySpec constructor, ++ // so we can zero it out here ++ } finally { ++ if (passwdChars != null) Arrays.fill(passwdChars, '\0'); ++ if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00); ++ } ++ return pbeSpec; ++ } ++ ++ public static AlgorithmParameterSpec getParameterSpec( ++ AlgorithmParameters params) ++ throws InvalidAlgorithmParameterException { ++ AlgorithmParameterSpec pbeSpec = null; ++ if (params != null) { ++ try { ++ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); ++ } catch (InvalidParameterSpecException ipse) { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: PBE expected"); ++ } ++ } ++ return pbeSpec; ++ } ++ } ++ ++ // Used by SunJCE and SunPKCS11 ++ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ char[] passwdChars; ++ byte[] salt = null; ++ int iCount = 0; ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ javax.crypto.interfaces.PBEKey pbeKey = ++ (javax.crypto.interfaces.PBEKey) key; ++ passwdChars = pbeKey.getPassword(); ++ salt = pbeKey.getSalt(); // maybe null if unspecified ++ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified ++ } else if (key instanceof SecretKey) { ++ byte[] passwdBytes; ++ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || ++ (passwdBytes = key.getEncoded()) == null) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ passwdChars = new char[passwdBytes.length]; ++ for (int i=0; i ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -329,6 +381,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -123,6 +123,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -132,6 +133,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; +@@ -142,6 +144,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,457 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; + */ + abstract class P11Key implements Key, Length { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final long serialVersionUID = -2575874101938349339L; + + private static final String PUBLIC = "public"; +@@ -393,9 +398,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -450,7 +456,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || !extractable || (isNSS && tokenObject)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || !extractable || (isNSS && tokenObject))) { + return null; + } else { + return "RAW"; +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +@@ -29,14 +29,17 @@ import java.nio.ByteBuffer; + + import java.security.*; + import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; + + import javax.crypto.MacSpi; ++import javax.crypto.spec.PBEKeySpec; + + import sun.nio.ch.DirectBuffer; + + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.util.PBEUtil; + + /** + * MAC implementation class. This class currently supports HMAC using +@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi { + // see JCE spec + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { ++ if (algorithm.startsWith("HmacPBE")) { ++ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params); ++ reset(true); ++ try { ++ p11Key = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, algorithm); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ } else { + if (params != null) { + throw new InvalidAlgorithmParameterException + ("Parameters not supported"); + } + reset(true); + p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm); ++ } + try { + initialize(); + } catch (PKCS11Exception e) { +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java +@@ -0,0 +1,200 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.security.AlgorithmParameters; ++import java.security.Key; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.NoSuchAlgorithmException; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidKeySpecException; ++import javax.crypto.BadPaddingException; ++import javax.crypto.CipherSpi; ++import javax.crypto.IllegalBlockSizeException; ++import javax.crypto.NoSuchPaddingException; ++import javax.crypto.ShortBufferException; ++import javax.crypto.spec.PBEKeySpec; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.util.PBEUtil; ++ ++final class P11PBECipher extends CipherSpi { ++ ++ private static final int DEFAULT_SALT_LENGTH = 20; ++ private static final int DEFAULT_COUNT = 4096; ++ ++ private final Token token; ++ private final String pbeAlg; ++ private final P11Cipher cipher; ++ private final int blkSize; ++ private final int keyLen; ++ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper( ++ DEFAULT_SALT_LENGTH, DEFAULT_COUNT); ++ ++ P11PBECipher(Token token, String pbeAlg, long cipherMech) ++ throws PKCS11Exception, NoSuchAlgorithmException { ++ super(); ++ String cipherTrans; ++ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) { ++ cipherTrans = "AES/CBC/PKCS5Padding"; ++ } else { ++ throw new NoSuchAlgorithmException( ++ "Cipher transformation not supported."); ++ } ++ cipher = new P11Cipher(token, cipherTrans, cipherMech); ++ blkSize = cipher.engineGetBlockSize(); ++ assert P11Util.kdfDataMap.get(pbeAlg) != null; ++ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen; ++ this.pbeAlg = pbeAlg; ++ this.token = token; ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetMode(String mode) ++ throws NoSuchAlgorithmException { ++ cipher.engineSetMode(mode); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineSetPadding(String padding) ++ throws NoSuchPaddingException { ++ cipher.engineSetPadding(padding); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetBlockSize() { ++ return cipher.engineGetBlockSize(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetOutputSize(int inputLen) { ++ return cipher.engineGetOutputSize(inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineGetIV() { ++ return cipher.engineGetIV(); ++ } ++ ++ // see JCE spec ++ @Override ++ protected AlgorithmParameters engineGetParameters() { ++ return pbes2Helper.getAlgorithmParameters( ++ blkSize, pbeAlg, null, JCAUtil.getSecureRandom()); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ SecureRandom random) throws InvalidKeyException { ++ try { ++ engineInit(opmode, key, (AlgorithmParameterSpec) null, random); ++ } catch (InvalidAlgorithmParameterException e) { ++ throw new InvalidKeyException("requires PBE parameters", e); ++ } ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ ++ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen, ++ opmode, key, params, random); ++ ++ Key derivedKey; ++ try { ++ derivedKey = P11SecretKeyFactory.derivePBEKey( ++ token, pbeSpec, pbeAlg); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected void engineInit(int opmode, Key key, ++ AlgorithmParameters params, SecureRandom random) ++ throws InvalidKeyException, ++ InvalidAlgorithmParameterException { ++ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params), ++ random); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineUpdate(byte[] input, int inputOffset, ++ int inputLen) { ++ return cipher.engineUpdate(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineUpdate(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException { ++ return cipher.engineUpdate(input, inputOffset, inputLen, ++ output, outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected byte[] engineDoFinal(byte[] input, int inputOffset, ++ int inputLen) ++ throws IllegalBlockSizeException, BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineDoFinal(byte[] input, int inputOffset, ++ int inputLen, byte[] output, int outputOffset) ++ throws ShortBufferException, IllegalBlockSizeException, ++ BadPaddingException { ++ return cipher.engineDoFinal(input, inputOffset, inputLen, output, ++ outputOffset); ++ } ++ ++ // see JCE spec ++ @Override ++ protected int engineGetKeySize(Key key) ++ throws InvalidKeyException { ++ return cipher.engineGetKeySize(key); ++ } ++ ++} +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.spec.*; + + import javax.crypto.*; ++import javax.crypto.interfaces.PBEKey; + import javax.crypto.spec.*; + + import static sun.security.pkcs11.TemplateManager.*; +@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + return p11Key; + } + ++ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo) ++ throws InvalidKeySpecException { ++ token.ensureValid(); ++ if (keySpec == null) { ++ throw new InvalidKeySpecException("PBEKeySpec must not be null"); ++ } ++ Session session = null; ++ try { ++ session = token.getObjSession(); ++ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo); ++ CK_MECHANISM ckMech; ++ char[] password = keySpec.getPassword(); ++ byte[] salt = keySpec.getSalt(); ++ int itCount = keySpec.getIterationCount(); ++ int keySize = keySpec.getKeyLength(); ++ if (kdfData.keyLen != -1) { ++ if (keySize == 0) { ++ keySize = kdfData.keyLen; ++ } else if (keySize != kdfData.keyLen) { ++ throw new InvalidKeySpecException( ++ "Key length is invalid for " + algo); ++ } ++ } ++ ++ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { ++ CK_INFO p11Info = token.p11.getInfo(); ++ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion ++ : null); ++ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < ++ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { ++ // NSS keeps using the old structure beyond PKCS #11 v2.40 ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS(password, salt, ++ itCount, kdfData.prfMech)); ++ } else { ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PKCS5_PBKD2_PARAMS2(password, salt, ++ itCount, kdfData.prfMech)); ++ } ++ } else { ++ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2) ++ if (P11Util.isNSS(token)) { ++ // According to PKCS #11, "password" in CK_PBE_PARAMS has ++ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded ++ // in UTF-8. However, NSS expects the password to be encoded ++ // as BMPString with a NULL terminator when C_GenerateKey ++ // is called for a PKCS #12 "General Method" derivation ++ // (see RFC 7292, Appendix B.1). ++ // ++ // The char size in Java is 2 bytes. When a char is ++ // converted to a CK_UTF8CHAR, the high-order byte is ++ // discarded (see jCharArrayToCKUTF8CharArray in ++ // p11_util.c). In order to have a BMPString passed to ++ // C_GenerateKey, we need to account for that and expand: ++ // the high and low parts of each char are split into 2 ++ // chars. As an example, this is the transformation for ++ // a NULL terminated password "a": ++ // char[] => [ 0x0061, 0x0000 ] ++ // / \ / \ ++ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000] ++ // | | | | ++ // BMPString => [ 0x00, 0x61, 0x00, 0x00] ++ // ++ int inputLength = (password == null) ? 0 : password.length; ++ char[] expPassword = new char[inputLength * 2 + 2]; ++ for (int i = 0, j = 0; i < inputLength; i++, j += 2) { ++ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF); ++ expPassword[j + 1] = (char) (password[i] & 0xFF); ++ } ++ password = expPassword; ++ } ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PBE_PARAMS(password, salt, itCount)); ++ } ++ ++ long keyType = getKeyType(kdfData.keyAlgo); ++ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[ ++ switch (kdfData.op) { ++ case ENCRYPTION, AUTHENTICATION -> 4; ++ case GENERIC -> 5; ++ }]; ++ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); ++ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3); ++ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); ++ switch (kdfData.op) { ++ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE; ++ case GENERIC -> { ++ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE; ++ } ++ } ++ CK_ATTRIBUTE[] attr = token.getAttributes( ++ O_GENERATE, CKO_SECRET_KEY, keyType, attrs); ++ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr); ++ return (P11Key)P11Key.secretKey( ++ session, keyID, kdfData.keyAlgo, keySize, attr); ++ } catch (PKCS11Exception e) { ++ throw new InvalidKeySpecException("Could not create key", e); ++ } finally { ++ token.releaseSession(session); ++ } ++ } ++ ++ static P11Key derivePBEKey(Token token, PBEKey key, String algo) ++ throws InvalidKeyException { ++ token.ensureValid(); ++ if (key == null) { ++ throw new InvalidKeyException("PBEKey must not be null"); ++ } ++ P11Key p11Key = token.secretCache.get(key); ++ if (p11Key != null) { ++ return p11Key; ++ } ++ try { ++ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(), ++ key.getSalt(), key.getIterationCount()), algo); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ token.secretCache.put(key, p11Key); ++ return p11Key; ++ } ++ + static void fixDESParity(byte[] key, int offset) { + for (int i = 0; i < 8; i++) { + int b = key[offset] & 0xfe; +@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + keySpec = new SecretKeySpec(keyBytes, "DESede"); + return engineGenerateSecret(keySpec); + } ++ } else if (keySpec instanceof PBEKeySpec) { ++ return (SecretKey)derivePBEKey(token, ++ (PBEKeySpec)keySpec, algorithm); + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getClass().getName()); +@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + // see JCE spec + protected SecretKey engineTranslateKey(SecretKey key) + throws InvalidKeyException { ++ if (key instanceof PBEKey) { ++ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm); ++ } + return (SecretKey)convertKey(token, key, algorithm); + } + +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +@@ -27,6 +27,10 @@ package sun.security.pkcs11; + + import java.math.BigInteger; + import java.security.*; ++import java.util.HashMap; ++import java.util.Map; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * Collection of static utility methods. +@@ -40,6 +44,93 @@ public final class P11Util { + + private static volatile Provider sun, sunRsaSign, sunJce; + ++ // Used by PBE ++ static final class KDFData { ++ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC} ++ public long kdfMech; ++ public long prfMech; ++ public String keyAlgo; ++ public int keyLen; ++ public Operation op; ++ KDFData(long kdfMech, long prfMech, String keyAlgo, ++ int keyLen, Operation op) { ++ this.kdfMech = kdfMech; ++ this.prfMech = prfMech; ++ this.keyAlgo = keyAlgo; ++ this.keyLen = keyLen; ++ this.op = op; ++ } ++ ++ public static void addPbkdf2Data(String algo, long kdfMech, ++ long prfMech) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "Generic", -1, Operation.GENERIC)); ++ } ++ ++ public static void addPbkdf2AesData(String algo, long kdfMech, ++ long prfMech, int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "AES", keyLen, Operation.ENCRYPTION)); ++ } ++ ++ public static void addPkcs12KDData(String algo, long kdfMech, ++ int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, -1, ++ "Generic", keyLen, Operation.AUTHENTICATION)); ++ } ++ } ++ ++ static final Map kdfDataMap = new HashMap<>(); ++ ++ static { ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256); ++ ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512); ++ ++ KDFData.addPkcs12KDData("HmacPBESHA1", ++ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160); ++ KDFData.addPkcs12KDData("HmacPBESHA224", ++ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224); ++ KDFData.addPkcs12KDData("HmacPBESHA256", ++ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256); ++ KDFData.addPkcs12KDData("HmacPBESHA384", ++ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384); ++ KDFData.addPkcs12KDData("HmacPBESHA512", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/224", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/256", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ } ++ + private P11Util() { + // empty + } +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; ++ } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +- CK_INFO p11Info = p11.C_GetInfo(); ++ CK_INFO p11Info = p11.getInfo(); + if (p11Info.cryptokiVersion.major < 2) { + throw new ProviderException("Only PKCS#11 v2.0 and later " + + "supported, library version is v" + p11Info.cryptokiVersion); +@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { + final String className; + final List aliases; + final int[] mechanisms; ++ final int[] requiredMechs; + ++ // mechanisms is a list of possible mechanisms that implement the ++ // algorithm, at least one of them must be available. requiredMechs ++ // is a list of auxiliary mechanisms, all of them must be available + private Descriptor(String type, String algorithm, String className, +- List aliases, int[] mechanisms) { ++ List aliases, int[] mechanisms, int[] requiredMechs) { + this.type = type; + this.algorithm = algorithm; + this.className = className; + this.aliases = aliases; + this.mechanisms = mechanisms; ++ this.requiredMechs = requiredMechs; + } + private P11Service service(Token token, int mechanism) { + return new P11Service +@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { + + private static void d(String type, String algorithm, String className, + int[] m) { +- register(new Descriptor(type, algorithm, className, null, m)); ++ register(new Descriptor(type, algorithm, className, null, m, null)); + } + + private static void d(String type, String algorithm, String className, + List aliases, int[] m) { +- register(new Descriptor(type, algorithm, className, aliases, m)); ++ register(new Descriptor(type, algorithm, className, aliases, m, null)); ++ } ++ ++ private static void d(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, null, m, ++ requiredMechs)); ++ } ++ private static void dA(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, ++ getAliases(algorithm), m, requiredMechs)); + } + + private static void dA(String type, String algorithm, String className, + int[] m) { + register(new Descriptor(type, algorithm, className, +- getAliases(algorithm), m)); ++ getAliases(algorithm), m, null)); + } + + private static void register(Descriptor d) { +@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { + String P11Cipher = "sun.security.pkcs11.P11Cipher"; + String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; + String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; ++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher"; + String P11Signature = "sun.security.pkcs11.P11Signature"; + String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; + +@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { + d(MAC, "SslMacSHA1", P11Mac, + m(CKM_SSL3_SHA1_MAC)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBA HMacs ++ * ++ * KeyDerivationMech must be supported ++ * for these services to be available. ++ * ++ */ ++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC), ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ } ++ + d(KPG, "RSA", P11KeyPairGenerator, + getAliases("PKCS1"), + m(CKM_RSA_PKCS_KEY_PAIR_GEN)); +@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { + d(SKF, "ChaCha20", P11SecretKeyFactory, + m(CKM_CHACHA20_POLY1305)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Secret Key Factories ++ * ++ * KeyDerivationPrf must be supported for these services ++ * to be available. ++ * ++ */ ++ d(SKF, "PBEWithHmacSHA1AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ d(SKF, "PBEWithHmacSHA1AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ /* ++ * PBA Secret Key Factories ++ */ ++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory, ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ /* ++ * PBKDF2 Secret Key Factories ++ */ ++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ } ++ + // XXX attributes for Ciphers (supported modes, padding) + dA(CIP, "ARCFOUR", P11Cipher, + m(CKM_RC4)); +@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { + d(CIP, "RSA/ECB/NoPadding", P11RSACipher, + m(CKM_RSA_X_509)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Ciphers ++ * ++ * KeyDerivationMech and KeyDerivationPrf must be supported ++ * for these services to be available. ++ * ++ */ ++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ } ++ + d(SIG, "RawDSA", P11Signature, + List.of("NONEwithDSA"), + m(CKM_DSA)); +@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider { + if (ds == null) { + continue; + } ++ descLoop: + for (Descriptor d : ds) { + Integer oldMech = supportedAlgs.get(d); + if (oldMech == null) { ++ if (d.requiredMechs != null) { ++ // Check that other mechanisms required for the ++ // service are supported before listing it as ++ // available for the first time. ++ for (int requiredMech : d.requiredMechs) { ++ if (token.getMechanismInfo( ++ requiredMech & 0xFFFFFFFFL) == null) { ++ continue descLoop; ++ } ++ } ++ } + supportedAlgs.put(d, integerMech); + continue; + } +@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (token.isValid() == false) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider { + } else if (algorithm.endsWith("GCM/NoPadding") || + algorithm.startsWith("ChaCha20-Poly1305")) { + return new P11AEADCipher(token, algorithm, mechanism); ++ } else if (algorithm.startsWith("PBE")) { ++ return new P11PBECipher(token, algorithm, mechanism); + } else { + return new P11Cipher(token, algorithm, mechanism); + } +@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + private static final long serialVersionUID = 2541527649100571747L; + +@@ -114,6 +118,10 @@ class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -232,9 +240,14 @@ class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (isLoggedIn(session) == false) { ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { + provider.login(null, null); + } + } ++ } + + // return whether this token object is valid (i.e. token not removed) + // returns value from last check, does not perform new check +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS { + } + + /** +- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. ++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS. + * +- * @return the string representation of CK_PKCS5_PBKD2_PARAMS ++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +@@ -160,6 +160,18 @@ public class CK_MECHANISM { + init(mechanism, params); + } + ++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) { ++ init(mechanism, params); ++ } ++ + // For PSS. the parameter may be set multiple times, use the + // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) + // methods instead of creating yet another constructor +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; + + + /** +- * class CK_PBE_PARAMS provides all of the necessary information required byte ++ * class CK_PBE_PARAMS provides all the necessary information required by + * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

+ * PKCS#11 structure: + * 

+  * typedef struct CK_PBE_PARAMS {
+- *   CK_CHAR_PTR pInitVector;
+- *   CK_CHAR_PTR pPassword;
++ *   CK_BYTE_PTR pInitVector;
++ *   CK_UTF8CHAR_PTR pPassword;
+  *   CK_ULONG ulPasswordLen;
+- *   CK_CHAR_PTR pSalt;
++ *   CK_BYTE_PTR pSalt;
+  *   CK_ULONG ulSaltLen;
+  *   CK_ULONG ulIteration;
+  * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pInitVector;
++     *   CK_BYTE_PTR pInitVector;
+      * 

+      */
+-    public char[] pInitVector;
++    public byte[] pInitVector;
+ 
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pPassword;
++     *   CK_UTF8CHAR_PTR pPassword;
+      *   CK_ULONG ulPasswordLen;
+      * 

+      */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pSalt
++     *   CK_BYTE_PTR pSalt
+      *   CK_ULONG ulSaltLen;
+      * 

+      */
+-    public char[] pSalt;
++    public byte[] pSalt;
+ 
+     /**
+      * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+      */
+     public long ulIteration;
+ 
++    public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++         this.pPassword = pPassword;
++         this.pSalt = pSalt;
++         this.ulIteration = ulIteration;
++     }
++
+     /**
+      * Returns the string representation of CK_PBE_PARAMS.
+      *
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+ 
+ package sun.security.pkcs11.wrapper;
+ 
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
+ /**
+  * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+  * PKCS#11 structure:
+  * 
+  * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+  *   CK_VOID_PTR pSaltSourceData;
+  *   CK_ULONG ulSaltSourceDataLen;
+  *   CK_ULONG iterations;
+  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+  *   CK_VOID_PTR pPrfData;
+  *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG_PTR ulPasswordLen;
+  * } CK_PKCS5_PBKD2_PARAMS;
+  * 

+  *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+      */
+     public byte[] pPrfData;
+ 
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG_PTR ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
+     /**
+      * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+      *
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.

++ * PKCS#11 structure:
++ * 
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *   CK_VOID_PTR pSaltSourceData;
++ *   CK_ULONG ulSaltSourceDataLen;
++ *   CK_ULONG iterations;
++ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *   CK_VOID_PTR pPrfData;
++ *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ * 

++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++     * 

++     */
++    public long saltSource;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pSaltSourceData;
++     *   CK_ULONG ulSaltSourceDataLen;
++     * 

++     */
++    public byte[] pSaltSourceData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_ULONG iterations;
++     * 

++     */
++    public long iterations;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++     * 

++     */
++    public long prf;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_VOID_PTR pPrfData;
++     *   CK_ULONG ulPrfDataLen;
++     * 

++     */
++    public byte[] pPrfData;
++
++    /**
++     * PKCS#11:
++     * 
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG ulPasswordLen;
++     * 

++     */
++    public char[] pPassword;
++
++    public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++            long iterations, long prf) {
++        this.pPassword = pPassword;
++        this.pSaltSourceData = pSalt;
++        this.iterations = iterations;
++        this.prf = prf;
++        this.saltSource = CKZ_SALT_SPECIFIED;
++    }
++
++    /**
++     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++     *
++     * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++     */
++    public String toString() {
++        StringBuilder sb = new StringBuilder();
++
++        sb.append(Constants.INDENT);
++        sb.append("saltSource: ");
++        sb.append(saltSource);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pSaltSourceData: ");
++        sb.append(Functions.toHexString(pSaltSourceData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulSaltSourceDataLen: ");
++        sb.append(pSaltSourceData.length);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("iterations: ");
++        sb.append(iterations);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("prf: ");
++        sb.append(prf);
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("pPrfData: ");
++        sb.append(Functions.toHexString(pPrfData));
++        sb.append(Constants.NEWLINE);
++
++        sb.append(Constants.INDENT);
++        sb.append("ulPrfDataLen: ");
++        sb.append(pPrfData.length);
++
++        return sb.toString();
++    }
++
++}
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+     public byte[] pPublicData;
+ 
+     /**
+-     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++     * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+      *
+-     * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++     * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+      */
+     public String toString() {
+         StringBuilder sb = new StringBuilder();
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+ 
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+ 
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+ 
+     private long pNativeData;
+ 
++    private volatile CK_INFO pInfo;
++
+     /**
+      * This method does the initialization of the native library. It is called
+      * exactly once for this class.
+@@ -145,24 +150,49 @@ public class PKCS11 {
+      * @postconditions
+      */
+     PKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         connect(pkcs11ModulePath, functionListName);
+         this.pkcs11ModulePath = pkcs11ModulePath;
+     }
+ 
++    /*
++     * Compatibility wrapper to allow this method to work as before
++     * when FIPS mode support is not active.
++     */
+     public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+             String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+             boolean omitInitialize) throws IOException, PKCS11Exception {
++        return getInstance(pkcs11ModulePath, functionList,
++                           pInitArgs, omitInitialize, null, null);
++    }
++
++    public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++            String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++            boolean omitInitialize, MethodHandle fipsKeyImporter,
++            MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
+         // we may only call C_Initialize once per native .so/.dll
+         // so keep a cache using the (non-canonicalized!) path
+         PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+         if (pkcs11 == null) {
++            boolean nssFipsMode = fipsKeyImporter != null &&
++                    fipsKeyExporter != null;
+             if ((pInitArgs != null)
+                     && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
++                if (nssFipsMode) {
++                    pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++                            fipsKeyImporter, fipsKeyExporter);
++                } else {
+                 pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++                }
++            } else {
++                if (nssFipsMode) {
++                    pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++                            functionList, fipsKeyImporter, fipsKeyExporter);
+             } else {
+                 pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+             }
++            }
+             if (omitInitialize == false) {
+                 try {
+                     pkcs11.C_Initialize(pInitArgs);
+@@ -179,6 +209,28 @@ public class PKCS11 {
+         return pkcs11;
+     }
+ 
++    /**
++     * Returns the CK_INFO structure fetched at initialization with
++     * C_GetInfo. This structure represent Cryptoki library information.
++     */
++    public CK_INFO getInfo() {
++        CK_INFO lPInfo = pInfo;
++        if (lPInfo == null) {
++            synchronized (this) {
++                lPInfo = pInfo;
++                if (lPInfo == null) {
++                    try {
++                        lPInfo = C_GetInfo();
++                        pInfo = lPInfo;
++                    } catch (PKCS11Exception e) {
++                        // Some PKCS #11 tokens require initialization first.
++                    }
++                }
++            }
++        }
++        return lPInfo;
++    }
++
+     /**
+      * Connects this object to the specified PKCS#11 library. This method is for
+      * internal use only.
+@@ -1625,7 +1677,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+ 
+     SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+-            throws IOException {
++            throws IOException, PKCS11Exception {
+         super(pkcs11ModulePath, functionListName);
+     }
+ 
+@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+         super.C_GenerateRandom(hSession, randomData);
+     }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(PKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            FIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.PKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // Creating sensitive key objects from plain key material in a
++        // FIPS-configured NSS Software Token is not allowed. We apply
++        // a key-unwrapping scheme to achieve so.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++    private MethodHandle fipsKeyImporter;
++    private MethodHandle fipsKeyExporter;
++    private MethodHandle hC_GetAttributeValue;
++    SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++            MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++                    throws IOException, PKCS11Exception {
++        super(pkcs11ModulePath, functionListName);
++        this.fipsKeyImporter = fipsKeyImporter;
++        this.fipsKeyExporter = fipsKeyExporter;
++        try {
++            hC_GetAttributeValue = MethodHandles.insertArguments(
++                    MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++                            "C_GetAttributeValue", MethodType.methodType(
++                                    void.class, long.class, long.class,
++                                    CK_ATTRIBUTE[].class),
++                            SynchronizedFIPSPKCS11.class), 0, this);
++        } catch (Throwable t) {
++            throw new RuntimeException(
++                    "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++                    "::C_GetAttributeValue method not found.", t);
++        }
++    }
++
++    public synchronized long C_CreateObject(long hSession,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        // See FIPSPKCS11::C_CreateObject.
++        if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++            try {
++                return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++                        .longValue();
++            } catch (Throwable t) {
++                if (t instanceof PKCS11Exception) {
++                    throw (PKCS11Exception)t;
++                }
++                throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                        t.getMessage());
++            }
++        }
++        return super.C_CreateObject(hSession, pTemplate);
++    }
++
++    public synchronized void C_GetAttributeValue(long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++                fipsKeyExporter, hSession, hObject, pTemplate);
++    }
++}
++
++private static class FIPSPKCS11Helper {
++    static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            if (attr.type == CKA_CLASS &&
++                    (attr.getLong() == CKO_PRIVATE_KEY ||
++                    attr.getLong() == CKO_SECRET_KEY)) {
++                return true;
++            }
++        }
++        return false;
++    }
++    static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++            MethodHandle fipsKeyExporter, long hSession, long hObject,
++            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++        Map sensitiveAttrs = new HashMap<>();
++        List nonSensitiveAttrs = new LinkedList<>();
++        FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++                sensitiveAttrs, nonSensitiveAttrs);
++        try {
++            if (sensitiveAttrs.size() > 0) {
++                long keyClass = -1L;
++                long keyType = -1L;
++                try {
++                    // Secret and private keys have both class and type
++                    // attributes, so we can query them at once.
++                    CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++                            new CK_ATTRIBUTE(CKA_CLASS),
++                            new CK_ATTRIBUTE(CKA_KEY_TYPE),
++                    };
++                    hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++                    keyClass = queryAttrs[0].getLong();
++                    keyType = queryAttrs[1].getLong();
++                } catch (PKCS11Exception e) {
++                    // If the query fails, the object is neither a secret nor a
++                    // private key. As this case won't be handled with the FIPS
++                    // Key Exporter, we keep keyClass initialized to -1L.
++                }
++                if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++                    fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++                            sensitiveAttrs);
++                    if (nonSensitiveAttrs.size() > 0) {
++                        CK_ATTRIBUTE[] pNonSensitiveAttrs =
++                                new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++                        int i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            pNonSensitiveAttrs[i++] = nonSensAttr;
++                        }
++                        hC_GetAttributeValue.invoke(hSession, hObject,
++                                pNonSensitiveAttrs);
++                        // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++                        // update the reference on the previous CK_ATTRIBUTEs
++                        i = 0;
++                        for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++                            nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++                        }
++                    }
++                    return;
++                }
++            }
++            hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++        } catch (Throwable t) {
++            if (t instanceof PKCS11Exception) {
++                throw (PKCS11Exception)t;
++            }
++            throw new PKCS11Exception(CKR_GENERAL_ERROR,
++                    t.getMessage());
++        }
++    }
++    private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++            Map sensitiveAttrs,
++            List nonSensitiveAttrs) {
++        for (CK_ATTRIBUTE attr : pTemplate) {
++            long type = attr.type;
++            // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++            if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++                    type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++                    type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++                    type == CKA_COEFFICIENT) {
++                sensitiveAttrs.put(type, attr);
++            } else {
++                nonSensitiveAttrs.add(attr);
++            }
++        }
++    }
++}
+ }
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+     public static final long  CKD_BLAKE2B_384_KDF      = 0x00000019L;
+     public static final long  CKD_BLAKE2B_512_KDF      = 0x0000001aL;
+ 
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
+-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
+-
+-    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
+-
+     public static final long  CK_OTP_VALUE            = 0x00000000L;
+     public static final long  CK_OTP_PIN              = 0x00000001L;
+     public static final long  CK_OTP_CHALLENGE        = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+     public static final long  CKF_HKDF_SALT_KEY    = 0x00000004L;
+     */
+ 
++    // PBKDF2 support, used in P11Util
++    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
++    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
++
+     // private NSS attribute (for DSA and DH private keys)
+     public static final long  CKA_NETSCAPE_DB         = 0xD5A0DB00L;
+ 
+     // base number of NSS private attributes
+     public static final long  CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+-                                                      = 0xCE534350L;
++    /*          now known as CKM_NSS ^        */      = 0xCE534350L;
+ 
+     // object type for NSS trust
+     public static final long  CKO_NETSCAPE_TRUST      = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+                                                              = 0xCE534355L;
+     public static final long  CKT_NETSCAPE_VALID             = 0xCE53435AL;
+     public static final long  CKT_NETSCAPE_VALID_DELEGATOR   = 0xCE53435BL;
++
++    // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++    public static final long  CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 29) */ = 0xCE53436DL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 30) */ = 0xCE53436EL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 31) */ = 0xCE53436FL;
++    public static final long  CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++                                        /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+         case CKM_PBE_SHA1_DES3_EDE_CBC:
+         case CKM_PBE_SHA1_DES2_EDE_CBC:
+         case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++        case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+             ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+             break;
+         case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+     // retrieve java values
+     jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+     if (jPbeParamsClass == NULL) { return NULL; }
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+     if (fieldID == NULL) { return NULL; }
+     jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+-    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++    fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ 
+     // populate using java values
+     ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+-    jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++    jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++    jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++    jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+     }
+ }
+ 
++#define PBKD2_PARAM_SET(member, value)                              \
++    do {                                                            \
++        if(ckParamPtr->version == PARAMS) {                         \
++            ckParamPtr->params.v1.member = value;                   \
++        } else {                                                    \
++            ckParamPtr->params.v2.member = value;                   \
++        }                                                           \
++    } while(0)
++
++#define PBKD2_PARAM_ADDR(member)                                    \
++    (                                                               \
++        (ckParamPtr->version == PARAMS) ?                           \
++        (void*) &ckParamPtr->params.v1.member :                     \
++        (void*) &ckParamPtr->params.v2.member                       \
++    )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+  * pointer
+  *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+  * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+  */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+-    CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++    VersionedPbkd2ParamsPtr ckParamPtr;
++    ParamVersion paramVersion;
++    CK_ULONG_PTR pUlPasswordLen;
+     jclass jPkcs5Pbkd2ParamsClass;
+     jfieldID fieldID;
+     jlong jSaltSource, jIteration, jPrf;
+-    jobject jSaltSourceData, jPrfData;
++    jobject jSaltSourceData, jPrfData, jPassword;
+ 
+     if (pLength != NULL) {
+         *pLength = 0L;
+     }
+ 
+     // retrieve java values
+-    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+-    if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++    if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS;
++    } else if ((jPkcs5Pbkd2ParamsClass =
++            (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++            && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++        paramVersion = PARAMS2;
++    } else {
++        return NULL;
++    }
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+     if (fieldID == NULL) { return NULL; }
+     jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+     if (fieldID == NULL) { return NULL; }
+     jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++    fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++    if (fieldID == NULL) { return NULL; }
++    jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+ 
+-    // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+-    ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++    // allocate memory for VersionedPbkd2Params and store the structure version
++    ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+     if (ckParamPtr == NULL) {
+         throwOutOfMemoryError(env, 0);
+         return NULL;
+     }
++    ckParamPtr->version = paramVersion;
+ 
+     // populate using java values
+-    ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+-    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++    PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++    jByteArrayToCKByteArray(env, jSaltSourceData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++            PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+-    ckParamPtr->iterations = jLongToCKULong(jIteration);
+-    ckParamPtr->prf = jLongToCKULong(jPrf);
+-    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+-            &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++    PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++    PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++    jByteArrayToCKByteArray(env, jPrfData,
++            (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++            PBKD2_PARAM_ADDR(ulPrfDataLen));
++    if ((*env)->ExceptionCheck(env)) {
++        goto cleanup;
++    }
++    if (ckParamPtr->version == PARAMS) {
++        pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++        if (pUlPasswordLen == NULL) {
++            throwOutOfMemoryError(env, 0);
++            goto cleanup;
++        }
++        ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++    } else {
++        pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++    }
++    jCharArrayToCKUTF8CharArray(env, jPassword,
++            (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++            pUlPasswordLen);
+     if ((*env)->ExceptionCheck(env)) {
+         goto cleanup;
+     }
+ 
+     if (pLength != NULL) {
+-        *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++        *pLength = (ckParamPtr->version == PARAMS ?
++            sizeof(ckParamPtr->params.v1) :
++            sizeof(ckParamPtr->params.v2));
+     }
++    // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+     return ckParamPtr;
+ cleanup:
+-    free(ckParamPtr->pSaltSourceData);
+-    free(ckParamPtr->pPrfData);
++    FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+     free(ckParamPtr);
+     return NULL;
+ 
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+                  case CKM_CAMELLIA_CTR:
+                      // params do not contain pointers
+                      break;
++                 case CKM_PKCS5_PBKD2:
++                     // get the versioned structure from behind memory
++                     TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++                             "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++                             "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++                     FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++                     break;
++                 case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++                 case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++                 case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++                     free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++                     break;
+                  default:
+                      // currently unsupported mechs by SunPKCS11 provider
+                      // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+                      // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+-                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++                     // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+                      // PBE mechs, WTLS mechs, CMS mechs,
+                      // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+                      // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+     jboolean* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+     jbyte* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+     jlong* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+     jchar* jpTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jpTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+     jchar* jTemp;
+     CK_ULONG i;
+ 
+-    if(jArray == NULL) {
++    *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++    if(*ckpLength == 0L) {
+         *ckpArray = NULL_PTR;
+-        *ckpLength = 0L;
+         return;
+     }
+-    *ckpLength = (*env)->GetArrayLength(env, jArray);
+     jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+     if (jTemp == NULL) {
+         throwOutOfMemoryError(env, 0);
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+ 
+ #define CKA_NETSCAPE_BASE                       (0x80000000 + 0x4E534350)
++/*             ^ now known as CKM_NSS   (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE                 (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH          (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH          (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB                         0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL                 0x80000373
+ 
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN  (CKA_NETSCAPE_BASE + 32)
++
+ /*
+ 
+  Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+ 
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+     jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ 
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++    union {
++        CK_PKCS5_PBKD2_PARAMS v1;
++        CK_PKCS5_PBKD2_PARAMS2 v2;
++    } params;
++    ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr)                  \
++    do {                                                            \
++        if ((verParamsPtr)->version == PARAMS) {                    \
++            free((verParamsPtr)->params.v1.pSaltSourceData);        \
++            free((verParamsPtr)->params.v1.pPrfData);               \
++            free((verParamsPtr)->params.v1.pPassword);              \
++            free((verParamsPtr)->params.v1.ulPasswordLen);          \
++        } else {                                                    \
++            free((verParamsPtr)->params.v2.pSaltSourceData);        \
++            free((verParamsPtr)->params.v2.pPrfData);               \
++            free((verParamsPtr)->params.v2.pPassword);              \
++        }                                                           \
++    } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+ 
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+ 
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+ 
+     private static final long serialVersionUID = -2279741672933606418L;
+ 
++    private static final boolean systemFipsEnabled =
++            SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++            .isSystemFipsEnabled();
++
+     private static class ProviderServiceA extends ProviderService {
+         ProviderServiceA(Provider p, String type, String algo, String cn,
+             HashMap attrs) {
+@@ -249,7 +254,7 @@ public final class SunEC extends Provider {
+ 
+         putXDHEntries();
+         putEdDSAEntries();
+-
++        if (!systemFipsEnabled) {
+         /*
+          * Signature engines
+          */
+@@ -329,6 +334,7 @@ public final class SunEC extends Provider {
+         putService(new ProviderService(this, "KeyAgreement",
+             "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+     }
++    }
+ 
+     private void putXDHEntries() {
+ 
+@@ -344,6 +350,7 @@ public final class SunEC extends Provider {
+             "X448", "sun.security.ec.XDHKeyFactory.X448",
+             ATTRS));
+ 
++        if (!systemFipsEnabled) {
+         putService(new ProviderService(this, "KeyPairGenerator",
+             "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+         putService(new ProviderServiceA(this, "KeyPairGenerator",
+@@ -362,6 +369,7 @@ public final class SunEC extends Provider {
+             "X448", "sun.security.ec.XDHKeyAgreement.X448",
+             ATTRS));
+     }
++    }
+ 
+     private void putEdDSAEntries() {
+ 
+@@ -375,6 +383,7 @@ public final class SunEC extends Provider {
+         putService(new ProviderServiceA(this, "KeyFactory",
+             "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+ 
++        if (!systemFipsEnabled) {
+         putService(new ProviderService(this, "KeyPairGenerator",
+             "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+         putService(new ProviderServiceA(this, "KeyPairGenerator",
+@@ -390,6 +399,7 @@ public final class SunEC extends Provider {
+             "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+         putService(new ProviderServiceA(this, "Signature",
+             "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++        }
+ 
+     }
+ }
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java
+@@ -0,0 +1,233 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.math.BigInteger;
++import java.security.AlgorithmParameters;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.SecureRandom;
++import java.security.Security;
++import java.util.Map;
++
++import javax.crypto.Cipher;
++import javax.crypto.SecretKey;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.interfaces.PBEKey;
++import javax.crypto.spec.IvParameterSpec;
++import javax.crypto.spec.PBEKeySpec;
++import javax.crypto.spec.PBEParameterSpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test password based encryption on SunPKCS11's Cipher service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @run main/othervm/timeout=30 PBECipher
++ */
++
++public final class PBECipher {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        PBECipher2.main(args);
++    }
++}
++
++final class PBECipher2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final byte[] iv = new byte[16];
++    private static final int iterations = 1000;
++    private static final String plainText = "This is a know plain text!";
++    private static final String sep =
++    "=========================================================================";
++
++    private static enum Configuration {
++        // Provide salt and iterations through a PBEParameterSpec instance
++        PBEParameterSpec,
++
++        // Provide salt and iterations through a AlgorithmParameters instance
++        AlgorithmParameters,
++
++        // Provide salt and iterations through an anonymous class implementing
++        // the javax.crypto.interfaces.PBEKey interface
++        AnonymousPBEKey,
++    }
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    // Generated with SunJCE
++    private static final Map assertionData = Map.of(
++            "PBEWithHmacSHA1AndAES_128", new BigInteger("8eebe98a580fb09d026" +
++                    "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16),
++            "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" +
++                    "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16),
++            "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" +
++                    "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16),
++            "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" +
++                    "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16),
++            "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" +
++                    "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16),
++            "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" +
++                    "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16),
++            "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" +
++                    "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16),
++            "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" +
++                    "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16),
++            "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" +
++                    "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16),
++            "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" +
++                    "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16)
++            );
++
++    private static final class NoRandom extends SecureRandom {
++        @Override
++        public void nextBytes(byte[] bytes) {
++            return;
++        }
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        for (Configuration conf : Configuration.values()) {
++            testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf);
++            testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private void testWith(Provider sunPKCS11, String algorithm,
++            Configuration conf) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm
++                + " (with " + conf.name() + ")");
++
++        Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf);
++        BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal(
++                plainText.getBytes()));
++        printByteArray("Cipher Text", cipherText);
++
++        BigInteger expectedCipherText = null;
++        if (sunJCE != null) {
++            Cipher c = getCipher(sunJCE, algorithm, conf);
++            if (c != null) {
++                expectedCipherText = new BigInteger(1, c.doFinal(
++                        plainText.getBytes()));
++            } else {
++                // Move to assertionData as it's unlikely that any of
++                // the algorithms are available.
++                sunJCE = null;
++            }
++        }
++        if (expectedCipherText == null) {
++            // If SunJCE or the algorithm are not available, assertionData
++            // is used instead.
++            expectedCipherText = assertionData.get(algorithm);
++        }
++
++        if (!cipherText.equals(expectedCipherText)) {
++            printByteArray("Expected Cipher Text", expectedCipherText);
++            throw new Exception("Expected Cipher Text did not match");
++        }
++    }
++
++    private Cipher getCipher(Provider p, String algorithm,
++            Configuration conf) throws Exception {
++        Cipher pbeCipher = null;
++        try {
++            pbeCipher = Cipher.getInstance(algorithm, p);
++        } catch (NoSuchAlgorithmException e) {
++            return null;
++        }
++        switch (conf) {
++            case PBEParameterSpec, AlgorithmParameters -> {
++                SecretKey key = getPasswordOnlyPBEKey();
++                PBEParameterSpec paramSpec = new PBEParameterSpec(
++                        salt, iterations, new IvParameterSpec(iv));
++                switch (conf) {
++                    case PBEParameterSpec -> {
++                        pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec);
++                    }
++                    case AlgorithmParameters -> {
++                        AlgorithmParameters algoParams =
++                                AlgorithmParameters.getInstance("PBES2");
++                        algoParams.init(paramSpec);
++                        pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams);
++                    }
++                }
++            }
++            case AnonymousPBEKey -> {
++                SecretKey key = getPasswordSaltIterationsPBEKey();
++                pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom());
++            }
++        }
++        return pbeCipher;
++    }
++
++    private static SecretKey getPasswordOnlyPBEKey() throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password);
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
++        SecretKey skey = skFac.generateSecret(keySpec);
++        keySpec.clearPassword();
++        return skey;
++    }
++
++    private static SecretKey getPasswordSaltIterationsPBEKey() {
++        return new PBEKey() {
++            public byte[] getSalt() { return salt.clone(); }
++            public int getIterationCount() { return iterations; }
++            public String getAlgorithm() { return "PBE"; }
++            public String getFormat() { return "RAW"; }
++            public char[] getPassword() { return null; } // unused in PBE Cipher
++            public byte[] getEncoded() {
++                byte[] passwdBytes = new byte[password.length];
++                for (int i = 0; i < password.length; i++)
++                    passwdBytes[i] = (byte) (password[i] & 0x7f);
++                return passwdBytes;
++            }
++        };
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        PBECipher2 test = new PBECipher2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java
+@@ -0,0 +1,137 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.security.Key;
++import java.security.KeyStore;
++import java.security.KeyStoreException;
++import java.security.MessageDigest;
++import java.security.Provider;
++import java.security.Security;
++
++import javax.crypto.spec.SecretKeySpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test SunPKCS11's password based privacy and integrity
++ *          applied to PKCS#12 keystores
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @modules java.base/sun.security.util
++ * @run main/othervm/timeout=30 -Dcom.suse.fips=false -DNO_DEFAULT=true ImportKeyToP12
++ */
++
++public final class ImportKeyToP12 {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        ImportKeyToP122.main(args);
++    }
++}
++
++final class ImportKeyToP122 extends PKCS11Test {
++    private static final String alias = "alias";
++    private static final char[] password = "123456".toCharArray();
++    private static final Key key = new SecretKeySpec(new byte[] {
++            0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,
++            0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES");
++    private static final String[] pbeCipherAlgs = new String[] {
++            "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128",
++            "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128",
++            "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256",
++            "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256",
++            "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256"
++    };
++    private static final String[] pbeMacAlgs = new String[] {
++            "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256",
++            "HmacPBESHA384", "HmacPBESHA512"
++    };
++    private static final KeyStore p12;
++    private static final String sep =
++    "=========================================================================";
++
++    static {
++        KeyStore tP12 = null;
++        try {
++            tP12 = KeyStore.getInstance("PKCS12");
++        } catch (KeyStoreException e) {}
++        p12 = tP12;
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        // Test all privacy PBE algorithms with an integrity algorithm fixed
++        for (String pbeCipherAlg : pbeCipherAlgs) {
++            testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]);
++        }
++        // Test all integrity PBE algorithms with a privacy algorithm fixed
++        for (String pbeMacAlg : pbeMacAlgs) {
++            testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    /*
++     * Consistency test: 1) store a secret key in a PKCS#12 keystore using
++     * PBE algorithms from SunPKCS11 and, 2) read the secret key from the
++     * PKCS#12 keystore using PBE algorithms from other security providers
++     * such as SunJCE.
++     */
++    private void testWith(Provider sunPKCS11, String pbeCipherAlg,
++            String pbeMacAlg) throws Exception {
++        System.out.println(sep + System.lineSeparator() +
++                "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() +
++                "Mac PBE: " + pbeMacAlg);
++
++        System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg);
++        System.setProperty("keystore.pkcs12.keyProtectionAlgorithm",
++                pbeCipherAlg);
++
++        // Create an empty PKCS#12 keystore
++        ByteArrayOutputStream baos = new ByteArrayOutputStream();
++        p12.load(null, password);
++
++        // Use PBE privacy and integrity algorithms from SunPKCS11 to store
++        // the secret key
++        Security.insertProviderAt(sunPKCS11, 1);
++        p12.setKeyEntry(alias, key, password, null);
++        p12.store(baos, password);
++
++        // Use PBE privacy and integrity algorithms from other security
++        // providers, such as SunJCE, to read the secret key
++        Security.removeProvider(sunPKCS11.getName());
++        p12.load(new ByteArrayInputStream(baos.toByteArray()), password);
++        Key k = p12.getKey(alias, password);
++
++        if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) {
++            throw new Exception("Keys differ. Consistency check failed.");
++        }
++        System.out.println("Secret key import successful" + System.lineSeparator() + sep);
++    }
++
++    public static void main(String[] args) throws Exception {
++        main(new ImportKeyToP122());
++    }
++}
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java
+@@ -0,0 +1,187 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.math.BigInteger;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Map;
++
++import javax.crypto.Mac;
++import javax.crypto.SecretKey;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.interfaces.PBEKey;
++import javax.crypto.spec.PBEKeySpec;
++import javax.crypto.spec.PBEParameterSpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test password based authentication on SunPKCS11's Mac service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @run main/othervm/timeout=30 PBAMac
++ */
++
++public final class PBAMac {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        PBAMac2.main(args);
++    }
++}
++
++final class PBAMac2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final int iterations = 1000;
++    private static final String plainText = "This is a know plain text!";
++    private static final String sep =
++    "=========================================================================";
++
++    private static enum Configuration {
++        // Provide salt & iterations through a PBEParameterSpec instance
++        PBEParameterSpec,
++
++        // Provide salt & iterations through an anonymous class implementing
++        // the javax.crypto.interfaces.PBEKey interface
++        AnonymousPBEKey,
++    }
++
++    // Generated with SunJCE
++    private static final Map assertionData = Map.of(
++            "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" +
++                    "e2c9c41c", 16),
++            "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" +
++                    "bd45f8ec326bcf16e09699063", 16),
++            "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" +
++                    "8ff64376fcf6af8d1dca3ec688dfada5c8", 16),
++            "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" +
++                    "a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" +
++                    "35f202cc3452", 16),
++            "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" +
++                    "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" +
++                    "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16)
++            );
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        for (Configuration conf : Configuration.values()) {
++            testWith(sunPKCS11, "HmacPBESHA1", conf);
++            testWith(sunPKCS11, "HmacPBESHA224", conf);
++            testWith(sunPKCS11, "HmacPBESHA256", conf);
++            testWith(sunPKCS11, "HmacPBESHA384", conf);
++            testWith(sunPKCS11, "HmacPBESHA512", conf);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private void testWith(Provider sunPKCS11, String algorithm,
++            Configuration conf) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm
++                + " (with " + conf.name() + ")");
++
++        BigInteger macResult = computeMac(sunPKCS11, algorithm, conf);
++        printByteArray("HMAC Result", macResult);
++
++        BigInteger expectedMacResult = computeExpectedMac(algorithm, conf);
++
++        if (!macResult.equals(expectedMacResult)) {
++            printByteArray("Expected HMAC Result", expectedMacResult);
++            throw new Exception("Expected HMAC Result did not match");
++        }
++    }
++
++    private BigInteger computeMac(Provider p, String algorithm,
++            Configuration conf) throws Exception {
++        Mac pbaMac;
++        try {
++            pbaMac = Mac.getInstance(algorithm, p);
++        } catch (NoSuchAlgorithmException e) {
++            return null;
++        }
++        switch (conf) {
++            case PBEParameterSpec -> {
++                SecretKey key = getPasswordOnlyPBEKey();
++                pbaMac.init(key, new PBEParameterSpec(salt, iterations));
++            }
++            case AnonymousPBEKey -> {
++                SecretKey key = getPasswordSaltIterationsPBEKey();
++                pbaMac.init(key);
++            }
++        }
++        return new BigInteger(1, pbaMac.doFinal(plainText.getBytes()));
++    }
++
++    private BigInteger computeExpectedMac(String algorithm, Configuration conf)
++            throws Exception {
++        if (sunJCE != null) {
++            BigInteger macResult = computeMac(sunJCE, algorithm, conf);
++            if (macResult != null) {
++                return macResult;
++            }
++            // Move to assertionData as it's unlikely that any of
++            // the algorithms are available.
++            sunJCE = null;
++        }
++        // If SunJCE or the algorithm are not available, assertionData
++        // is used instead.
++        return assertionData.get(algorithm);
++    }
++
++    private static SecretKey getPasswordOnlyPBEKey() throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password);
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE");
++        SecretKey skey = skFac.generateSecret(keySpec);
++        keySpec.clearPassword();
++        return skey;
++    }
++
++    private static SecretKey getPasswordSaltIterationsPBEKey() {
++        return new PBEKey() {
++            public byte[] getSalt() { return salt.clone(); }
++            public int getIterationCount() { return iterations; }
++            public String getAlgorithm() { return "PBE"; }
++            public String getFormat() { return "RAW"; }
++            public char[] getPassword() { return password.clone(); }
++            public byte[] getEncoded() { return null; } // unused in PBA Mac
++        };
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        PBAMac2 test = new PBAMac2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java
+@@ -0,0 +1,296 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Field;
++import java.lang.reflect.Method;
++import java.math.BigInteger;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.PBEKeySpec;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary test key derivation on SunPKCS11's SecretKeyFactory service
++ * @requires (jdk.version.major >= 8)
++ * @library /test/lib ..
++ * @modules java.base/com.sun.crypto.provider:open
++ * @run main/othervm/timeout=30 TestPBKD
++ */
++
++public final class TestPBKD {
++    public static void main(String[] args) throws Exception {
++        java.security.Security.getProviders();
++        TestPBKD2.main(args);
++    }
++}
++
++final class TestPBKD2 extends PKCS11Test {
++    private static final char[] password = "123456".toCharArray();
++    private static final byte[] salt = "abcdefgh".getBytes();
++    private static final int iterations = 1000;
++    private static final String sep =
++    "=========================================================================";
++
++    private static Provider sunJCE = Security.getProvider("SunJCE");
++
++    // Generated with SunJCE
++    private static final Map assertionData =
++            new HashMap<>() {{
++                put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" +
++                        "2fa3facc62e7694", 16));
++                put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" +
++                        "8d283d0afa8fc1d3d227fcb9236c3a035", 16));
++                put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" +
++                        "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16));
++                put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" +
++                        "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" +
++                        "741e411de21add8b5718a8", 16));
++                put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" +
++                        "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" +
++                        "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" +
++                        "e52", 16));
++                put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" +
++                        "244d4d56bf7ec8dd61dd7", 16));
++                put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" +
++                        "df7c355f3b424233a9f24c2", 16));
++                put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" +
++                        "1b4f6baac8f62ff6f22bfb1", 16));
++                put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" +
++                        "d6db88858988ec00153847d", 16));
++                put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" +
++                        "6a4bd5ebea892cd9a7f5043", 16));
++                put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" +
++                        "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" +
++                        "98", 16));
++                put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" +
++                        "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" +
++                        "f64d", 16));
++                put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" +
++                        "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" +
++                        "ab08", 16));
++                put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" +
++                        "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" +
++                        "b356", 16));
++                put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" +
++                        "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" +
++                        "5482", 16));
++                put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" +
++                        "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16));
++                put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" +
++                        "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" +
++                        "736ec1c69eef1c7b2", 16));
++                put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" +
++                        "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" +
++                        "add9db34a42ceb2fea8d27adc00f4", 16));
++                put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" +
++                        "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" +
++                        "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" +
++                        "c99580e2613846b3919af637da", 16));
++                put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" +
++                        "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" +
++                        "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" +
++                        "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" +
++                        "c6c11a4f14649b50d0ade3a", 16));
++                }};
++
++    static interface AssertData {
++        BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception;
++    }
++
++    static final class P12PBKDAssertData implements AssertData {
++        private final int outLen;
++        private final String kdfAlgo;
++        private final int blockLen;
++
++        P12PBKDAssertData(int outLen, String kdfAlgo, int blockLen) {
++            this.outLen = outLen;
++            this.kdfAlgo = kdfAlgo;
++            this.blockLen = blockLen;
++        }
++
++        @Override
++        public BigInteger derive(String pbAlgo, PBEKeySpec keySpec)
++                throws Exception {
++            // Since we need to access an internal SunJCE API, we use reflection
++            Class PKCS12PBECipherCore = Class.forName(
++                    "com.sun.crypto.provider.PKCS12PBECipherCore");
++
++            Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY");
++            macKeyField.setAccessible(true);
++            int MAC_KEY = (int) macKeyField.get(null);
++
++            Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod(
++                    "derive", char[].class, byte[].class, int.class,
++                    int.class, int.class, String.class, int.class);
++            deriveMethod.setAccessible(true);
++
++            return new BigInteger(1, (byte[]) deriveMethod.invoke(null,
++                    keySpec.getPassword(), keySpec.getSalt(),
++                    keySpec.getIterationCount(), this.outLen,
++                    MAC_KEY, this.kdfAlgo, this.blockLen));
++        }
++    }
++
++    static final class PBKD2AssertData implements AssertData {
++        private final String kdfAlgo;
++        private final int keyLen;
++
++        PBKD2AssertData(String kdfAlgo, int keyLen) {
++            // Key length is pinned by the algorithm name (not kdfAlgo,
++            // but the algorithm under test: PBEWithHmacSHA*AndAES_*)
++            this.kdfAlgo = kdfAlgo;
++            this.keyLen = keyLen;
++        }
++
++        PBKD2AssertData(String kdfAlgo) {
++            // Key length is variable for the algorithm under test
++            // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*)
++            this(kdfAlgo, -1);
++        }
++
++        @Override
++        public BigInteger derive(String pbAlgo, PBEKeySpec keySpec)
++                throws Exception {
++            if (this.keyLen != -1) {
++                keySpec = new PBEKeySpec(
++                        keySpec.getPassword(), keySpec.getSalt(),
++                        keySpec.getIterationCount(), this.keyLen);
++            }
++            if (sunJCE != null) {
++                try {
++                    return new BigInteger(1, SecretKeyFactory.getInstance(
++                            this.kdfAlgo, sunJCE).generateSecret(keySpec)
++                            .getEncoded());
++                } catch (NoSuchAlgorithmException e) {
++                    // Move to assertionData as it's unlikely that any of
++                    // the algorithms are available.
++                    sunJCE = null;
++                }
++            }
++            // If SunJCE or the algorithm are not available, assertionData
++            // is used instead.
++            return assertionData.get(pbAlgo);
++        }
++    }
++
++    public void main(Provider sunPKCS11) throws Exception {
++        System.out.println("SunPKCS11: " + sunPKCS11.getName());
++        testWith(sunPKCS11, "HmacPBESHA1",
++                new P12PBKDAssertData(20, "SHA-1", 64));
++        testWith(sunPKCS11, "HmacPBESHA224",
++                new P12PBKDAssertData(28, "SHA-224", 64));
++        testWith(sunPKCS11, "HmacPBESHA256",
++                new P12PBKDAssertData(32, "SHA-256", 64));
++        testWith(sunPKCS11, "HmacPBESHA384",
++                new P12PBKDAssertData(48, "SHA-384", 128));
++        testWith(sunPKCS11, "HmacPBESHA512",
++                new P12PBKDAssertData(64, "SHA-512", 128));
++
++        testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA1", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA224", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA256", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA384", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128",
++                new PBKD2AssertData("PBKDF2WithHmacSHA512", 128));
++        testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA1", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA224", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA256", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA384", 256));
++        testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256",
++                new PBKD2AssertData("PBKDF2WithHmacSHA512", 256));
++
++        // Use 1,5 * digest size as the testing derived key length (in bits)
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240,
++                new PBKD2AssertData("PBKDF2WithHmacSHA1"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336,
++                new PBKD2AssertData("PBKDF2WithHmacSHA224"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384,
++                new PBKD2AssertData("PBKDF2WithHmacSHA256"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576,
++                new PBKD2AssertData("PBKDF2WithHmacSHA384"));
++        testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768,
++                new PBKD2AssertData("PBKDF2WithHmacSHA512"));
++
++        System.out.println("TEST PASS - OK");
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            AssertData assertData) throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations);
++        testWith(sunPKCS11, algorithm, keySpec, assertData);
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            int keyLen, AssertData assertData) throws Exception {
++        PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen);
++        testWith(sunPKCS11, algorithm, keySpec, assertData);
++    }
++
++    private static void testWith(Provider sunPKCS11, String algorithm,
++            PBEKeySpec keySpec, AssertData assertData) throws Exception {
++        System.out.println(sep + System.lineSeparator() + algorithm);
++
++        SecretKeyFactory skFac = SecretKeyFactory.getInstance(
++                algorithm, sunPKCS11);
++        BigInteger derivedKey = new BigInteger(1,
++                skFac.generateSecret(keySpec).getEncoded());
++        printByteArray("Derived Key", derivedKey);
++
++        BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec);
++
++        if (!derivedKey.equals(expectedDerivedKey)) {
++            printByteArray("Expected Derived Key", expectedDerivedKey);
++            throw new Exception("Expected Derived Key did not match");
++        }
++    }
++
++    private static void printByteArray(String title, BigInteger b) {
++        String repr = (b == null) ? "buffer is null" : b.toString(16);
++        System.out.println(title + ": " + repr + System.lineSeparator());
++    }
++
++    public static void main(String[] args) throws Exception {
++        TestPBKD2 test = new TestPBKD2();
++        Provider p = Security.getProvider("SunPKCS11-NSS-FIPS");
++        if (p != null) {
++            test.main(p);
++        } else {
++            main(test);
++        }
++    }
++}
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java
+@@ -0,0 +1,349 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.lang.reflect.Method;
++import java.nio.charset.StandardCharsets;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.security.KeyStore;
++import java.security.Provider;
++import java.security.Security;
++import java.util.Arrays;
++import java.util.function.Consumer;
++import java.util.List;
++import javax.crypto.Cipher;
++import javax.crypto.spec.SecretKeySpec;
++
++import jdk.test.lib.process.Proc;
++import jdk.test.lib.util.FileUtils;
++
++/*
++ * @test
++ * @bug 9999999
++ * @summary
++ *   Test that the fips.nssdb.path and fips.nssdb.pin properties can be used
++ *   for a successful login into an NSS DB. Some additional unitary testing
++ *   is then performed. This test depends on NSS modutil and must be run in
++ *   FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available).
++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open
++ * @library /test/lib
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=600 NssdbPin
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class NssdbPin {
++
++    // Public properties and names
++    private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
++    private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin";
++    private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS";
++    private static final String NSSDB_TOKEN_NAME =
++            "NSS FIPS 140-2 Certificate DB";
++
++    // Data to be tested
++    private static final String[] PINS_TO_TEST =
++            new String[] {
++                    "",
++                    "1234567890abcdef1234567890ABCDEF\uA4F7"
++            };
++    private static enum PropType { SYSTEM, SECURITY }
++    private static enum LoginType { IMPLICIT, EXPLICIT }
++
++    // Internal test fields
++    private static final boolean DEBUG = true;
++    private static class TestContext {
++        String pin;
++        PropType propType;
++        Path workspace;
++        String nssdbPath;
++        Path nssdbPinFile;
++        LoginType loginType;
++        TestContext(String pin, Path workspace) {
++            this.pin = pin;
++            this.workspace = workspace;
++            this.nssdbPath = "sql:" + workspace;
++            this.loginType = LoginType.IMPLICIT;
++        }
++    }
++
++    public static void main(String[] args) throws Throwable {
++        if (args.length == 3) {
++            // Executed by a child process.
++            mainChild(args[0], args[1], LoginType.valueOf(args[2]));
++        } else if (args.length == 0) {
++            // Executed by the parent process.
++            mainLauncher();
++            // Test defaults
++            mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT);
++            System.out.println("TEST PASS - OK");
++        } else {
++            throw new Exception("Unexpected number of arguments.");
++        }
++    }
++
++    private static void mainChild(String expectedPath, String expectedPin,
++            LoginType loginType) throws Throwable {
++        if (DEBUG) {
++            for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP,
++                    FIPS_NSSDB_PIN_PROP)) {
++                System.out.println(prop + " (System): " +
++                        System.getProperty(prop));
++                System.out.println(prop + " (Security): " +
++                        Security.getProperty(prop));
++            }
++        }
++
++        /*
++         * Functional cross-test against an NSS DB generated by modutil
++         * with the same PIN. Check that we can perform a crypto operation
++         * that requires a login. The login might be explicit or implicit.
++         */
++        Provider p = Security.getProvider(FIPS_PROVIDER_NAME);
++        if (DEBUG) {
++            System.out.println(FIPS_PROVIDER_NAME + ": " + p);
++        }
++        if (p == null) {
++            throw new Exception(FIPS_PROVIDER_NAME + " initialization failed.");
++        }
++        if (DEBUG) {
++            System.out.println("Login type: " + loginType);
++        }
++        if (loginType == LoginType.EXPLICIT) {
++            // Do the expansion to account for truncation, so C_Login in
++            // the NSS Software Token gets a UTF-8 encoded PIN.
++            byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8);
++            char[] pinChar = new char[pinUtf8.length];
++            for (int i = 0; i < pinChar.length; i++) {
++                pinChar[i] = (char)(pinUtf8[i] & 0xFF);
++            }
++            KeyStore.getInstance("PKCS11", p).load(null, pinChar);
++            if (DEBUG) {
++                System.out.println("Explicit login succeeded.");
++            }
++        }
++        if (DEBUG) {
++            System.out.println("Trying a crypto operation...");
++        }
++        final int blockSize = 16;
++        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p);
++        cipher.init(Cipher.ENCRYPT_MODE,
++                new SecretKeySpec(new byte[blockSize], "AES"));
++        if (cipher.doFinal(new byte[blockSize]).length != blockSize) {
++            throw new Exception("Could not perform a crypto operation.");
++        }
++        if (DEBUG) {
++            if (loginType == LoginType.IMPLICIT) {
++                System.out.println("Implicit login succeeded.");
++            }
++            System.out.println("Crypto operation after login succeeded.");
++        }
++
++        if (loginType == LoginType.IMPLICIT) {
++            /*
++             * Additional unitary testing. Expected to succeed at this point.
++             */
++            if (DEBUG) {
++                System.out.println("Trying unitary test...");
++            }
++            String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP);
++            if (DEBUG) {
++                System.out.println("Path value (as a System property): " +
++                        sysPathProp);
++            }
++            if (!expectedPath.equals(sysPathProp)) {
++                throw new Exception("Path is different than expected: " +
++                        sysPathProp + " (actual) vs " + expectedPath +
++                        " (expected).");
++            }
++            Class c = Class
++                    .forName("sun.security.pkcs11.FIPSTokenLoginHandler");
++            Method m = c.getDeclaredMethod("getFipsNssdbPin");
++            m.setAccessible(true);
++            String pin = null;
++            char[] pinChar = (char[]) m.invoke(c);
++            if (pinChar != null) {
++                byte[] pinUtf8 = new byte[pinChar.length];
++                for (int i = 0; i < pinUtf8.length; i++) {
++                    pinUtf8[i] = (byte) pinChar[i];
++                }
++                pin = new String(pinUtf8, StandardCharsets.UTF_8);
++            }
++            if (!expectedPin.isEmpty() && !expectedPin.equals(pin) ||
++                    expectedPin.isEmpty() && pin != null) {
++                throw new Exception("PIN is different than expected: '" + pin +
++                         "' (actual) vs '" + expectedPin + "' (expected).");
++            }
++            if (DEBUG) {
++                System.out.println("PIN value: " + pin);
++                System.out.println("Unitary test succeeded.");
++            }
++        }
++    }
++
++    private static void mainLauncher() throws Throwable {
++        for (String pin : PINS_TO_TEST) {
++            Path workspace = Files.createTempDirectory(null);
++            try {
++                TestContext ctx = new TestContext(pin, workspace);
++                createNSSDB(ctx);
++                {
++                    ctx.loginType = LoginType.IMPLICIT;
++                    for (PropType propType : PropType.values()) {
++                        ctx.propType = propType;
++                        pinLauncher(ctx);
++                        envLauncher(ctx);
++                        fileLauncher(ctx);
++                    }
++                }
++                explicitLoginLauncher(ctx);
++            } finally {
++                FileUtils.deleteFileTreeWithRetry(workspace);
++            }
++        }
++    }
++
++    private static void pinLauncher(TestContext ctx) throws Throwable {
++        launchTest(p -> {}, "pin:" + ctx.pin, ctx);
++    }
++
++    private static void envLauncher(TestContext ctx) throws Throwable {
++        final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR";
++        launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin),
++                "env:" + NSSDB_PIN_ENV_VAR, ctx);
++    }
++
++    private static void fileLauncher(TestContext ctx) throws Throwable {
++        // The file containing the PIN (ctx.nssdbPinFile) was created by the
++        // generatePinFile method, called from createNSSDB.
++        launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx);
++    }
++
++    private static void explicitLoginLauncher(TestContext ctx)
++            throws Throwable {
++        ctx.loginType = LoginType.EXPLICIT;
++        ctx.propType = PropType.SYSTEM;
++        launchTest(p -> {}, "Invalid PIN, must be ignored", ctx);
++    }
++
++    private static void launchTest(Consumer procCb, String pinPropVal,
++            TestContext ctx) throws Throwable {
++        if (DEBUG) {
++            System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP +
++                    "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP +
++                    "=" + pinPropVal);
++        }
++        Proc p = Proc.create(NssdbPin.class.getName())
++                .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name());
++        if (ctx.propType == PropType.SYSTEM) {
++            p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++            p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++            // Make sure that Security properties defaults are not used.
++            p.secprop(FIPS_NSSDB_PATH_PROP, "");
++            p.secprop(FIPS_NSSDB_PIN_PROP, "");
++        } else if (ctx.propType == PropType.SECURITY) {
++            p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath);
++            pinPropVal = escapeForPropsFile(pinPropVal);
++            p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal);
++        } else {
++            throw new Exception("Unsupported property type.");
++        }
++        if (DEBUG) {
++            p.inheritIO();
++            p.prop("java.security.debug", "sunpkcs11");
++            p.debug(NssdbPin.class.getName());
++
++            // Need the launched process to connect to a debugger?
++            //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" +
++            //         "transport=dt_socket,address=localhost:8000,suspend=y");
++        } else {
++            p.nodump();
++        }
++        procCb.accept(p);
++        p.start().waitFor(0);
++    }
++
++    private static String escapeForPropsFile(String str) throws Throwable {
++        StringBuffer sb = new StringBuffer();
++        for (int i = 0; i < str.length(); i++) {
++            int cp = str.codePointAt(i);
++            if (Character.UnicodeBlock.of(cp)
++                    == Character.UnicodeBlock.BASIC_LATIN) {
++                sb.append(Character.toChars(cp));
++            } else {
++                sb.append("\\u").append(String.format("%04X", cp));
++            }
++        }
++        return sb.toString();
++    }
++
++    private static void createNSSDB(TestContext ctx) throws Throwable {
++        ProcessBuilder pb = getModutilPB(ctx, "-create");
++        if (DEBUG) {
++            System.out.println("Creating an NSS DB in " + ctx.workspace +
++                    "...");
++            System.out.println("cmd: " + String.join(" ", pb.command()));
++        }
++        if (pb.start().waitFor() != 0) {
++            throw new Exception("NSS DB creation failed.");
++        }
++        generatePinFile(ctx);
++        pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME,
++                "-newpwfile", ctx.nssdbPinFile.toString());
++        if (DEBUG) {
++            System.out.println("NSS DB created.");
++            System.out.println("Changing NSS DB PIN...");
++            System.out.println("cmd: " + String.join(" ", pb.command()));
++        }
++        if (pb.start().waitFor() != 0) {
++            throw new Exception("NSS DB PIN change failed.");
++        }
++        if (DEBUG) {
++            System.out.println("NSS DB PIN changed.");
++        }
++    }
++
++    private static ProcessBuilder getModutilPB(TestContext ctx, String... args)
++            throws Throwable {
++        ProcessBuilder pb = new ProcessBuilder("modutil", "-force");
++        List pbCommand = pb.command();
++        if (args != null) {
++            pbCommand.addAll(Arrays.asList(args));
++        }
++        pbCommand.add("-dbdir");
++        pbCommand.add(ctx.nssdbPath);
++        if (DEBUG) {
++            pb.inheritIO();
++        } else {
++            pb.redirectError(ProcessBuilder.Redirect.INHERIT);
++        }
++        return pb;
++    }
++
++    private static void generatePinFile(TestContext ctx) throws Throwable {
++        ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null);
++        Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() +
++                "2nd line with garbage");
++    }
++}
+--- /dev/null
++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java
+@@ -0,0 +1,77 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++import java.security.Provider;
++import java.security.Security;
++
++/*
++ * @test
++ * @bug 9999999
++ * @requires (jdk.version.major >= 8)
++ * @run main/othervm/timeout=30 VerifyMissingAttributes
++ * @author Martin Balao (mbalao@redhat.com)
++ */
++
++public final class VerifyMissingAttributes {
++
++    private static final String[] svcAlgImplementedIn = {
++            "AlgorithmParameterGenerator.DSA",
++            "AlgorithmParameters.DSA",
++            "CertificateFactory.X.509",
++            "KeyStore.JKS",
++            "KeyStore.CaseExactJKS",
++            "KeyStore.DKS",
++            "CertStore.Collection",
++            "CertStore.com.sun.security.IndexedCollection"
++    };
++
++    public static void main(String[] args) throws Throwable {
++        Provider sunProvider = Security.getProvider("SUN");
++        for (String svcAlg : svcAlgImplementedIn) {
++            String filter = svcAlg + " ImplementedIn:Software";
++            doQuery(sunProvider, filter);
++        }
++        if (Double.parseDouble(
++                System.getProperty("java.specification.version")) >= 17) {
++            String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" +
++                    "java.security.interfaces.RSAPublicKey" +
++                    "|java.security.interfaces.RSAPrivateKey";
++            doQuery(Security.getProvider("SunRsaSign"), filter);
++        }
++        System.out.println("TEST PASS - OK");
++    }
++
++    private static void doQuery(Provider expectedProvider, String filter)
++            throws Exception {
++        if (expectedProvider == null) {
++            throw new Exception("Provider not found.");
++        }
++        Provider[] providers = Security.getProviders(filter);
++        if (providers == null || providers.length != 1 ||
++                providers[0] != expectedProvider) {
++            throw new Exception("Failure retrieving the provider with this" +
++                    " query: " + filter);
++        }
++    }
++}
+-- 
+2.45.2
+
diff --git a/implicit-pointer-decl.patch b/implicit-pointer-decl.patch
new file mode 100644
index 0000000..4365b43
--- /dev/null
+++ b/implicit-pointer-decl.patch
@@ -0,0 +1,10 @@
+--- jdk10/src/java.instrument/share/native/libinstrument/JarFacade.c	2014-10-02 10:59:00.105666221 +0200
++++ jdk10/src/java.instrument/share/native/libinstrument/JarFacade.c	2014-10-02 11:59:03.355452975 +0200
+@@ -23,6 +23,7 @@
+  * questions.
+  */
+ 
++#include 
+ #include 
+ #include 
+ 
diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes
new file mode 100644
index 0000000..bd5069c
--- /dev/null
+++ b/java-17-openjdk.changes
@@ -0,0 +1,6108 @@
+-------------------------------------------------------------------
+Fri Nov  1 11:13:53 UTC 2024 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.13+11 (October 2024 CPU)
+  * Security fixes
+    + JDK-8307383: Enhance DTLS connections
+    + JDK-8290367, JDK-8332643: Update default value and extend the
+      scope of com.sun.jndi.ldap.object.trustSerialData system
+      property
+    + JDK-8328286, CVE-2024-21208, bsc#1231702: Enhance HTTP client
+    + JDK-8328544, CVE-2024-21210, bsc#1231711: Improve handling of
+      vectorization
+    + JDK-8328726: Better Kerberos support
+    + JDK-8331446, CVE-2024-21217, bsc#1231716: Improve
+      deserialization support
+    + JDK-8332644, CVE-2024-21235, bsc#1231719: Improve graph
+      optimizations
+    + JDK-8335713: Enhance vectorization analysis
+  * Other changes
+    + JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/
+      /ReadLongZipFileName.java leaks files if it fails
+    + JDK-7026262: HttpServer: improve handling of finished HTTP
+      exchanges
+    + JDK-7124313: [macosx] Swing Popups should overlap taskbar
+    + JDK-8005885: enhance PrintCodeCache to print more data
+    + JDK-8051959: Add thread and timestamp options to
+      java.security.debug system property
+    + JDK-8170817: G1: Returning MinTLABSize from
+      unsafe_max_tlab_alloc causes TLAB flapping
+    + JDK-8183227: read/write APIs in class os shall return ssize_t
+    + JDK-8193547: Regression automated test '/open/test/jdk/java/
+      /awt/Toolkit/DesktopProperties/rfe4758438.java' fails
+    + JDK-8222884: ConcurrentClassDescLookup.java times out
+      intermittently
+    + JDK-8233725: ProcessTools.startProcess() has output issues
+      when using an OutputAnalyzer at the same time
+    + JDK-8238169: BasicDirectoryModel getDirectories and
+      DoChangeContents.run can deadlock
+    + JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due
+      to "BindException: Address already in use"
+    + JDK-8255898: Test java/awt/FileDialog/FilenameFilterTest/
+      /FilenameFilterTest.java fails on Mac OS
+    + JDK-8256291: RunThese30M fails "assert(_class_unload ? true :
+      ((((JfrTraceIdBits::load(class_loader_klass)) &
+      ((1 << 4) << 8)) != 0))) failed: invariant"
+    + JDK-8257540: javax/swing/JFileChooser/8041694/bug8041694.java
+      failed with "RuntimeException: The selected directory name is
+      not the expected 'd ' but 'D '."
+    + JDK-8259866: two java.util tests failed with "IOException:
+      There is not enough space on the disk"
+    + JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/
+      /MouseEventAfterStartDragTest.html test failed
+    + JDK-8261433: Better pkcs11 performance for
+      libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
+    + JDK-8263031: HttpClient throws Exception if it receives a
+      Push Promise that is too large
+    + JDK-8265919: RunThese30M fails
+      "assert((!(((((JfrTraceIdBits::load(value)) & ((1 << 4) << 8))
+      != 0))))) failed: invariant"
+    + JDK-8269428: java/util/concurrent/ConcurrentHashMap/
+      /ToArray.java timed out
+    + JDK-8269657: Test java/nio/channels/DatagramChannel/
+      /Loopback.java failed: Unexpected message
+    + JDK-8272232: javax/swing/JTable/4275046/bug4275046.java
+      failed with "Expected value in the cell: 'rededited' but found
+      'redEDITED'."
+    + JDK-8272558: IR Test Framework README misses some flags
+    + JDK-8272777: Clean up remaining AccessController warnings in
+      test library
+    + JDK-8273216: JCMD does not work across container boundaries
+      with Podman
+    + JDK-8273430: Suspicious duplicate condition in
+      java.util.regex.Grapheme#isExcludedSpacingMark
+    + JDK-8273541: Cleaner Thread creates with normal priority
+      instead of MAX_PRIORITY - 2
+    + JDK-8275851: Deproblemlist open/test/jdk/javax/swing/
+      /JComponent/6683775/bug6683775.java
+    + JDK-8276660: Scalability bottleneck in
+      java.security.Provider.getService()
+    + JDK-8277042: add test for 8276036 to compiler/codecache
+    + JDK-8279068: IGV: Update to work with JDK 16 and 17
+    + JDK-8279164: Disable TLS_ECDH_* cipher suites
+    + JDK-8279222: Incorrect legacyMap.get in
+      java.security.Provider after JDK-8276660
+    + JDK-8279337: The MToolkit is still referenced in a few places
+    + JDK-8279641: Create manual JTReg tests for Swing accessibility
+    + JDK-8279878: java/awt/font/JNICheck/JNICheck.sh test fails on
+      Ubuntu 21.10
+    + JDK-8280034: ProblemList jdk/jfr/api/consumer/recordingstream/
+      /TestOnEvent.java on linux-x64
+    + JDK-8280392: java/awt/Focus/NonFocusableWindowTest/
+      /NonfocusableOwnerTest.java failed with "RuntimeException:
+      Test failed."
+    + JDK-8280970: Cleanup dead code in java.security.Provider
+    + JDK-8280982: [Wayland] [XWayland] java.awt.Robot taking
+      screenshots
+    + JDK-8280988: [XWayland] Click on title to request focus test
+      failures
+    + JDK-8280990: [XWayland] XTest emulated mouse click does not
+      bring window to front
+    + JDK-8280993: [XWayland] Popup is not closed on click outside
+      of area controlled by XWayland
+    + JDK-8280994: [XWayland] Drag and Drop does not work in java
+      -> wayland app direction
+    + JDK-8281944: JavaDoc throws java.lang.IllegalStateException:
+      ERRONEOUS
+    + JDK-8282354: Remove dependancy of TestHttpServer,
+      HttpTransaction, HttpCallback from open/test/jdk/ tests
+    + JDK-8282526: Default icon is not painted properly
+    + JDK-8283728: jdk.hotspot.agent: Wrong location for
+      RISCV64ThreadContext.java
+    + JDK-8284316: Support accessibility ManualTestFrame.java for
+      non SwingSet tests
+    + JDK-8284585: PushPromiseContinuation test fails
+      intermittently in timeout
+    + JDK-8285497: Add system property for Java SE specification
+      maintenance version
+    + JDK-8288568: Reduce runtime of java.security microbenchmarks
+    + JDK-8289182: NMT: MemTracker::baseline should return void
+    + JDK-8290966: G1: Record number of PLAB filled and number of
+      direct allocations
+    + JDK-8291760: PipelineLeaksFD.java still fails: More or fewer
+      pipes than expected
+    + JDK-8292044: HttpClient doesn't handle 102 or 103 properly
+    + JDK-8292739: Invalid legacy entries may be returned by
+      Provider.getServices() call
+    + JDK-8292948: JEditorPane ignores font-size styles in external
+      linked css-file
+    + JDK-8293862: javax/swing/JFileChooser/8046391/bug8046391.java
+      failed with 'Cannot invoke
+      "java.awt.Image.getWidth(java.awt.image.ImageObserver)"
+      because "retVal" is null'
+    + JDK-8293872: Make runtime/Thread/ThreadCountLimit.java more
+      robust
+    + JDK-8294148: Support JSplitPane for instructions and test UI
+    + JDK-8294691: dynamicArchive/RelativePath.java is running
+      other test case
+    + JDK-8294994: Update Jarsigner and Keytool i18n tests to
+      validate i18n compliance
+    + JDK-8295111: dpkg appears to have problems resolving
+      symbolically linked native libraries
+    + JDK-8296410: HttpClient throws java.io.IOException: no
+      statuscode in response for HTTP2
+    + JDK-8296812: sprintf is deprecated in Xcode 14
+    + JDK-8297878: KEM: Implementation
+    + JDK-8298381: Improve handling of session tickets for multiple
+      SSLContexts
+    + JDK-8298596: vmTestbase/nsk/sysdict/vm/stress/chain/chain008/
+      /chain008.java fails with "NoClassDefFoundError: Could not
+      initialize class java.util.concurrent.ThreadLocalRandom"
+    + JDK-8298809: Clean up vm/compiler/InterfaceCalls JMH
+    + JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl
+      when connection is idle
+    + JDK-8299254: Support dealing with standard assert macro
+    + JDK-8299378: sprintf is deprecated in Xcode 14
+    + JDK-8299395: Remove metaprogramming/removeCV.hpp
+    + JDK-8299396: Remove metaprogramming/removeExtent.hpp
+    + JDK-8299397: Remove metaprogramming/isFloatingPoint.hpp
+    + JDK-8299398: Remove metaprogramming/isConst.hpp
+    + JDK-8299399: Remove metaprogramming/isArray.hpp
+    + JDK-8299402: Remove metaprogramming/isVolatile.hpp
+    + JDK-8299479: Remove metaprogramming/decay.hpp
+    + JDK-8299481: Remove metaprogramming/removePointer.hpp
+    + JDK-8299482: Remove metaprogramming/isIntegral.hpp
+    + JDK-8299487: Test java/net/httpclient/whitebox/
+      /SSLTubeTestDriver.java timed out
+    + JDK-8299635: Hotspot update for deprecated sprintf in Xcode 14
+    + JDK-8299779: Test tools/jpackage/share/jdk/jpackage/tests/
+      /MainClassTest.java timed out
+    + JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java
+      fails with jtreg test timeout due to lost datagram
+    + JDK-8299971: Remove metaprogramming/conditional.hpp
+    + JDK-8299972: Remove metaprogramming/removeReference.hpp
+    + JDK-8300169: Build failure with clang-15
+    + JDK-8300260: Remove metaprogramming/isSame.hpp
+    + JDK-8300264: Remove metaprogramming/isPointer.hpp
+    + JDK-8300265: Remove metaprogramming/isSigned.hpp
+    + JDK-8300806: Update googletest to v1.13.0
+    + JDK-8300910: Remove metaprogramming/integralConstant.hpp
+    + JDK-8301132: Test update for deprecated sprintf in Xcode 14
+    + JDK-8301200: Don't scale timeout stress with timeout factor
+    + JDK-8301274: update for deprecated sprintf for security
+      components
+    + JDK-8301279: update for deprecated sprintf for management
+      components
+    + JDK-8301686: TLS 1.3 handshake fails if server_name doesn't
+      match resuming session
+    + JDK-8301704: Shorten the number of GCs in UnloadingTest.java
+      to verify a class loader not being unloaded
+    + JDK-8302495: update for deprecated sprintf for java.desktop
+    + JDK-8302800: Augment NaN handling tests of FDLIBM methods
+    + JDK-8303216: Prefer ArrayList to LinkedList in
+      sun.net.httpserver.ServerImpl
+    + JDK-8303466: C2: failed: malformed control flow. Limit type
+      made precise with MaxL/MinL
+    + JDK-8303527: update for deprecated sprintf for
+      jdk.hotspot.agent
+    + JDK-8303617: update for deprecated sprintf for jdk.jdwp.agent
+    + JDK-8303830: update for deprecated sprintf for
+      jdk.accessibility
+    + JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file
+    + JDK-8303920: Avoid calling out to python in
+      DataDescriptorSignatureMissing test
+    + JDK-8303942: os::write should write completely
+    + JDK-8303965: java.net.http.HttpClient should reset the stream
+      if response headers contain malformed header fields
+    + JDK-8304375: jdk/jfr/api/consumer/filestream/TestOrdered.java
+      failed with "Expected at least some events to be out of order!
+      Reuse = false"
+    + JDK-8304962: sun/net/www/http/KeepAliveCache/B5045306.java:
+      java.lang.RuntimeException: Failed: Initial Keep Alive
+      Connection is not being reused
+    + JDK-8304963: HttpServer closes connection after processing
+      HEAD after JDK-7026262
+    + JDK-8305072: Win32ShellFolder2.compareTo is inconsistent
+    + JDK-8305079: Remove finalize() from compiler/c2/Test719030
+    + JDK-8305081: Remove finalize() from
+      test/hotspot/jtreg/compiler/runtime/Test8168712
+    + JDK-8305825: getBounds API returns wrong value resulting in
+      multiple Regression Test Failures on Ubuntu 23.04
+    + JDK-8305959: x86: Improve itable_stub
+    + JDK-8306583: Add JVM crash check in CDSTestUtils.executeAndLog
+    + JDK-8306929: Avoid CleanClassLoaderDataMetaspaces safepoints
+      when previous versions are shared
+    + JDK-8306946: jdk/test/lib/process/
+      /ProcessToolsStartProcessTest.java fails with "wrong number of
+      lines in OutputAnalyzer output"
+    + JDK-8307091: A few client tests intermittently throw
+      ConcurrentModificationException
+    + JDK-8307193: Several Swing jtreg tests use class.forName on
+      L&F classes
+    + JDK-8307352: AARCH64: Improve itable_stub
+    + JDK-8307448: Test RedefineSharedClassJFR fail due to wrong
+      assumption
+    + JDK-8307779: Relax the java.awt.Robot specification
+    + JDK-8307848: update for deprecated sprintf for jdk.attach
+    + JDK-8307850: update for deprecated sprintf for jdk.jdi
+    + JDK-8308022: update for deprecated sprintf for java.base
+    + JDK-8308144: Uncontrolled memory consumption in
+      SSLFlowDelegate.Reader
+    + JDK-8308184: Launching java with large number of jars in
+      classpath with java.protocol.handler.pkgs system property set
+      can lead to StackOverflowError
+    + JDK-8308801: update for deprecated sprintf for libnet in
+      java.base
+    + JDK-8308891: TestCDSVMCrash.java needs @requires vm.cds
+    + JDK-8309241: ClassForNameLeak fails intermittently as the
+      class loader hasn't been unloaded
+    + JDK-8309621: [XWayland][Screencast] screen capture failure
+      with sun.java2d.uiScale other than 1
+    + JDK-8309703: AIX build fails after JDK-8280982
+    + JDK-8309756: Occasional crashes with pipewire screen capture
+      on Wayland
+    + JDK-8309934: Update GitHub Actions to use JDK 17 for building
+      jtreg
+    + JDK-8310070: Test:
+      javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out
+    + JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when
+      EnableJVMCI is specified
+    + JDK-8310201: Reduce verbose locale output in -XshowSettings
+      launcher option
+    + JDK-8310334: [XWayland][Screencast] screen capture error
+      message in debug
+    + JDK-8310628: GcInfoBuilder.c missing JNI Exception checks
+    + JDK-8310683: Refactor StandardCharset/standard.java to use
+      JUnit
+    + JDK-8311208: Improve CDS Support
+    + JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
+    + JDK-8312049: runtime/logging/ClassLoadUnloadTest can be
+      improved
+    + JDK-8312140: jdk/jshell tests failed with JDI socket timeouts
+    + JDK-8312229: Crash involving yield, switch and anonymous
+      classes
+    + JDK-8313256: Exclude failing multicast tests on AIX
+    + JDK-8313394: Array Elements in OldObjectSample event has the
+      incorrect description
+    + JDK-8313674: (fc) java/nio/channels/FileChannel/
+      /BlockDeviceSize.java should test for more block devices
+    + JDK-8313697: [XWayland][Screencast] consequent getPixelColor
+      calls are slow
+    + JDK-8313873: java/nio/channels/DatagramChannel/
+      /SendReceiveMaxSize.java fails on AIX due to small default
+      RCVBUF size and different IPv6 Header interpretation
+    + JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/
+      /CodeCacheFullCountTest.java fails with
+      java.lang.VirtualMachineError
+    + JDK-8314476: TestJstatdPortAndServer.java failed with
+      "java.rmi.NoSuchObjectException: no such object in table"
+    + JDK-8314614: jdk/jshell/ImportTest.java failed with
+      "InternalError: Failed remote listen"
+    + JDK-8314837: 5 compiled/codecache tests ignore VM flags
+    + JDK-8315024: Vector API FP reduction tests should not test
+      for exact equality
+    + JDK-8315362: NMT: summary diff reports threads count
+      incorrectly
+    + JDK-8315422: getSoTimeout() would be in try block in
+      SSLSocketImpl
+    + JDK-8315437: Enable parallelism in
+      vmTestbase/nsk/monitoring/stress/classload tests
+    + JDK-8315442: Enable parallelism in
+      vmTestbase/nsk/monitoring/stress/thread tests
+    + JDK-8315559: Delay TempSymbol cleanup to avoid symbol table
+      churn
+    + JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java
+      fails after JDK-8314837
+    + JDK-8315651: Stop hiding AIX specific multicast socket errors
+      via NetworkConfiguration (aix)
+    + JDK-8315684: Parallelize
+      sun/security/util/math/TestIntegerModuloP.java
+    + JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading
+      tests
+    + JDK-8315804: Open source several Swing JTabbedPane JTextArea
+      JTextField tests
+    + JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java
+      test
+    + JDK-8315965: Open source various AWT applet tests
+    + JDK-8316104: Open source several Swing SplitPane and
+      RadioButton related tests
+    + JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java
+      java.lang.Exception: Could not find leak
+    + JDK-8316211: Open source several manual applet tests
+    + JDK-8316240: Open source several add/remove MenuBar manual
+      tests
+    + JDK-8316285: Opensource JButton manual tests
+    + JDK-8316306: Open source and convert manual Swing test
+    + JDK-8316328: Test jdk/jfr/event/oldobject/
+      /TestSanityDefault.java times out for some heap sizes
+    + JDK-8316387: Exclude more failing multicast tests on AIX
+      after JDK-8315651
+    + JDK-8316389: Open source few AWT applet tests
+    + JDK-8316468: os::write incorrectly handles partial write
+    + JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm
+    + JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java
+    + JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm
+    + JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java:
+      Press on the outside area didn't cause ungrab
+    + JDK-8317316: G1: Make TestG1PercentageOptions use
+      createTestJvm
+    + JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm
+    + JDK-8317358: G1: Make TestMaxNewSize use createTestJvm
+    + JDK-8317360: Missing null checks in JfrCheckpointManager and
+      JfrStringPool initialization routines
+    + JDK-8317372: Refactor some NumberFormat tests to use JUnit
+    + JDK-8317635: Improve GetClassFields test to verify
+      correctness of field order
+    + JDK-8317831: compiler/codecache/CheckLargePages.java fails on
+      OL 8.8 with unexpected memory string
+    + JDK-8318039: GHA: Bump macOS and Xcode versions
+    + JDK-8318089: Class space not marked as such with NMT when CDS
+      is off
+    + JDK-8318474: Fix memory reporter for thread_count
+    + JDK-8318479: [jmh] the test security.CacheBench  failed for
+      multiple threads run
+    + JDK-8318605: Enable parallelism in
+      vmTestbase/nsk/stress/stack tests
+    + JDK-8318696: Do not use LFS64 symbols on Linux
+    + JDK-8318986: Improve GenericWaitBarrier performance
+    + JDK-8319103: Popups that request focus are not shown on Linux
+      with Wayland
+    + JDK-8319197: Exclude hb-subset and hb-style from compilation
+    + JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit
+      immediates
+    + JDK-8319713: Parallel: Remove
+      PSAdaptiveSizePolicy::should_full_GC
+    + JDK-8320079: The ArabicBox.java test has no control buttons
+    + JDK-8320379: C2: Sort spilling/unspilling sequence for better
+      ld/st merging into ldp/stp on AArch64
+    + JDK-8320602: Lock contention in SchemaDVFactory.getInstance()
+    + JDK-8320608: Many jtreg printing tests are missing the
+      @printer keyword
+    + JDK-8320655: awt screencast robot spin and sync issues with
+      native libpipewire api
+    + JDK-8320692: Null icon returned for .exe without custom icon
+    + JDK-8320945: problemlist tests failing on latest Windows 11
+      update
+    + JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2
+    + JDK-8321176: [Screencast] make a second attempt on screencast
+      failure
+    + JDK-8321220: JFR: RecordedClass reports incorrect modifiers
+    + JDK-8322008: Exclude some CDS tests from running with
+      -Xshare:off
+    + JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC
+      and ZGC
+    + JDK-8322726: C2: Unloaded signature class kills argument value
+    + JDK-8322971: KEM.getInstance() should check if a 3rd-party
+      security provider is signed
+    + JDK-8323122: AArch64: Increase itable stub size estimate
+    + JDK-8323584: AArch64: Unnecessary ResourceMark in
+      NativeCall::set_destination_mt_safe
+    + JDK-8323670: A few client tests intermittently throw
+      ConcurrentModificationException
+    + JDK-8323801:  tag doesn't strikethrough the text
+    + JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max
+      limit on macOS >= 10.6 for RLIMIT_NOFILE
+    + JDK-8324646: Avoid Class.forName in SecureRandom constructor
+    + JDK-8324648: Avoid NoSuchMethodError when instantiating
+      NativePRNG
+    + JDK-8324668: JDWP process management needs more efficient
+      file descriptor handling
+    + JDK-8324753: [AIX] adjust os_posix after JDK-8318696
+    + JDK-8324755: Enable parallelism in
+      vmTestbase/gc/gctests/LargeObjects tests
+    + JDK-8324933: ConcurrentHashTable::statistics_calculate
+      synchronization is expensive
+    + JDK-8325022: Incorrect error message on client authentication
+    + JDK-8325179: Race in BasicDirectoryModel.validateFileCache
+    + JDK-8325194: GHA: Add macOS M1 testing
+    + JDK-8325384: sun/security/ssl/SSLSessionImpl/
+      /ResumptionUpdateBoundValues.java failing intermittently when
+      main thread is a virtual thread
+    + JDK-8325444: GHA: JDK-8325194 causes a regression
+    + JDK-8325567: jspawnhelper without args fails with segfault
+    + JDK-8325620: HTMLReader uses ConvertAction instead of
+      specified CharacterAction for , , 
+    + JDK-8325621: Improve jspawnhelper version checks
+    + JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes
+      survive minor garbage collections
+    + JDK-8326106: Write and clear stack trace table outside of
+      safepoint
+    + JDK-8326332: Unclosed inline tags cause misalignment in
+      summary tables
+    + JDK-8326446: The User and System of jdk.CPULoad on Apple M1
+      are inaccurate
+    + JDK-8326734: text-decoration applied to  lost when
+      mixed with  or 
+    + JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java
+      fails
+    + JDK-8327137: Add test for ConcurrentModificationException in
+      BasicDirectoryModel
+    + JDK-8327312: [17u] Problem list
+      ReflectionCallerCacheTest.java due to 8324978
+    + JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java
+      on all platforms with ZGC
+    + JDK-8327650: Test java/nio/channels/DatagramChannel/
+      /StressNativeSignal.java timed out
+    + JDK-8327787: Convert javax/swing/border/Test4129681.java
+      applet test to main
+    + JDK-8327840: Automate javax/swing/border/Test4129681.java
+    + JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/
+      /GetBoundsResizeTest.java applet test to main
+    + JDK-8328075: Shenandoah: Avoid forwarding when objects don't
+      move in full-GC
+    + JDK-8328110: Allow simultaneous use of PassFailJFrame with
+      split UI and additional windows
+    + JDK-8328115: Convert java/awt/font/TextLayout/
+      /TestJustification.html applet test to main
+    + JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest
+      to automatic main test
+    + JDK-8328218: Delete test
+      java/awt/Window/FindOwner/FindOwner.html
+    + JDK-8328234: Remove unused nativeUtils files
+    + JDK-8328238: Convert few closed manual applet tests to main
+    + JDK-8328269: NonFocusablePopupMenuTest.java should be marked
+      as headful
+    + JDK-8328273: sun/management/jmxremote/bootstrap/
+      /RmiRegistrySslTest.java failed with
+      java.rmi.server.ExportException: Port already in use
+    + JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/
+      /ClickDuringKeypress.java imports Applet
+    + JDK-8328561: test java/awt/Robot/ManualInstructions/
+      /ManualInstructions.java isn't used
+    + JDK-8328642: Convert applet test
+      MouseDraggedOutCauseScrollingTest.html to main
+    + JDK-8328647: TestGarbageCollectorMXBean.java fails with
+      C1-only and -Xcomp
+    + JDK-8328896: Fontmetrics for large Fonts has zero width
+    + JDK-8328953: JEditorPane.read throws ChangedCharSetException
+    + JDK-8328999: Update GIFlib to 5.2.2
+    + JDK-8329004: Update Libpng to 1.6.43
+    + JDK-8329103: assert(!thread->in_asgct()) failed during
+      multi-mode profiling
+    + JDK-8329109: Threads::print_on() tries to print CPU time for
+      terminated GC threads
+    + JDK-8329126: No native wrappers generated anymore with
+      -XX:-TieredCompilation after JDK-8251462
+    + JDK-8329134: Reconsider TLAB zapping
+    + JDK-8329510: Update ProblemList for
+      JFileChooser/8194044/FileSystemRootTest.java
+    + JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed
+      because The End and Start buttons are not placed correctly and
+      Tab focus does not move as expected
+    + JDK-8329605: hs errfile generic events - move memory
+      protections and nmethod flushes to separate sections
+    + JDK-8329663: hs_err file event log entry for thread
+      adding/removing should print current thread
+    + JDK-8329667: [macos] Issue with JTree related fix for
+      JDK-8317771
+    + JDK-8329995: Restricted access to `/proc` can cause JFR
+      initialization to crash
+    + JDK-8330063: Upgrade jQuery to 3.7.1
+    + JDK-8330524: Linux ppc64le compile warning with clang in
+      os_linux_ppc.cpp
+    + JDK-8330611: AES-CTR vector intrinsic may read out of bounds
+      (x86_64, AVX-512)
+    + JDK-8330615: avoid signed integer overflows in zip_util.c
+      readCen / hashN
+    + JDK-8331011: [XWayland] TokenStorage fails under Security
+      Manager
+    + JDK-8331063: Some HttpClient tests don't report leaks
+    + JDK-8331077: nroff man page update for jar tool
+    + JDK-8331164: createJMHBundle.sh download jars fail when url
+      needed to be redirected
+    + JDK-8331265: Bump update version for OpenJDK: jdk-17.0.13
+    + JDK-8331331: :tier1 target explanation in doc/testing.md is
+      incorrect
+    + JDK-8331466: Problemlist serviceability/dcmd/gc/
+      /RunFinalizationTest.java on generic-all
+    + JDK-8331605:
+      jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test
+      failure
+    + JDK-8331746: Create a test to verify that the cmm id is not
+      ignored
+    + JDK-8331798: Remove unused arg of checkErgonomics() in
+      TestMaxHeapSizeTools.java
+    + JDK-8331885: C2: meet between unloaded and speculative types
+      is not symmetric
+    + JDK-8332008: Enable issuestitle check
+    + JDK-8332113: Update nsk.share.Log to be always verbose
+    + JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in
+      ff_Adlm.xml
+    + JDK-8332248: (fc) java/nio/channels/FileChannel/
+      /BlockDeviceSize.java failed with RuntimeException
+    + JDK-8332424: Update IANA Language Subtag Registry to Version
+      2024-05-16
+    + JDK-8332524: Instead of printing "TLSv1.3," it is showing
+      "TLS13"
+    + JDK-8332898: failure_handler: log directory of commands
+    + JDK-8332936: Test vmTestbase/metaspace/gc/watermark_70_80/
+      /TestDescription.java fails with no GC's recorded
+    + JDK-8333270: HandlersOnComplexResetUpdate and
+      HandlersOnComplexUpdate tests fail with "Unexpected reference"
+      if timeoutFactor is less than 1/3
+    + JDK-8333353: Delete extra empty line in CodeBlob.java
+    + JDK-8333398: Uncomment the commented test in test/jdk/java/
+      /util/jar/JarFile/mrjar/MultiReleaseJarAPI.java
+    + JDK-8333477: Delete extra empty spaces in Makefiles
+    + JDK-8333698: [17u] TestJstatdRmiPort fails after JDK-8333667
+    + JDK-8333716: Shenandoah: Check for disarmed method before
+      taking the nmethod lock
+    + JDK-8333724: Problem list security/infra/java/security/cert/
+      /CertPathValidator/certification/CAInterop.java
+      #teliasonerarootcav1
+    + JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw
+      an exception with 0 failures
+    + JDK-8334166: Enable binary check
+    + JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java
+      should not depend on SecurityManager
+    + JDK-8334332: TestIOException.java fails if run by root
+    + JDK-8334333: MissingResourceCauseTestRun.java fails if run by
+      root
+    + JDK-8334335: [TESTBUG] Backport of 8279164 to 11u & 17u
+      includes elements of JDK-8163327
+    + JDK-8334339: Test java/nio/file/attribute/
+      /BasicFileAttributeView/CreationTime.java fails on alinux3
+    + JDK-8334418: Update IANA Language Subtag Registry to Version
+      2024-06-14
+    + JDK-8334482: Shenandoah: Deadlock when safepoint is pending
+      during nmethods iteration
+    + JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java
+      fails on linux-aarch64
+    + JDK-8334653: ISO 4217 Amendment 177 Update
+    + JDK-8334769: Shenandoah: Move CodeCache_lock close to its use
+      in ShenandoahConcurrentNMethodIterator
+    + JDK-8335536: Fix assertion failure in IdealGraphPrinter when
+      append is true
+    + JDK-8335775: Remove extraneous 's' in comment of
+      rawmonitor.cpp test file
+    + JDK-8335808: update for deprecated sprintf for jfrTypeSetUtils
+    + JDK-8335918: update for deprecated sprintf for jvmti
+    + JDK-8335967: "text-decoration: none" does not work with "A"
+      HTML tags
+    + JDK-8336301: test/jdk/java/nio/channels/
+      /AsyncCloseAndInterrupt.java leaves around a FIFO file upon
+      test completion
+    + JDK-8336928: GHA: Bundle artifacts removal broken
+    + JDK-8337038: Test java/nio/file/attribute/
+      /BasicFileAttributeView/CreationTime.java shoud set as /native
+    + JDK-8337283: configure.log is truncated when build dir is on
+      different filesystem
+    + JDK-8337664: Distrust TLS server certificates issued after
+      Oct 2024 and anchored by Entrust Root CAs
+    + JDK-8337669: [17u] Backport of JDK-8284047 missed to delete a
+      file
+    + JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods
+      are inconsistent with their setVerbose methods
+    + JDK-8338696: (fs) BasicFileAttributes.creationTime() falls
+      back to epoch if birth time is unavailable (Linux)
+    + JDK-8339869: [21u] Test CreationTime.java fails with
+      UnsatisfiedLinkError after 8334339
+    + JDK-8341057: Add 2 SSL.com TLS roots
+    + JDK-8341059: Change Entrust TLS distrust date to November 12,
+      2024
+    + JDK-8341673: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.13
+- Removed patch:
+  * JDK-8282944.patch
+    + fixed in this version differently
+
+-------------------------------------------------------------------
+Thu Jul 18 04:44:09 UTC 2024 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.12+7 (July 2024 CPU)
+  * Security fixes
+    + JDK-8314794, CVE-2024-21131, bsc#1228046: Improve UTF8 String
+      supports
+    + JDK-8319859, CVE-2024-21138, bsc#1228047: Better symbol
+      storage
+    + JDK-8320097: Improve Image transformations
+    + JDK-8320548, CVE-2024-21140, bsc#1228048: Improved loop
+      handling
+    + JDK-8323231, CVE-2024-21147, bsc#1228052: Improve array
+      management
+    + JDK-8323390: Enhance mask blit functionality
+    + JDK-8324559, CVE-2024-21145, bsc#1228051: Improve 2D image
+      handling
+    + JDK-8325600: Better symbol storage
+    + JDK-8327413: Enhance compilation efficiency
+  * Other fixes
+    + JDK-8015739: Background of JInternalFrame is located out of
+      JInternalFrame
+    + JDK-8042380: Test javax/swing/JFileChooser/4524490/
+      /bug4524490.java fails with InvocationTargetException
+    + JDK-8159927: Add a test to verify JMOD files created in the
+      images do not have debug symbols
+    + JDK-8163229: several regression tests have a main method that
+      is never executed
+    + JDK-8163921: HttpURLConnection default Accept header is
+      malformed according to HTTP/1.1 RFC
+    + JDK-8177107: Reduce memory footprint of
+      java.lang.reflect.Constructor/Method
+    + JDK-8185862: AWT Assertion Failure in ::GetDIBits(hBMDC, hBM,
+      0, 1, 0, gpBitmapInfo, 0) 'awt_Win32GraphicsDevice.cpp', at
+      line 185
+    + JDK-8187759: Background not refreshed when painting over a
+      transparent JFrame
+    + JDK-8213714: AttachingConnector/attach/attach001 failed due
+      to "bind failed: Address already in use"
+    + JDK-8223696: java/net/httpclient/MaxStreams.java failed with
+      didn't finish within the time-out
+    + JDK-8256660: Disable DTLS 1.0
+    + JDK-8260540: serviceability/jdwp/AllModulesCommandTest.java
+      failed with "Debuggee error: 'ERROR: transport error 202: bind
+      failed: Address already in use'"
+    + JDK-8263940: NPE when creating default file system when
+      default file system provider is packaged as JAR file on class
+      path
+    + JDK-8264322: Generate CDS archive when creating custom JDK
+      image
+    + JDK-8266242: java/awt/GraphicsDevice/CheckDisplayModes.java
+      failing on macOS 11 ARM
+    + JDK-8267796: vmTestbase/nsk/jvmti/scenarios/hotswap/HS201/
+      /hs201t002/TestDescription.java fails with NoClassDefFoundError
+    + JDK-8268974: GetJREPath() JLI function fails to locate
+      libjava.so if not standard Java launcher is used
+    + JDK-8269914: Factor out heap printing for G1 young and full gc
+    + JDK-8270018: Add scoped object for g1 young gc JFR
+      notification
+    + JDK-8272315: Improve assert_different_registers
+    + JDK-8272651: G1 heap region info print order changed by
+      JDK-8269914
+    + JDK-8272903: Missing license header in ArenaAllocator.java
+    + JDK-8272916: Copyright year was modified unintentionally in
+      jlink.properties and ImagePluginStack.java
+    + JDK-8273153: Consolidate file_exists into os:file_exists
+    + JDK-8273774: CDSPluginTest should only expect
+      classes_nocoops.jsa exists on supported 64-bit platforms
+    + JDK-8275334: Move class loading Events to a separate section
+      in hs_err files
+    + JDK-8275868: ciReplay: Inlining fails with "unloaded
+      signature classes" due to wrong protection domains
+    + JDK-8276227: ciReplay: SIGSEGV if classfile for replay
+      compilation is not present after JDK-8275868
+    + JDK-8278893: Parallel: Remove GCWorkerDelayMillis
+    + JDK-8280030: [REDO] Parallel: More precise boundary in
+      ObjectStartArray::object_starts_in_range
+    + JDK-8280056: gtest/LargePageGtests.java#use-large-pages
+      failed "os.release_one_mapping_multi_commits_vm"
+    + JDK-8280113: (dc) DatagramSocket.receive does not always
+      throw when the channel is closed
+    + JDK-8280377: MethodHandleProxies does not correctly invoke
+      default methods with varags
+    + JDK-8280546: Remove hard-coded 127.0.0.1 loopback address
+    + JDK-8280835: jdk/javadoc/tool/CheckManPageOptions.java
+      depends on source hierarchy
+    + JDK-8281658: Add a security category to the java
+      -XshowSettings option
+    + JDK-8282094: [REDO] Parallel: Refactor
+      PSCardTable::scavenge_contents_parallel
+    + JDK-8283349: Robustness improvements to
+      java/util/prefs/AddNodeChangeListener.jar
+    + JDK-8285452: Add a new test library API to replace a file
+      content using FileUtils.java
+    + JDK-8286045: Use ForceGC for cleaner test cases
+    + JDK-8286311: remove boilerplate from use of runTests
+    + JDK-8286490: JvmtiEventControllerPrivate::set_event_callbacks
+      CLEARING_MASK computation is incorrect
+    + JDK-8286740: JFR: Active Setting event emitted incorrectly
+    + JDK-8286781: Replace the deprecated/obsolete gethostbyname
+      and inet_addr calls
+    + JDK-8289401: Add dump output to TestRawRSACipher.java
+    + JDK-8289643: File descriptor leak with
+      ProcessBuilder.startPipeline
+    + JDK-8290126: Add a check in JavadocTester for "javadoc should
+      not crash"
+    + JDK-8290885: java/lang/ProcessBuilder/PipelineLeaksFD.java
+      fail: More or fewer pipes than expected
+    + JDK-8290901: Reduce use of -source in langtools tests
+    + JDK-8291753: Add JFR event for GC CPU Time
+    + JDK-8294137: Review running times of java.math tests
+    + JDK-8294156: Allow PassFailJFrame.Builder to create test UI
+    + JDK-8294699: Launcher causes lingering busy cursor
+    + JDK-8295026: Remove unused fields in StyleSheet
+    + JDK-8295343: sun/security/pkcs11 tests fail on Linux RHEL 8.6
+      and newer
+    + JDK-8295944: Move the Http2TestServer and related classes
+      into a package of its own
+    + JDK-8296137: diags-examples.xml is broken
+    + JDK-8296190: TestMD5Intrinsics and
+      TestMD5MultiBlockIntrinsics don't test the intrinsics
+    + JDK-8296610: java/net/HttpURLConnection/SetAuthenticator/
+      /HTTPSetAuthenticatorTest.java failed with "BindException:
+      Address already in use: connect"
+    + JDK-8297082: Remove sun/tools/jhsdb/BasicLauncherTest.java
+      from problem list
+    + JDK-8297292: java/nio/channels/FileChannel/
+      /FileExtensionAndMap.java is too slow
+    + JDK-8297445: PPC64: Represent Registers as values
+    + JDK-8297449: Update JInternalFrame Metal Border code
+    + JDK-8297645: Drop the test/jdk/java/net/httpclient/
+      /reactivestreams-tck-tests/TckDriver.java test
+    + JDK-8297695: Fix typos in test/langtools files
+    + JDK-8298413: [s390] CPUInfoTest fails due to uppercase
+      feature string
+    + JDK-8298939: Refactor open/test/jdk/javax/rmi/ssl/
+      /SSLSocketParametersTest.sh to jtreg java test
+    + JDK-8299023: TestPLABResize.java and TestPLABPromotion.java
+      are failing intermittently
+    + JDK-8299858: [Metrics] Swap memory limit reported incorrectly
+      when too large
+    + JDK-8301183: (zipfs) jdk/jdk/nio/zipfs/
+      /TestLocOffsetFromZip64EF.java failing with ZipException:R0 on
+      OL9
+    + JDK-8301381: Verify DTLS 1.0 cannot be negotiated
+    + JDK-8301753: AppendFile/WriteFile has differences between
+      make 3.81 and 4+
+    + JDK-8302069: javax/management/remote/mandatory/notif/
+      /NotifReconnectDeadlockTest.java update
+    + JDK-8302512: Update IANA Language Subtag Registry to Version
+      2023-02-14
+    + JDK-8302907: [PPC64] Use more constexpr in class Register
+    + JDK-8303457: Introduce convenience test library APIs for
+      creating test servers for tests in test/jdk/java/net/httpclient
+    + JDK-8303466: C2: failed: malformed control flow. Limit type
+      made precise with MaxL/MinL
+    + JDK-8303972: (zipfs) Make test/jdk/jdk/nio/zipfs/
+      /TestLocOffsetFromZip64EF.java independent of the zip command
+      line
+    + JDK-8304761: Update IANA Language Subtag Registry to Version
+      2023-03-22
+    + JDK-8304927: Update java/net/httpclient/BasicAuthTest.java to
+      check basic auth over HTTP/2
+    + JDK-8305169: java/security/cert/CertPathValidator/OCSP/
+      /GetAndPostTests.java -- test server didn't start in timely
+      manner
+    + JDK-8305645: System Tray icons get corrupted when Windows
+      primary monitor changes
+    + JDK-8305819: LogConfigurationTest intermittently fails on
+      AArch64
+    + JDK-8305874: Open source AWT Key, Text Event related tests
+    + JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java
+      failed with "Expected chains but found none"
+    + JDK-8305942: Open source several AWT Focus related tests
+    + JDK-8305943: Open source few AWT Focus related tests
+    + JDK-8306031: Update IANA Language Subtag Registry to Version
+      2023-04-13
+    + JDK-8306040: HttpResponseInputStream.available() returns 1 on
+      empty stream
+    + JDK-8306067: Open source AWT Graphics,GridBagLayout related
+      tests
+    + JDK-8306634: Open source AWT Event related tests
+    + JDK-8306714: Open source few Swing event and AbstractAction
+      tests
+    + JDK-8306838: GetGraphicsTest needs to be headful
+    + JDK-8307411: Test java/foreign/channels/
+      /TestAsyncSocketChannels.java failed: IllegalStateException:
+      Already closed
+    + JDK-8307423: [s390x] Represent Registers as values
+    + JDK-8308021: Update IANA Language Subtag Registry to Version
+      2023-05-11
+    + JDK-8309409: Update HttpInputStreamTest and
+      BodyProcessorInputStreamTest to use hg.openjdk.org
+    + JDK-8309527: Improve test proxy performance
+    + JDK-8309630: Clean up tests that reference deploy modules
+    + JDK-8309763: Move tests in test/jdk/sun/misc/URLClassPath
+      directory to test/jdk/jdk/internal/loader
+    + JDK-8309890: TestStringDeduplicationInterned.java waits for
+      the wrong condition
+    + JDK-8310031: Parallel: Implement better work distribution for
+      large object arrays in old gen
+    + JDK-8310818: Refactor more Locale tests to use JUnit
+    + JDK-8311893: Interactive component with ARIA role 'tabpanel'
+      does not have a programmatically associated name
+    + JDK-8311964: Some jtreg tests failing on x86 with error
+      'unrecognized VM options' (C2 flags)
+    + JDK-8312194: test/hotspot/jtreg/applications/ctw/modules/
+      /jdk_crypto_ec.java cannot handle empty modules
+    + JDK-8312320: Remove javax/rmi/ssl/SSLSocketParametersTest.sh
+      from ProblemList
+    + JDK-8312383: Log X509ExtendedKeyManager implementation class
+      name in TLS/SSL connection
+    + JDK-8312916: Remove remaining usages of -Xdebug from
+      test/hotspot/jtreg
+    + JDK-8313307: java/util/Formatter/Padding.java fails on some
+      Locales
+    + JDK-8313702: Update IANA Language Subtag Registry to Version
+      2023-08-02
+    + JDK-8314283: Support for NSS tests on aarch64 platforms
+    + JDK-8314832: Few runtime/os tests ignore vm flags
+    + JDK-8314835: gtest wrappers should be marked as flagless
+    + JDK-8315071: Modify TrayIconScalingTest.java,
+      PrintLatinCJKTest.java to use new PassFailJFrame's builder
+      pattern usage
+    + JDK-8315117: Update Zlib Data Compression Library to Version
+      1.3
+    + JDK-8315609: Open source few more swing text/html tests
+    + JDK-8315652: RISC-V: Features string uses wrong separator for
+      jtreg
+    + JDK-8315663: Open source misc awt tests
+    + JDK-8315677: Open source few swing JFileChooser and other
+      tests
+    + JDK-8315726: Open source several AWT applet tests
+    + JDK-8315741: Open source few swing JFormattedTextField and
+      JPopupMenu tests
+    + JDK-8315824: Open source several Swing Text/HTML related tests
+    + JDK-8315834: Open source several Swing JSpinner related tests
+    + JDK-8315889: Open source several Swing HTMLDocument related
+      tests
+    + JDK-8315898: Open source swing JMenu tests
+    + JDK-8316017: Refactor timeout handler in PassFailJFrame
+    + JDK-8316053: Open some swing tests 3
+    + JDK-8316138: Add GlobalSign 2 TLS root certificates
+    + JDK-8316142: Enable parallelism in
+      vmTestbase/nsk/monitoring/stress/lowmem tests
+    + JDK-8316154: Opensource JTextArea manual tests
+    + JDK-8316164: Opensource JMenuBar manual test
+    + JDK-8316186: RISC-V: Remove PlatformCmpxchg<4>
+    + JDK-8316242: Opensource SwingGraphics manual test
+    + JDK-8316462: sun/jvmstat/monitor/MonitoredVm/
+      /MonitorVmStartTerminate.java ignores VM flags
+    + JDK-8316563: test tools/jpackage/linux/LinuxResourceTest.java
+      fails on CentOS Linux release 8.5.2111 and Fedora 27
+    + JDK-8316608: Enable parallelism in vmTestbase/gc/vector tests
+    + JDK-8317287: [macos14] InterJVMGetDropSuccessTest.java: Child
+      VM: abnormal termination
+    + JDK-8318322: Update IANA Language Subtag Registry to Version
+      2023-10-16
+    + JDK-8318580: "javax/swing/MultiMonitor/MultimonVImage.java
+      failing with Error. Can't find library: /open/test/jdk/java/
+      /awt/regtesthelpers" after JDK-8316053
+    + JDK-8318599: HttpURLConnection cache issues leading to
+      crashes in JGSS w/ native GSS introduced by 8303809
+    + JDK-8318727: Enable parallelism in
+      vmTestbase/vm/gc/concurrent tests
+    + JDK-8318809: java/util/concurrent/ConcurrentLinkedQueue/
+      /WhiteBox.java shows intermittent failures on linux ppc64le
+      and aarch64
+    + JDK-8318854: [macos14] Running any AWT app prints Secure
+      coding warning
+    + JDK-8319048: Monitor deflation unlink phase prolongs time to
+      safepoint
+    + JDK-8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64
+    + JDK-8319136: Skip pkcs11 tests on linux-aarch64
+    + JDK-8319268: Build failure with GCC8.3.1 after 8313643
+    + JDK-8319338: tools/jpackage/share/RuntimeImageTest.java fails
+      with -XX:+UseZGC
+    + JDK-8319372: C2 compilation fails with "Bad immediate
+      dominator info"
+    + JDK-8320005: Allow loading of shared objects with .a
+      extension on AIX
+    + JDK-8320113: [macos14] : ShapeNotSetSometimes.java fails
+      intermittently on macOS 14
+    + JDK-8320129: "top" command during jtreg failure handler does
+      not display CPU usage on OSX
+    + JDK-8320303: Allow PassFailJFrame to accept single window
+      creator
+    + JDK-8320342: Use PassFailJFrame for
+      TruncatedPopupMenuTest.java
+    + JDK-8320570: NegativeArraySizeException decoding >1G UTF8
+      bytes with non-ascii characters
+    + JDK-8320681: [macos] Test tools/jpackage/macosx/
+      /MacAppStoreJlinkOptionsTest.java timed out on macOS
+    + JDK-8320712: Rewrite BadFactoryTest in pure Java
+    + JDK-8320943: Files/probeContentType/Basic.java fails on
+      latest Windows 11 - content type mismatch
+    + JDK-8321107: Add more test cases for JDK-8319372
+    + JDK-8321489: Update LCMS to 2.16
+    + JDK-8321925: sun/security/mscapi/KeytoolChangeAlias.java
+      fails with "Alias <246810> does not exist"
+    + JDK-8322239: [macos] a11y : java.lang.NullPointerException is
+      thrown when focus is moved on the JTabbedPane
+    + JDK-8322503: Shenandoah: Clarify gc state usage
+    + JDK-8322858: compiler/c2/aarch64/TestFarJump.java fails on
+      AArch64 due to unexpected PrintAssembly output
+    + JDK-8322920: Some ProcessTools.execute* functions are
+      declared to throw Throwable
+    + JDK-8323210: Update the usage of cmsFLAGS_COPY_ALPHA
+    + JDK-8323519: Add applications/ctw/modules to Hotspot tiered
+      testing
+    + JDK-8323717: Introduce test keyword for tests that need
+      external dependencies
+    + JDK-8323994: gtest runner repeats test name for every single
+      gtest assertion
+    + JDK-8324050: Issue store-store barrier after re-materializing
+      objects during deoptimization
+    + JDK-8324238: [macOS] java/awt/Frame/ShapeNotSetSometimes/
+      /ShapeNotSetSometimes.java fails with the shape has not been
+      applied msg
+    + JDK-8324243: Compilation failures in java.desktop module with
+      gcc 14
+    + JDK-8324598: use mem_unit when working with sysinfo memory
+      and swap related information
+    + JDK-8324632: Update Zlib Data Compression Library to Version
+      1.3.1
+    + JDK-8324723: GHA: Upgrade some actions to avoid deprecated
+      Node 16
+    + JDK-8324733: [macos14] Problem list tests which fail due to
+      macOS bug described in JDK-8322653
+    + JDK-8324824: AArch64: Detect Ampere-1B core and update
+      default options for Ampere CPUs
+    + JDK-8325137: com/sun/management/ThreadMXBean/
+      /ThreadCpuTimeArray.java can fail in Xcomp with out of
+      expected range
+    + JDK-8325203: System.exit(0) kills the launched 3rd party
+      application
+    + JDK-8325213: Flags introduced by configure script are not
+      passed to ADLC build
+    + JDK-8325254: CKA_TOKEN private and secret keys are not
+      necessarily sensitive
+    + JDK-8325326: [PPC64] Don't relocate in case of allocation
+      failure
+    + JDK-8325372: Shenandoah: SIGSEGV crash in unnecessary_acquire
+      due to LoadStore split through phi
+    + JDK-8325432: enhance assert message "relocation addr must be
+      in this section"
+    + JDK-8325496: Make TrimNativeHeapInterval a product switch
+    + JDK-8325579: Inconsistent behavior in
+      com.sun.jndi.ldap.Connection::createSocket
+    + JDK-8325862: set -XX:+ErrorFileToStderr when executing java
+      in containers for some container related jtreg tests
+    + JDK-8325876: crashes in docker container tests on
+      Linuxppc64le Power8 machines
+    + JDK-8325972: Add -x to bash for building with LOG=debug
+    + JDK-8326006: Allow TEST_VM_FLAGLESS to set flagless mode
+    + JDK-8326101: [PPC64] Need to bailout cleanly if creation of
+      stubs fails when code cache is out of space
+    + JDK-8326140: src/jdk.accessibility/windows/native/
+      /libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp
+      ReleaseStringChars might be missing in early returns
+    + JDK-8326201: [S390] Need to bailout cleanly if creation of
+      stubs fails when code cache is out of space
+    + JDK-8326351: Update the Zlib version in
+      open/src/java.base/share/legal/zlib.md to 1.3.1
+    + JDK-8326521: JFR: CompilerPhase event test fails on windows
+      32 bit
+    + JDK-8326529: JFR: Test for CompilerCompile events fails due
+      to time out
+    + JDK-8326591: New test JmodExcludedFiles.java fails on Windows
+      when --with-external-symbols-in-bundles=public is used
+    + JDK-8326638: Crash in
+      PhaseIdealLoop::remix_address_expressions due to unexpected
+      Region instead of Loop
+    + JDK-8326643: JDK server does not send a dummy
+      change_cipher_spec record after HelloRetryRequest message
+    + JDK-8326661: sun/java2d/cmm/ColorConvertOp/ColConvTest.java
+      assumes profiles were generated by LCMS
+    + JDK-8326794: Bump update version for OpenJDK: jdk-17.0.12
+    + JDK-8326891: Prefer RPATH over RUNPATH for $ORIGIN rpaths in
+      internal JDK binaries
+    + JDK-8326936: RISC-V: Shenandoah GC crashes due to incorrect
+      atomic memory operations
+    + JDK-8326942: [17u] Backout "8325254: CKA_TOKEN private and
+      secret keys are not necessarily sensitive"
+    + JDK-8326960: GHA: RISC-V sysroot cannot be debootstrapped due
+      to ongoing Debian t64 transition
+    + JDK-8327036: [macosx-aarch64] SIGBUS in
+      MarkActivationClosure::do_code_blob reached from
+      Unsafe_CopySwapMemory0
+    + JDK-8327059: os::Linux::print_proc_sys_info add swappiness
+      information
+    + JDK-8327136: javax/management/remote/mandatory/notif/
+      /NotifReconnectDeadlockTest.java fails on libgraal
+    + JDK-8327631: Update IANA Language Subtag Registry to Version
+      2024-03-07
+    + JDK-8327989: java/net/httpclient/ManyRequest.java should not
+      use "localhost" in URIs
+    + JDK-8327998: Enable java/lang/ProcessBuilder/
+      /JspawnhelperProtocol.java on Mac
+    + JDK-8328066: WhiteBoxResizeTest failure on linux-x86: Could
+      not reserve enough space for 2097152KB object heap
+    + JDK-8328165: improve assert(idx < _maxlrg) failed: oob
+    + JDK-8328166: Epsilon: 'EpsilonHeap::allocate_work' misuses
+      the parameter 'size' as size in bytes
+    + JDK-8328168: Epsilon: Premature OOM when allocating object
+      larger than uncommitted heap size
+    + JDK-8328194: Add a test to check default rendering engine
+    + JDK-8328524: [x86] StringRepeat.java failure on linux-x86:
+      Could not reserve enough space for 2097152KB object heap
+    + JDK-8328540: test javax/swing/JSplitPane/4885629/
+      /bug4885629.java fails on windows hidpi
+    + JDK-8328638: Fallback option for POST-only OCSP requests
+    + JDK-8328705: GHA: Cross-compilation jobs do not require build
+      JDK
+    + JDK-8328812: Update and move siphash license
+    + JDK-8328825: Google CAInterop test failures
+    + JDK-8328948: GHA: Restoring sysroot from cache skips the
+      build after JDK-8326960
+    + JDK-8328988: [macos14] Problem list LightweightEventTest.java
+      which fails due to macOS bug described in JDK-8322653
+    + JDK-8328997: Remove unnecessary template parameter lists in
+      GrowableArray
+    + JDK-8329013: StackOverflowError when starting Apache Tomcat
+      with signed jar
+    + JDK-8329213: Better validation for com.sun.security.ocsp.useget option
+    + JDK-8329223: Parallel: Parallel GC resizes heap even if -Xms
+      = -Xmx
+    + JDK-8329570: G1: Excessive is_obj_dead_cond calls in
+      verification
+    + JDK-8329823: RISC-V: Need to sync CPU features with related
+      JVM flags
+    + JDK-8330094: RISC-V: Save and restore FRM in the call stub
+    + JDK-8330156: RISC-V: Range check auipc + signed 12 imm
+      instruction
+    + JDK-8330242: RISC-V: Simplify and remove
+      CORRECT_COMPILER_ATOMIC_SUPPORT in atomic_linux_riscv.hpp
+    + JDK-8330523: Reduce runtime and improve efficiency of
+      KeepAliveTest
+    + JDK-8330815: Use pattern matching for instanceof in
+      KeepAliveCache
+    + JDK-8331113: createJMHBundle.sh support configurable maven
+      repo mirror
+    + JDK-8331352: error: template-id not allowed for
+      constructor/destructor in C++20
+    + JDK-8331641: [17u]: Bump GHA bootstrap JDK to 17.0.11
+    + JDK-8331942: On Linux aarch64, CDS archives should be using
+      64K alignment by default
+    + JDK-8334441: Mark tests in jdk_security_infra group as manual
+    + JDK-8335963: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.12
+- Modified patch:
+  * fips.patch
+    + rediff to changed context
+
+-------------------------------------------------------------------
+Thu Jul  4 09:18:00 UTC 2024 - Fridrich Strba 
+
+- Require file for posttrans phase of the headless subpackage
+  (bsc#1227298)
+
+-------------------------------------------------------------------
+Thu Jun  6 17:02:14 UTC 2024 - Fridrich Strba 
+
+- Added patch:
+  * reproducible-jlink.patch
+    + make the timestamp in jmods reproducible
+
+-------------------------------------------------------------------
+Thu Apr 18 14:19:16 UTC 2024 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.11+9 (April 2024 CPU)
+  * Security fixes
+    + JDK-8315708, CVE-2024-21012, bsc#1222987: Enhance HTTP/2
+      client usage
+    + JDK-8317507, JDK-8325348, CVE-2024-21094, bsc#1222986: C2
+      compilation fails with "Exceeded _node_regs array"
+    + JDK-8318340: Improve RSA key implementations
+    + JDK-8319851, CVE-2024-21011, bsc#1222979: Improve exception
+      logging
+    + JDK-8322122, CVE-2024-21068, bsc#1222983: Enhance generation
+      of addresses
+  * Other changes
+    + JDK-6928542: Chinese characters in RTF are not decoded
+    + JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/
+      /bug4517214.java fails on MacOS
+    + JDK-7148092: [macosx] When Alt+down arrow key is pressed, the
+      combobox popup does not appear.
+    + JDK-7167356: (javac) investigate failing tests in
+      JavacParserTest
+    + JDK-8054022: HttpURLConnection timeouts with Expect:
+      100-Continue and no chunking
+    + JDK-8054572: [macosx] JComboBox paints the border incorrectly
+    + JDK-8169475: WheelModifier.java fails by timeout
+    + JDK-8205076: [17u] Inet6AddressImpl.c: `lookupIfLocalHost`
+      accesses `int InetAddress.preferIPv6Address` as a boolean
+    + JDK-8209595: MonitorVmStartTerminate.java timed out
+    + JDK-8210410: Refactor java.util.Currency:i18n shell tests to
+      plain java tests
+    + JDK-8261404: Class.getReflectionFactory() is not thread-safe
+    + JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from
+    + JDK-8263256: Test java/net/Inet6Address/serialize/
+      /Inet6AddressSerializationTest.java fails due to dynamic
+      reconfigurations of network interface during test
+    + JDK-8269258: java/net/httpclient/ManyRequestsLegacy.java
+      failed with connection timeout
+    + JDK-8271118: C2: StressGCM should have higher priority than
+      frequency-based policy
+    + JDK-8271616: oddPart in MutableBigInteger::mutableModInverse
+      contains info on final result
+    + JDK-8272811: Document the effects of building with
+      _GNU_SOURCE in os_posix.hpp
+    + JDK-8272853: improve `JavadocTester.runTests`
+    + JDK-8273454: C2: Transform (-a)*(-b) into a*b
+    + JDK-8274060: C2: Incorrect computation after JDK-8273454
+    + JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java
+      fails in Windows 11
+    + JDK-8274621: NullPointerException because listenAddress[0] is
+      null
+    + JDK-8274632: Possible pointer overflow in PretouchTask chunk
+      claiming
+    + JDK-8274634: Use String.equals instead of String.compareTo in
+      java.desktop
+    + JDK-8276125: RunThese24H.java SIGSEGV in
+      JfrThreadGroup::thread_group_id
+    + JDK-8278028: [test-library] Warnings cleanup of the test
+      library
+    + JDK-8278312: Update SimpleSSLContext keystore to use SANs for
+      localhost IP addresses
+    + JDK-8278363: Create extented container test groups
+    + JDK-8280241: (aio) AsynchronousSocketChannel init fails in
+      IPv6 only Windows env
+    + JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/
+      /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from
+      problemlist.
+    + JDK-8281543: Remove unused code/headerfile dtraceAttacher.hpp
+    + JDK-8281585: Remove unused imports under test/lib and jtreg/gc
+    + JDK-8283400: [macos] a11y : Screen magnifier does not reflect
+      JRadioButton value change
+    + JDK-8283626: AArch64: Set relocInfo::offset_unit to 4
+    + JDK-8283994: Make Xerces DatatypeException stackless
+    + JDK-8286312: Stop mixing signed and unsigned types in bit
+      operations
+    + JDK-8286846: test/jdk/javax/swing/plaf/aqua/
+      /CustomComboBoxFocusTest.java fails on mac aarch64
+    + JDK-8287832: jdk/jfr/event/runtime/TestActiveSettingEvent.java
+      failed with "Expected two batches of Active Setting events"
+    + JDK-8288663: JFR: Disabling the JfrThreadSampler commits only
+      a partially disabled state
+    + JDK-8288846: misc tests fail "assert(ms < 1000) failed:
+      Un-interruptable sleep, short time use only"
+    + JDK-8289764: gc/lock tests failed with "OutOfMemoryError:
+      Java heap space: failed reallocation of scalar replaced
+      objects"
+    + JDK-8290041: ModuleDescriptor.hashCode is inconsistent
+    + JDK-8290203: ProblemList vmTestbase/nsk/jvmti/scenarios/
+      /capability/CM03/cm03t001/TestDescription.java on linux-all
+    + JDK-8290399: [macos] Aqua LAF does not fire an action event
+      if combo box menu is displayed
+    + JDK-8292458: Atomic operations on scoped enums don't build
+      with clang
+    + JDK-8292946: GC lock/jni/jnilock001 test failed
+      "assert(gch->gc_cause() == GCCause::_scavenge_alot ||
+      !gch->incremental_collection_failed()) failed: Twice in a row"
+    + JDK-8293117: Add atomic bitset functions
+    + JDK-8293547: Add relaxed add_and_fetch for macos aarch64
+      atomics
+    + JDK-8294158: HTML formatting for PassFailJFrame instructions
+    + JDK-8294254: [macOS] javax/swing/plaf/aqua/
+      /CustomComboBoxFocusTest.java failure
+    + JDK-8294535: Add screen capture functionality to
+      PassFailJFrame
+    + JDK-8295068: SSLEngine throws NPE parsing CertificateRequests
+    + JDK-8295124: Atomic::add to pointer type may return wrong
+      value
+    + JDK-8295274: HelidonAppTest.java fails
+      "assert(event->should_commit()) failed: invariant" from
+      compiled frame"
+    + JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
+    + JDK-8297968: Crash in PrintOptoAssembly
+    + JDK-8298087: XML Schema Validation reports an required
+      attribute twice via ErrorHandler
+    + JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java
+      failed: ExceptionInInitializerError: target class not found
+    + JDK-8300269: The selected item in an editable JComboBox with
+      titled border is not visible in Aqua LAF
+    + JDK-8301306: java/net/httpclient/* fail with -Xcomp
+    + JDK-8301310: The SendRawSysexMessage test may cause a JVM
+      crash
+    + JDK-8301787: java/net/httpclient/SpecialHeadersTest failing
+      after JDK-8301306
+    + JDK-8301846: Invalid TargetDataLine after screen lock when
+      using JFileChooser or COM library
+    + JDK-8302017: Allocate BadPaddingException only if it will be
+      thrown
+    + JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/
+      /TestAMEnotNPE.java
+    + JDK-8303605: Memory leaks in Metaspace gtests
+    + JDK-8304074: [JMX] Add an approximation of total bytes
+      allocated on the Java heap by the JVM
+    + JDK-8304696: Duplicate class names in dynamicArchive tests
+      can lead to test failure
+    + JDK-8305356: Fix ignored bad CompileCommands in tests
+    + JDK-8305900: Use loopback IP addresses in security policy
+      files of httpclient tests
+    + JDK-8305906: HttpClient may use incorrect key when finding
+      pooled HTTP/2 connection for IPv6 address
+    + JDK-8305962: update jcstress to 0.16
+    + JDK-8305972: Update XML Security for Java to 3.0.2
+    + JDK-8306014: Update javax.net.ssl TLS tests to use
+      SSLContextTemplate or SSLEngineTemplate
+    + JDK-8306408: Fix the format of several tables in building.md
+    + JDK-8307185: pkcs11 native libraries make JNI calls into java
+      code while holding GC lock
+    + JDK-8307926: Support byte-sized atomic bitset operations
+    + JDK-8307955: Prefer to PTRACE_GETREGSET instead of
+      PTRACE_GETREGS in method 'ps_proc.c::process_get_lwp_regs'
+    + JDK-8307990: jspawnhelper must close its writing side of a
+      pipe before reading from it
+    + JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC
+      while allocating
+    + JDK-8308245: Add -proc:full to describe current default
+      annotation processing policy
+    + JDK-8308336: Test java/net/HttpURLConnection/
+      /HttpURLConnectionExpectContinueTest.java failed:
+      java.net.BindException: Address already in use
+    + JDK-8309302: java/net/Socket/Timeouts.java fails with
+      AssertionError on test temporal post condition
+    + JDK-8309305: sun/security/ssl/SSLSocketImpl/
+      /BlockedAsyncClose.java fails with jtreg test timeout
+    + JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/
+      /agentthr001/TestDescription.java crashing due to empty while
+      loop
+    + JDK-8309733: [macOS, Accessibility] VoiceOver: Incorrect
+      announcements of JRadioButton
+    + JDK-8309870: Using -proc:full should be considered requesting
+      explicit annotation processing
+    + JDK-8310106: sun.security.ssl.SSLHandshake
+      .getHandshakeProducer() incorrectly checks handshakeConsumers
+    + JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/
+      /bug6889007.java fails
+    + JDK-8310380: Handle problems in core-related tests on macOS
+      when codesign tool does not work
+    + JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is
+      spuriously passing
+    + JDK-8310807: java/nio/channels/DatagramChannel/Connect.java
+      timed out
+    + JDK-8310838: Correct range notations in MethodTypeDesc
+      specification
+    + JDK-8310844: [AArch64] C1 compilation fails because monitor
+      offset in OSR buffer is too large for immediate
+    + JDK-8310923: Refactor Currency tests to use JUnit
+    + JDK-8311081: KeytoolReaderP12Test.java fail on localized
+      Windows platform
+    + JDK-8311160: [macOS, Accessibility] VoiceOver: No
+      announcements on JRadioButtonMenuItem and JCheckBoxMenuItem
+    + JDK-8311581: Remove obsolete code and comments in TestLVT.java
+    + JDK-8311645: Memory leak in jspawnhelper spawnChild after
+      JDK-8307990
+    + JDK-8311986: Disable runtime/os/TestTracePageSizes.java for
+      ShenandoahGC
+    + JDK-8312428: PKCS11 tests fail with NSS 3.91
+    + JDK-8312434: SPECjvm2008/xml.transform with CDS fails with
+      "can't seal package nu.xom"
+    + JDK-8313081: MonitoringSupport_lock should be unconditionally
+      initialized after 8304074
+    + JDK-8313082: Enable CreateCoredumpOnCrash for testing in
+      makefiles
+    + JDK-8313206: PKCS11 tests silently skip execution
+    + JDK-8313575: Refactor PKCS11Test tests
+    + JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/
+      /TestFloatingDecimal should use RandomFactory
+    + JDK-8313643: Update HarfBuzz to 8.2.2
+    + JDK-8313816: Accessing jmethodID might lead to spurious
+      crashes
+    + JDK-8314164: java/net/HttpURLConnection/
+      /HttpURLConnectionExpectContinueTest.java fails intermittently
+      in timeout
+    + JDK-8314220: Configurable InlineCacheBuffer size
+    + JDK-8314830: runtime/ErrorHandling/ tests ignore external VM
+      flags
+    + JDK-8315034: File.mkdirs() occasionally fails to create
+      folders on Windows shared folder
+    + JDK-8315042: NPE in PKCS7.parseOldSignedData
+    + JDK-8315594: Open source few headless Swing misc tests
+    + JDK-8315600: Open source few more headless Swing misc tests
+    + JDK-8315602: Open source swing security manager test
+    + JDK-8315611: Open source swing text/html and tree test
+    + JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should
+      run with -Xbatch
+    + JDK-8315731: Open source several Swing Text related tests
+    + JDK-8315761: Open source few swing JList and JMenuBar tests
+    + JDK-8315920: C2: "control input must dominate current
+      control" assert failure
+    + JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/
+      /bug4654927.java: component must be showing on the screen to
+      determine its location
+    + JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use
+      createTestJvm
+    + JDK-8316028: Update FreeType to 2.13.2
+    + JDK-8316030: Update Libpng to 1.6.40
+    + JDK-8316106: Open source few swing JInternalFrame and
+      JMenuBar tests
+    + JDK-8316304: (fs) Add support for BasicFileAttributes
+      .creationTime() for Linux
+    + JDK-8316392: compiler/interpreter/
+      /TestVerifyStackAfterDeopt.java failed with SIGBUS in
+      PcDescContainer::find_pc_desc_internal
+    + JDK-8316414: C2: large byte array clone triggers "failed:
+      malformed control flow" assertion failure on linux-x86
+    + JDK-8316415: Parallelize
+      sun/security/rsa/SignedObjectChain.java subtests
+    + JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java
+      get OOM killed with Parallel GC
+    + JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/
+      /CheckOrigin.java as vm.flagless
+    + JDK-8316679: C2 SuperWord: wrong result, load should not be
+      moved before store if not comparable
+    + JDK-8316693: Simplify at-requires checkDockerSupport()
+    + JDK-8316929: Shenandoah: Shenandoah degenerated GC and full
+      GC need to cleanup old OopMapCache entries
+    + JDK-8316947: Write a test to check textArea triggers
+      MouseEntered/MouseExited events properly
+    + JDK-8317039: Enable specifying the JDK used to run jtreg
+    + JDK-8317144: Exclude sun/security/pkcs11/sslecc/
+      /ClientJSSEServerJSSE.java on Linux ppc64le
+    + JDK-8317307: test/jdk/com/sun/jndi/ldap/
+      /LdapPoolTimeoutTest.java fails with ConnectException:
+      Connection timed out: no further information
+    + JDK-8317603: Improve exception messages thrown by
+      sun.nio.ch.Net native methods (win)
+    + JDK-8317771: [macos14] Expand/collapse a JTree using keyboard
+      freezes the application in macOS 14 Sonoma
+    + JDK-8317807: JAVA_FLAGS removed from jtreg running in
+      JDK-8317039
+    + JDK-8317960: [17u] Excessive CPU usage on
+      AbstractQueuedSynchronized.isEnqueued
+    + JDK-8318154: Improve stability of WheelModifier.java test
+    + JDK-8318183: C2: VM may crash after hitting node limit
+    + JDK-8318410: jdk/java/lang/instrument/BootClassPath/
+      /BootClassPathTest.sh fails on Japanese Windows
+    + JDK-8318468: compiler/tiered/LevelTransitionTest.java fails
+      with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1
+    + JDK-8318490: Increase timeout for JDK tests that are close to
+      the limit when run with libgraal
+    + JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java
+    + JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni
+      tests
+    + JDK-8318608: Enable parallelism in
+      vmTestbase/nsk/stress/threads tests
+    + JDK-8318689: jtreg is confused when folder name is the same
+      as the test name
+    + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with
+      "transport error 202: bind failed: Address already in use"
+    + JDK-8318951: Additional negative value check in JPEG decoding
+    + JDK-8318955: Add ReleaseIntArrayElements in
+      Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to
+      early return
+    + JDK-8318957: Enhance agentlib:jdwp help output by info about
+      allow option
+    + JDK-8318961: increase javacserver connection timeout values
+      and max retry attempts
+    + JDK-8318971: Better Error Handling for Jar Tool When
+      Processing Non-existent Files
+    + JDK-8318983: Fix comment typo in PKCS12Passwd.java
+    + JDK-8319124: Update XML Security for Java to 3.0.3
+    + JDK-8319213: Compatibility.java reads both stdout and stderr
+      of JdkUtils
+    + JDK-8319436: Proxy.newProxyInstance throws NPE if loader is
+      null and interface not visible from class loader
+    + JDK-8319456: jdk/jfr/event/gc/collection/
+      /TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker
+      Initiated GC' not in the valid causes
+    + JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh
+    + JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21
+    + JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks
+    + JDK-8320001: javac crashes while adding type annotations to
+      the return type of a constructor
+    + JDK-8320168: handle setsocktopt return values
+    + JDK-8320208: Update Public Suffix List to b5bf572
+    + JDK-8320300: Adjust hs_err output in malloc/mmap error cases
+    + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks
+      wrong, missed optimization opportunity
+    + JDK-8320597: RSA signature verification fails on signed data
+      that does not encode params correctly
+    + JDK-8320798: Console read line with zero out should zero out
+      underlying buffer
+    + JDK-8320885: Bump update version for OpenJDK: jdk-17.0.11
+    + JDK-8320921: GHA: Parallelize hotspot_compiler test jobs
+    + JDK-8320937: support latest VS2022 MSC_VER in
+      abstract_vm_version.cpp
+    + JDK-8321151: JDK-8294427 breaks Windows L&F on all older
+      Windows versions
+    + JDK-8321215: Incorrect x86 instruction encoding for VSIB
+      addressing mode
+    + JDK-8321408: Add Certainly roots R1 and E1
+    + JDK-8321480: ISO 4217 Amendment 176 Update
+    + JDK-8321599: Data loss in AVX3 Base64 decoding
+    + JDK-8321815: Shenandoah: gc state should be synchronized to
+      java threads only once per safepoint
+    + JDK-8321972: test runtime/Unsafe/InternalErrorTest.java
+      timeout on linux-riscv64 platform
+    + JDK-8322098: os::Linux::print_system_memory_info enhance the
+      THP output with
+      /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
+    + JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces
+    + JDK-8322417: Console read line with zero out should zero out
+      when throwing exception
+    + JDK-8322583: RISC-V: Enable fast class initialization checks
+    + JDK-8322725: (tz) Update Timezone Data to 2023d
+    + JDK-8322750: Test "api/java_awt/interactive/
+      /SystemTrayTests.html" failed because A blue ball icon is
+      added outside of the system tray
+    + JDK-8322772: Clean up code after JDK-8322417
+    + JDK-8322783: prioritize /etc/os-release over
+      /etc/SuSE-release in hs_err/info output
+    + JDK-8322968: [17u] Amend Atomics gtest with 1-byte tests
+    + JDK-8323008: filter out harmful -std* flags added by autoconf
+      from CXX
+    + JDK-8323021: Shenandoah: Encountered reference count always
+      attributed to first worker thread
+    + JDK-8323086: Shenandoah: Heap could be corrupted by oom
+      during evacuation
+    + JDK-8323243: JNI invocation of an abstract instance method
+      corrupts the stack
+    + JDK-8323331: fix typo hpage_pdm_size
+    + JDK-8323428: Shenandoah: Unused memory in regions compacted
+      during a full GC should be mangled
+    + JDK-8323515: Create test alias "all" for all test roots
+    + JDK-8323637: Capture hotspot replay files in GHA
+    + JDK-8323640: [TESTBUG]testMemoryFailCount in
+      jdk/internal/platform/docker/TestDockerMemoryMetrics.java
+      always fail because OOM killed
+    + JDK-8323806: [17u] VS2017 build fails with warning after
+      8293117.
+    + JDK-8324184: Windows VS2010 build failed with "error C2275:
+      'int64_t'"
+    + JDK-8324280: RISC-V: Incorrect implementation in
+      VM_Version::parse_satp_mode
+    + JDK-8324347: Enable "maybe-uninitialized" warning for
+      FreeType 2.13.1
+    + JDK-8324514: ClassLoaderData::print_on should print address
+      of class loader
+    + JDK-8324647: Invalid test group of lib-test after JDK-8323515
+    + JDK-8324659: GHA: Generic jtreg errors are not reported
+    + JDK-8324937: GHA: Avoid multiple test suites per job
+    + JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
+      /AKISerialNumber.java is failing
+    + JDK-8325150: (tz) Update Timezone Data to 2024a
+    + JDK-8325585: Remove no longer necessary calls to
+      set/unset-in-asgct flag in JDK 17
+    + JDK-8326000: Remove obsolete comments for class
+      sun.security.ssl.SunJSSE
+    + JDK-8327036: [macosx-aarch64] SIGBUS in
+      MarkActivationClosure::do_code_blob reached from
+      Unsafe_CopySwapMemory0
+    + JDK-8327391: Add SipHash attribution file
+    + JDK-8329836: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.11
+
+-------------------------------------------------------------------
+Thu Mar  7 12:44:28 UTC 2024 - Fridrich Strba 
+
+- Removed patch:
+  * alternative-tzdb_dat.patch
+    + Remove the possibility to use the system timezone-java. It
+      creates more problems then it solves (bsc#1213470)
+
+-------------------------------------------------------------------
+Tue Feb 20 15:41:01 UTC 2024 - Fridrich Strba 
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Wed Feb  7 14:14:46 UTC 2024 - Fridrich Strba 
+
+- Recommend mozilla-nss-sysinit in order to have available the
+  /etc/pki/nssdb directory and its content, required in fips mode
+  (bsc#1219662)
+- Do not install our crafted nss.fips.cfg file, but use the one that
+  the build produces with our fips.patch applied
+- Removed patch:
+  * nss-security-provider.patch
+    + this DISABLED nss security provider was not used for years and
+      is largely rendered obsolete by the NSS-FIPS provider
+- Modified patch:
+  * fips.patch
+    + adapt to the removal of the nss security provider
+
+-------------------------------------------------------------------
+Wed Jan 17 14:03:44 UTC 2024 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.10+7 (January 2024 CPU)
+  * CVEs
+    + CVE-2024-20918, bsc#1218907
+    + CVE-2024-20919, bsc#1218903
+    + CVE-2024-20921, bsc#1218905
+    + CVE-2024-20932, bsc#1218908
+    + CVE-2024-20945, bsc#1218909
+    + CVE-2024-20952, bsc#1218911
+  * Security fixes
+    + JDK-8276123, JDK-8316613: ZipFile::getEntry will not return a
+      file entry when there is a directory entry of the same name
+      within a Zip File
+    + JDK-8308204: Enhanced certificate processing
+    + JDK-8314295: Enhance verification of verifier
+    + JDK-8314307: Improve loop handling
+    + JDK-8314468: Improve Compiler loops
+    + JDK-8316976: Improve signature handling
+    + JDK-8317547: Enhance TLS connection support
+  * Other changes
+    + JDK-6445283: ProgressMonitorInputStream not large file aware
+      (>2GB)
+    + JDK-8041447: Test javax/swing/dnd/7171812/bug7171812.java
+      fails with java.lang.RuntimeException: Test failed, scroll on
+      drag doesn't work
+    + JDK-8061729: Update java/net tests to eliminate dependency on
+      sun.net.www.MessageHeader and some other internal APIs
+    + JDK-8161536: sun/security/pkcs11/sslecc/
+      /ClientJSSEServerJSSE.java fails with ProviderException
+    + JDK-8168469: Memory leak in JceSecurity
+    + JDK-8176567: nsk/jdi/ReferenceType/instances/instances002:
+      TestFailure: Unexpected size of referenceType
+      .instances(nsk.share.jdi.TestInterfaceImplementer1): 11,
+      expected: 10
+    + JDK-8193543: Regression automated test '/open/test/jdk/java/
+      /awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java'
+      fails
+    + JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/
+      /isexceeded001/TestDescription.java still failing
+    + JDK-8202790: DnD test DisposeFrameOnDragTest.java does not
+      clean up
+    + JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/
+      /ChoicePopupLocation.java fails
+    + JDK-8207166: jdk/jshell/
+      /JdiHangingLaunchExecutionControlTest.java - launch timeout
+    + JDK-8225313: serviceability/jvmti/HeapMonitor/MyPackage/
+      /HeapMonitorStatObjectCorrectnessTest.java failed with
+      Unexpected high difference percentage
+    + JDK-8228990: JFR: TestNetworkUtilizationEvent.java expects 2+
+      Network interfaces on Linux but finding 1
+    + JDK-8232839: JDI AfterThreadDeathTest.java failed due to
+      "FAILED: Did not get expected IllegalThreadStateException on a
+      StepRequest.enable()"
+    + JDK-8232933: Javac inferred type does not conform to equality
+      constraint
+    + JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/
+      /AccessibleChoiceTest.java fails
+    + JDK-8244289: fatal error: Possible safepoint reached by
+      thread that does not allow it
+    + JDK-8247351: [aarch64] NullPointerException during stack
+      walking (clhsdb "where -a")
+    + JDK-8249826: 5 javax/net/ssl/SSLEngine tests use @ignore w/o
+      bug-id
+    + JDK-8258951: java/net/httpclient/HandshakeFailureTest.java
+      failed with "RuntimeException: Not found expected
+      SSLHandshakeException in java.io.IOException"
+    + JDK-8262186: Call X509KeyManager.chooseClientAlias once for
+      all key types
+    + JDK-8262901: [macos_aarch64] NativeCallTest
+      expected:<-3.8194101E18> but was:<3.02668882E10>
+    + JDK-8265586: [windows] last button is not shown in AWT Frame
+      with BorderLayout and MenuBar set.
+    + JDK-8266593: vmTestbase/nsk/jvmti/PopFrame/popframe011 fails
+      with "assert(java_thread == _state->get_thread()) failed: Must be"
+    + JDK-8268433: serviceability/dcmd/framework/VMVersionTest.java
+      fails with Unable to send object throw not established PipeIO
+      Listener Thread connection
+    + JDK-8268916: Tests for AffirmTrust roots
+    + JDK-8269425: 2 jdk/jfr/api/consumer/streaming tests failed to
+      attach
+    + JDK-8270199: Most SA tests are skipped on macosx-aarch64
+      because all executables are signed
+    + JDK-8270447: [IR Framework] Add missing compilation level
+      restriction when using FlipC1C2 stress option
+    + JDK-8271073: Improve testing with VM option
+      VerifyArchivedFields
+    + JDK-8271566: DSA signature length value is not accurate in
+      P11Signature
+    + JDK-8271824: mark hotspot runtime/CompressedOops tests which
+      ignore external VM flags
+    + JDK-8271826: mark hotspot runtime/condy tests which ignore
+      external VM flags
+    + JDK-8271828: mark hotspot runtime/classFileParserBug tests
+      which ignore external VM flags
+    + JDK-8271829: mark hotspot runtime/Throwable tests which
+      ignore external VM flags
+    + JDK-8271886: mark hotspot runtime/InvocationTests tests which
+      ignore external VM flags
+    + JDK-8271887: mark hotspot runtime/CDSCompressedKPtrs tests
+      which ignore external VM flags
+    + JDK-8271890: mark hotspot runtime/Dictionary tests which
+      ignore external VM flags
+    + JDK-8271891: mark hotspot runtime/Safepoint tests which
+      ignore external VM flags
+    + JDK-8271892: mark hotspot runtime/PrintStringTableStats/
+      /PrintStringTableStatsTest.java test as ignoring external VM
+      flags
+    + JDK-8271893: mark hotspot runtime/PerfMemDestroy/
+      /PerfMemDestroy.java test as ignoring external VM flags
+    + JDK-8271904: mark hotspot runtime/ClassFile tests which
+      ignore external VM flags
+    + JDK-8271905: mark hotspot runtime/Metaspace tests which
+      ignore external VM flags
+    + JDK-8272099: mark hotspot runtime/Monitor tests which ignore
+      external VM flags
+    + JDK-8272291: mark hotspot runtime/logging tests which ignore
+      external VM flags
+    + JDK-8272551: mark hotspot runtime/modules tests which ignore
+      external VM flags
+    + JDK-8272552: mark hotspot runtime/cds tests which ignore
+      external VM flags
+    + JDK-8272998: ImageIO.read() throws incorrect exception type
+    + JDK-8273456: Do not hold ttyLock around stack walking
+    + JDK-8273522: Rename test property vm.cds.archived.java.heap
+      to vm.cds.write.archived.java.heap
+    + JDK-8273629: compiler/uncommontrap/TestDeoptOOM.java fails
+      with release VMs
+    + JDK-8273831: PrintServiceLookup spawns 2 threads in the
+      current classloader, getting orphaned
+    + JDK-8273921: Refactor NSK/JDI tests to create thread using
+      factory
+    + JDK-8274211: Test man page that options are documented
+    + JDK-8274345: make build-test-lib is broken
+    + JDK-8275329: ZGC: vmTestbase/gc/gctests/SoftReference/soft004/
+      /soft004.java fails with assert(_phases->length() <= 1000)
+      failed: Too many recored phases?
+    + JDK-8275333: Print count in "Too many recored phases?" assert
+    + JDK-8275440: Remove VirtualSpaceList::is_full()
+    + JDK-8275509: ModuleDescriptor.hashCode isn't reproducible
+      across builds
+    + JDK-8276036: The value of full_count in the message of
+      insufficient codecache is wrong
+    + JDK-8276054: JMH benchmarks for Fences
+    + JDK-8276711: compiler/codecache/cli tests failing when
+      SegmentedCodeCache used with -Xint
+    + JDK-8276819: javax/print/PrintServiceLookup/
+      /FlushCustomClassLoader.java fails to free
+    + JDK-8277307: Pre shared key sent under both session_ticket
+      and pre_shared_key extensions
+    + JDK-8279856: Parallel: Use PreservedMarks to record
+      promotion-failed objects
+    + JDK-8281015: Further simplify NMT backend
+    + JDK-8281149: (fs) java/nio/file/FileStore/Basic.java  fails
+      with java.lang.RuntimeException: values differ by more than
+      1GB
+    + JDK-8281874: Can't unpack msi installers from test/jdk/tools/
+      /jpackage/windows/test/jdk/tools/jpackage/windows/
+      /WinShortcutPromptTest.java test
+    + JDK-8282011: test/jdk/tools/jpackage/windows/WinL10nTest.java
+      test fails if light.exe is not in %PATH%
+    + JDK-8282017: sun/net/www/protocol/https/HttpsURLConnection/
+      /B6216082.java fails with "SocketException: Unexpected end of
+      file from server"
+    + JDK-8283670: gtest os.release_multi_mappings_vm is still racy
+    + JDK-8284047: Harmonize/Standardize the
+      SSLSocket/SSLEngine/SSLSocketSSLEngine test templates
+    + JDK-8285516: clearPassword should be called in a finally try
+      block
+    + JDK-8285785: CheckCleanerBound test fails with
+      PasswordCallback object is not released
+    + JDK-8285867: Convert applet manual tests
+      SelectionVisible.java to Frame and automate
+    + JDK-8286430: make test TEST="gtest:" exits with
+      error when it shouldn't
+    + JDK-8286473: Drop --enable-preview from Record related tests
+    + JDK-8286474: Drop --enable-preview from Sealed Classes
+      related tests
+    + JDK-8286475: Drop --enable-preview from instanceof pattern
+      matching related tests
+    + JDK-8286969: Add a new test library API to execute kinit in
+      SecurityTools.java
+    + JDK-8287596: Reorg jdk.test.lib.util.ForceGC
+    + JDK-8287671: Adjust ForceGC to invoke System::gc fewer times
+      for negative case
+    + JDK-8287867: Bad merge of jdk/test/lib/util/ForceGC.java
+      causing test compilation error
+    + JDK-8288325: [windows] Actual and Preferred Size of AWT
+      Non-resizable frame are different
+    + JDK-8288961: jpackage: test MSI installation fix
+    + JDK-8288993: Make AwtFramePackTest generic by removing
+      @requires tag
+    + JDK-8289584: (fs) Print size values in java/nio/file/
+      /FileStore/Basic.java when they differ by > 1GiB
+    + JDK-8289745: JfrStructCopyFailed uses heap words instead of
+      bytes for object sizes
+    + JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests
+      failed with "isUsageThresholdExceeded() returned false, and is
+      still false, while threshold = MMMMMMM and used
+      peak = NNNNNNN"
+    + JDK-8291154: Create a non static nested class without
+      enclosing class throws VerifyError
+    + JDK-8291550: RISC-V: jdk uses misaligned memory access when
+      AvoidUnalignedAccess enabled
+    + JDK-8291911: java/io/File/GetXSpace.java fails with
+      "53687091200 != 161051996160"
+    + JDK-8292067: Convert test/sun/management/jmxremote/bootstrap
+      shell tests to java version
+    + JDK-8292072: NMT: repurpose Tracking overhead counter as
+      global malloc counter
+    + JDK-8292261: adjust timeouts in JLI
+      GetObjectSizeIntrinsicsTest.java
+    + JDK-8292381: java/net/httpclient/SpecialHeadersTest.java
+      fails with "ERROR: Shutting down connection: HTTP/2 client
+      stopped"
+    + JDK-8292636: (dc) Problem listing of java/nio/channels/
+      /DatagramChannel/Unref.java has incorrect issue ID
+    + JDK-8292717: Clean up checking of testing requirements in
+      configure
+    + JDK-8293156: Dcmd VM.classloaders fails to print the full
+      hierarchy
+    + JDK-8293335: sun/management/jmxremote/bootstrap/
+      /RmiBootstrapTest.java#id1failed with "Agent communication
+      error: java.io.EOFException"
+    + JDK-8293343: sun/management/jmxremote/bootstrap/
+      /RmiSslNoKeyStoreTest.java failed with "Agent communication
+      error: java.io.EOFException"
+    + JDK-8293563: [macos-aarch64] SA core file tests failing with
+      sun.jvm.hotspot.oops.UnknownOopException
+    + JDK-8293579: tools/jpackage/share/jdk/jpackage/tests/
+      /UnicodeArgsTest.java fails on Japanese Windows platform
+    + JDK-8294402: Add diagnostic logging to
+      VMProps.checkDockerSupport
+    + JDK-8294427: Check boxes and radio buttons have rendering
+      issues on Windows in High DPI env
+    + JDK-8294881: test/hotspot/jtreg/vmTestbase/nsk/jdi(
+      /VirtualMachine/dispose/dispose003/TestDescription.java fails
+    + JDK-8295229: Try to verify gtest version
+    + JDK-8295424: adjust timeout for another JLI
+      GetObjectSizeIntrinsicsTest.java subtest
+    + JDK-8296275: Write a test to verify setAccelerator  method of
+      JMenuItem
+    + JDK-8296437: NMT incurs costs if disabled
+    + JDK-8296821: compiler/jvmci/jdk.vm.ci.code.test/src/jdk/vm/ci/
+      /code/test/NativeCallTest.java fails after JDK-8262901
+    + JDK-8297142: jdk/jfr/event/runtime/TestShutdown.java fails on
+      Linux ppc64le and Linux aarch64
+    + JDK-8297296: java/awt/Mouse/EnterExitEvents/
+      /DragWindowTest.java fails with "No MouseReleased event on
+      label!"
+    + JDK-8297367: disable TestRedirectLinks.java in slowdebug mode
+    + JDK-8297640: Increase buffer size for buf
+      (insert_features_names) in
+      Abstract_VM_Version::insert_features_names
+    + JDK-8297798: Timeout with DTLSOverDatagram test template
+    + JDK-8297958: NMT: Display peak values
+    + JDK-8298298: NMT: count deltas are printed with 32-bit signed
+      size
+    + JDK-8298619: java/io/File/GetXSpace.java is failing
+    + JDK-8298735: Some tools/jpackage/windows/* tests fails with
+      jtreg test timeout
+    + JDK-8298867: Basics.java fails with SSL handshake exception
+    + JDK-8298868: Update EngineCloseOnAlert.java for changes to
+      TLS implementation
+    + JDK-8298869: Update ConnectionTest.java for changes to TLS
+      implementation
+    + JDK-8298872: Update CheckStatus.java for changes to TLS
+      implementation
+    + JDK-8298873: Update IllegalRecordVersion.java for changes to
+      TLS implementation
+    + JDK-8298874: Update TestAllSuites.java for TLS v1.2 and 1.3
+    + JDK-8298905: Test "java/awt/print/PrinterJob/ImagePrinting/
+      /PrintARGBImage.java" fails because the frames of instruction
+      does not display
+    + JDK-8299075: TestStringDeduplicationInterned.java fails
+      because extra deduplication
+    + JDK-8299207: [Testbug] Add back test/jdk/java/awt/Graphics2D/
+      /DrawPrimitivesTest.java
+    + JDK-8299241: jdk/jfr/api/consumer/streaming/TestJVMCrash.java
+      generates unnecessary core file
+    + JDK-8299255: Unexpected round errors in FreetypeFontScaler
+    + JDK-8299677: Formatter.format might take a long time to
+      format an integer or floating-point
+    + JDK-8299748: java/util/zip/Deinflate.java failing on s390x
+    + JDK-8300259: Add test coverage for processing of pending
+      block files in signed JARs
+    + JDK-8300272: Improve readability of the test
+      JarWithOneNonDisabledDigestAlg
+    + JDK-8300727: java/awt/List/ListGarbageCollectionTest/
+      /AwtListGarbageCollectionTest.java failed with "List wasn't
+      garbage collected"
+    + JDK-8300997: Add curl support to createJMHBundle.sh
+    + JDK-8301065: Handle control characters in
+      java_lang_String::print
+    + JDK-8301189: validate-source fails after JDK-8298873
+    + JDK-8301247: JPackage app-image exe launches multiple exe's
+      in JDK 17+
+    + JDK-8301377: adjust timeout for JLI
+      GetObjectSizeIntrinsicsTest.java subtest again
+    + JDK-8301455: comments in TestTypeAnnotations still refer to
+      resolved JDK-8068737
+    + JDK-8301457: Code in SendPortZero.java is uncommented even
+      after JDK-8236852 was fixed
+    + JDK-8301489: C1: ShortLoopOptimizer might lift instructions
+      before their inputs
+    + JDK-8301570: Test  runtime/jni/nativeStack/ needs to detach
+      the native thread
+    + JDK-8301701: java/net/DatagramSocket/
+      /DatagramSocketMulticasting.java should be hardened
+    + JDK-8302017: Allocate BadPaddingException only if it will be
+      thrown
+    + JDK-8302109: Trivial fixes to btree tests
+    + JDK-8302525: Write a test to check various components send
+      Events while mouse and key are used simultaneously
+    + JDK-8302607: increase timeout for
+      ContinuousCallSiteTargetChange.java
+    + JDK-8303607: SunMSCAPI provider leaks memory and keys
+    + JDK-8303922: build-test-lib target is broken
+    + JDK-8304174: Remove delays from httpserver tests
+    + JDK-8304954: SegmentedCodeCache fails when using large pages
+    + JDK-8305502: adjust timeouts in three more M&M tests
+    + JDK-8305505: NPE in javazic compiler
+    + JDK-8305646: compile error on Alpine with gcc12 after 8298619
+      in libGetXSpace.c
+    + JDK-8306280: Open source several choice AWT tests
+    + JDK-8307123: Fix deprecation warnings in DPrinter
+    + JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing
+      JTableHeader tests
+    + JDK-8307403: java/util/zip/DeInflate.java timed out
+    + JDK-8307732: build-test-lib is broken
+    + JDK-8308047: java/util/concurrent/ScheduledThreadPoolExecutor/
+      /BasicCancelTest.java timed out and also had jcmd pipe errors
+    + JDK-8308103: Massive (up to ~30x) increase in C2 compilation
+      time since JDK 17
+    + JDK-8308116: jdk.test.lib.compiler
+      .InMemoryJavaCompiler.compile does not close files
+    + JDK-8308223: failure handler missed jcmd.vm.info command
+    + JDK-8308592: Framework for CA interoperability testing
+    + JDK-8308593: Add KEEPALIVE Extended Socket Options Support
+      for Windows
+    + JDK-8308910: Allow executeAndLog to accept running process
+    + JDK-8309032: jpackage does not work for module projects
+      unless --module-path is specified
+    + JDK-8309104: [JVMCI] compiler/unsafe/
+      /UnsafeGetStableArrayElement test asserts wrong values with
+      Graal
+    + JDK-8309216: Cast from jchar* to char* in test
+      java/io/GetXSpace.java
+    + JDK-8309258: RISC-V: Add riscv_hwprobe syscall
+    + JDK-8309502: RISC-V: String.indexOf intrinsic may produce
+      misaligned memory loads
+    + JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when
+      using second test directory
+    + JDK-8309974: some JVMCI tests fail when VM options include
+      -XX:+EnableJVMCI
+    + JDK-8310233: Fix THP detection on Linux
+    + JDK-8310265: (process) jspawnhelper should not use argv[0]
+    + JDK-8310268: RISC-V: misaligned memory access in
+      String.Compare intrinsic
+    + JDK-8310321: make JDKOPT_CHECK_CODESIGN_PARAMS more verbose
+    + JDK-8310656: RISC-V: __builtin___clear_cache can fail
+      silently.
+    + JDK-8310687: JDK-8303215 is incomplete
+    + JDK-8311511: Improve description of NativeLibrary JFR event
+    + JDK-8311514: Incorrect regex in TestMetaSpaceLog.java
+    + JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java
+    + JDK-8311592: ECKeySizeParameterSpec causes too many
+      exceptions on third party providers
+    + JDK-8311631: When multiple users run tools/jpackage/share/
+      /LicenseTest.java, Permission denied for writing
+      /var/tmp/*.files
+    + JDK-8311813: C1: Uninitialized PhiResolver::_loop field
+    + JDK-8312065: Socket.connect does not timeout when profiling
+    + JDK-8312078: [PPC] JcmdScale.java Failing on AIX
+    + JDK-8312126: NullPointerException in CertStore.getCRLs after
+      8297955
+    + JDK-8312182: THPs cause huge RSS due to thread start timing
+      issue
+    + JDK-8312394: [linux] SIGSEGV if kernel was built without
+      hugepage support
+    + JDK-8312395: Improve assertions in growableArray
+    + JDK-8312440: assert(cast != nullptr) failed: must have added
+      a cast to pin the node
+    + JDK-8312467: relax the builddir check in
+      make/autoconf/basic.m4
+    + JDK-8312489: Increase jdk.jar.maxSignatureFileSize default
+      which is too low for JARs such as WhiteSource/Mend unified agent jar
+    + JDK-8312535: MidiSystem.getSoundbank() throws unexpected
+      SecurityException
+    + JDK-8312573: Failure during CompileOnly parsing leads to
+      ShouldNotReachHere
+    + JDK-8312585: Rename DisableTHPStackMitigation flag to
+      THPStackMitigation
+    + JDK-8312592: New parentheses warnings after HarfBuzz 7.2.0
+      update
+    + JDK-8312612: handle WideCharToMultiByte return values
+    + JDK-8312620: WSL Linux build crashes after JDK-8310233
+    + JDK-8312625: Test serviceability/dcmd/vm/TrimLibcHeapTest.java
+      failed: RSS use increased
+    + JDK-8312909: C1 should not inline through interface calls
+      with non-subtype receiver
+    + JDK-8312974: Bump update version for OpenJDK: jdk-17.0.10
+    + JDK-8313164: src/java.desktop/windows/native/libawt/windows/
+      /awt_Robot.cpp GetRGBPixels adjust releasing of resources
+    + JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground
+      release resources in early returns
+    + JDK-8313322: RISC-V: implement MD5 intrinsic
+    + JDK-8313626: C2 crash due to unexpected exception control flow
+    + JDK-8313657: com.sun.jndi.ldap.Connection.cleanup does not
+      close connections on SocketTimeoutErrors
+    + JDK-8313691: use close after failing os::fdopen in vmError
+      and ciEnv
+    + JDK-8313779: RISC-V: use andn / orn in the MD5 instrinsic
+    + JDK-8313781: Add regression tests for large page logging and
+      user-facing error messages
+    + JDK-8313782: Add user-facing warning if THPs are enabled but
+      cannot be used
+    + JDK-8313792: Verify 4th party information in
+      src/jdk.internal.le/share/legal/jline.md
+    + JDK-8314024: SIGSEGV in
+      PhaseIdealLoop::build_loop_late_post_work due to bad immediate
+      dominator info
+    + JDK-8314045: ArithmeticException in GaloisCounterMode
+    + JDK-8314063: The socket is not closed in
+      Connection::createSocket when the handshake failed for LDAP
+      connection
+    + JDK-8314094: java/lang/ProcessHandle/InfoTest.java fails on
+      Windows when run as user with Administrator privileges
+    + JDK-8314121: test tools/jpackage/share/
+      /RuntimePackageTest.java#id0 fails on RHEL8
+    + JDK-8314139: TEST_BUG: runtime/os/
+      /THPsInThreadStackPreventionTest.java could fail on machine with
+      large number of cores
+    + JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to
+      extra concurrent mark with -Xcomp
+    + JDK-8314242: Update applications/scimark/Scimark.java to
+      accept VM flags
+    + JDK-8314263: Signed jars triggering Logger finder recursion
+      and StackOverflowError
+    + JDK-8314495: Update to use jtreg 7.3.1
+    + JDK-8314679: SA fails to properly attach to JVM after having
+      just detached from a different JVM
+    + JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0
+      write result errno in missing case
+    + JDK-8315020: The macro definition for LoongArch64 zero build
+      is not accurate.
+    + JDK-8315062: [GHA] get-bootjdk action should return the
+      abolute path
+    + JDK-8315195: RISC-V: Update hwprobe query for new extensions
+    + JDK-8315206: RISC-V: hwprobe query is_set return wrong value
+    + JDK-8315214: Do not run sun/tools/jhsdb tests concurrently
+    + JDK-8315377: C2: assert(u->find_out_with(Op_AddP) == nullptr)
+      failed: more than 2 chained AddP nodes?
+    + JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some
+      cases
+    + JDK-8315499: build using devkit on Linux ppc64le RHEL puts
+      path to devkit into libsplashscreen
+    + JDK-8315549: CITime misreports code/total nmethod sizes
+    + JDK-8315606: Open source few swing text/html tests
+    + JDK-8315644: increase timeout of
+      sun/security/tools/jarsigner/Warning.java
+    + JDK-8315683: Parallelize
+      java/util/concurrent/tck/JSR166TestCase.java
+    + JDK-8315692: Parallelize
+      gc/stress/TestStressRSetCoarsening.java test
+    + JDK-8315696: SignedLoggerFinderTest.java test failed
+    + JDK-8315751: RandomTestBsi1999 fails often with timeouts on
+      Linux ppc64le
+    + JDK-8315766: Parallelize
+      gc/stress/TestStressIHOPMultiThread.java test
+    + JDK-8315770: serviceability/sa/TestJmapCoreMetaspace.java
+      should run with -XX:-VerifyDependencies
+    + JDK-8315863: [GHA] Update checkout action to use v4
+    + JDK-8315937: Enable parallelism in
+      vmTestbase/nsk/stress/numeric tests
+    + JDK-8316087: Test SignedLoggerFinderTest.java is still failing
+    + JDK-8316178: Better diagnostic header for CodeBlobs
+    + JDK-8316206: Test StretchedFontTest.java fails for Baekmuk
+      font
+    + JDK-8316461: Fix: make test outputs TEST SUCCESS after
+      unsuccessful exit
+    + JDK-8316514: Better diagnostic header for VtableStub
+    + JDK-8316566: RISC-V: Zero extended narrow oop passed to
+      Atomic::cmpxchg
+    + JDK-8316645: RISC-V: Remove dependency on libatomic by adding
+      cmpxchg 1b
+    + JDK-8316710: Exclude java/awt/font/Rotate/RotatedTextTest.java
+    + JDK-8316743: RISC-V: Change UseVectorizedMismatchIntrinsic
+      option result to warning
+    + JDK-8316746: Top of lock-stack does not match the unlocked
+      object
+    + JDK-8316778: test hprof lib: invalid array element type from
+      JavaValueArray.elementSize
+    + JDK-8316859: RISC-V: Disable detection of V through HWCAP
+    + JDK-8316906: Clarify TLABWasteTargetPercent flag
+    + JDK-8317121: vector_masked_load instruction is moved too
+      early after JDK-8286941
+    + JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js
+    + JDK-8317373: Add Telia Root CA v2
+    + JDK-8317374: Add Let's Encrypt ISRG Root X2
+    + JDK-8317705: ProblemList sun/tools/jstat/jstatLineCountsX.sh
+      on linux-ppc64le and aix due to JDK-8248691
+    + JDK-8317706: Exclude
+      java/awt/Graphics2D/DrawString/RotTransText.java on linux
+    + JDK-8317772: NMT: Make peak values available in release builds
+    + JDK-8317834: java/lang/Thread/IsAlive.java timed out
+    + JDK-8317920: JDWP-agent sends broken exception event with
+      onthrow option
+    + JDK-8317967: Enhance
+      test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java to
+      handle default cases
+    + JDK-8318669: Target OS detection in 'test-prebuilt' makefile
+      target is incorrect when running on MSYS2
+    + JDK-8318705: [macos] ProblemList java/rmi/registry/
+      /multipleRegistries/MultipleRegistries.java
+    + JDK-8318759: Add four DigiCert root certificates
+    + JDK-8318855: Extra file added by mistake during the backport
+      of JDK-8283326
+    + JDK-8318889: C2: add bailout after assert Bad graph detected
+      in build_loop_late
+    + JDK-8318953: RISC-V: Small refactoring for
+      MacroAssembler::test_bit
+    + JDK-8319184: RISC-V: improve MD5 intrinsic
+    + JDK-8319187: Add three eMudhra emSign roots
+    + JDK-8319525: RISC-V: Rename *_riscv64.ad files to *_riscv.ad
+      under riscv/gc
+    + JDK-8319958: test/jdk/java/io/File/libGetXSpace.c does not
+      compile on Windows 32-bit
+    + JDK-8320053: GHA: Cross-compile gtest code
+    + JDK-8320209: VectorMaskGen clobbers rflags on x86_64
+    + JDK-8320597: RSA signature verification fails on signed data
+      that does not encode params correctly
+    + JDK-8320601: ProblemList java/lang/invoke/lambda/
+      /LambdaFileEncodingSerialization.java on linux-all
+    + JDK-8323422: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.10
+- Modified patch:
+  * fips.patch
+    + regenerate to fix one file with substantial changes
+
+-------------------------------------------------------------------
+Thu Oct 19 08:32:39 UTC 2023 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.9+9 (October 2023 CPU)
+  * Security fixes
+    + JDK-8286503, JDK-8312367: Enhance security classes
+    + JDK-8296581: Better system proxy support
+    + JDK-8297856: Improve handling of Bidi characters
+    + JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
+    + JDK-8306881, JDK-8307286: Update FreeType to 2.13.0
+    + JDK-8309966, CVE-2023-22081, bsc#1216374: Enhanced TLS
+      connections
+    + JDK-8312248: Enhanced archival support redux
+    + JDK-8314649: Enhanced archival support redux
+    + JDK-8317121, CVE-2023-22025, bsc#1216339: vector_masked_load
+      instruction is moved too early after JDK-8286941
+  * New features
+    + JDK-8276799: Implementation of JEP 422: Linux/RISC-V Port
+  * Other changes
+    + JDK-6176679: Application freezes when copying an animated gif 
+      image to the system clipboard
+    + JDK-6381945: (cal) Japanese calendar unit test system should 
+      avoid multiple static imports
+    + JDK-8040793: vmTestbase/nsk/monitoring/stress/lowmem fails on 
+      calling isCollectionUsageThresholdExceeded()
+    + JDK-8153837: AArch64: Handle special cases for MaxINode & 
+      MinINode
+    + JDK-8156889: ListKeychainStore.sh fails in some virtualized 
+      environments
+    + JDK-8171221: Remove -XX:+CheckMemoryInitialization
+    + JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh
+      to Java Jtreg Test
+    + JDK-8195589: T6587786.java failed after JDK-8189997
+    + JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh 
+      failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
+    + JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java 
+      fails on Windows
+    + JDK-8229147: Linux os::create_thread() overcounts guardpage 
+      size with newer glibc (>=2.27)
+    + JDK-8252713: jtreg time out of CtrlASCII.java seems to hang 
+      the Xserver.
+    + JDK-8255548: Missing coverage for 
+      javax.xml.crypto.dom.DOMCryptoContext
+    + JDK-8263044: jdk/jfr/jvm/TestDumpOnCrash.java timed out
+    + JDK-8267188: gc/stringdedup/
+      /TestStringDeduplicationInterned.java fails with Shenandoah
+    + JDK-8267341: macos attempt_reserve_memory_at(arg1, arg2, 
+      true) failure
+    + JDK-8267517: async logging for stdout and stderr
+    + JDK-8267860: Off-by-one bug when searching arrays in 
+      AlpnGreaseTest
+    + JDK-8268852: AsyncLogWriter should not overide 
+      is_Named_thread()
+    + JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java 
+      failed with ArrayIndexOutOfBoundsException: Array index out of 
+      range: -4
+    + JDK-8269466: Factor out the common code for initializing and 
+      starting internal VM JavaThreads
+    + JDK-8270331: [TESTBUG] Error: Not a test or directory 
+      containing tests: java/awt/print/PrinterJob/InitToBlack.java
+    + JDK-8270794: Avoid loading Klass* twice in 
+      TypeArrayKlass::oop_size()
+    + JDK-8270894: Use acquire semantics in 
+      ObjectSynchronizer::read_stable_mark()
+    + JDK-8271707: migrate tests to use jdk.test.whitebox.WhiteBox
+    + JDK-8271898: disable os.release_multi_mappings_vm on macOS-X64
+    + JDK-8272586: emit abstract machine code in hs-err logs
+    + JDK-8272654: Mark word accesses should not use Access API
+    + JDK-8273092: Sort classlist in JDK image
+    + JDK-8273803: Zero: Handle "zero" variant in 
+      CommandLineOptionTest.java
+    + JDK-8274986: max code printed in hs-err logs should be 
+      configurable
+    + JDK-8275031: runtime/ErrorHandling/
+      /MachCodeFramesInErrorFile.java fails when hsdis is present
+    + JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java 
+      fails with D3D basic render driver
+    + JDK-8275415: Prepare Leak Profiler for Lilliput
+    + JDK-8275662: remove test/lib/sun/hotspot
+    + JDK-8276333: jdk/jfr/event/oldobject/TestLargeRootSet.java 
+      failed "assert(!contains(edge->reference())) failed:
+      invariant"
+    + JDK-8276651: java/lang/ProcessHandle tests fail with 
+      "RuntimeException: Input/output error" in 
+      java.lang.ProcessHandleImpl$Info.info0
+    + JDK-8276696: ParallelObjectIterator freed at the wrong time 
+      in VM_HeapDumper
+    + JDK-8277102: Dubious PrintCompilation output
+    + JDK-8277353: java/security/MessageDigest/ThreadSafetyTest.java
+       test times out
+    + JDK-8277417: C1 LIR instruction for load-klass
+    + JDK-8277427: Update jib-profiles.js to use JMH 1.33 devkit
+    + JDK-8277654: Shenandoah: Don't produce new memory state in C2 
+      LRB runtime call
+    + JDK-8277860: PPC: Remove duplicate info != NULL check
+    + JDK-8278141: LIR_OpLoadKlass::_info shadows the field of the 
+      same name from LIR_Op
+    + JDK-8278456: Define jtreg jdk_desktop test group time-based 
+      sub-tasks for use by headful testing.
+    + JDK-8279545: Buffer overrun in reverse_words of 
+      sharedRuntime_x86_64.cpp:3517
+    + JDK-8280032: Update jib-profiles.js to use JMH 1.34 devkit
+    + JDK-8280396: G1: Full gc mark stack draining should prefer to 
+      make work available to other threads
+    + JDK-8280885: Shenandoah: Some tests failed with "EA: missing 
+      allocation reference path"
+    + JDK-8281507: Two javac tests have bad jtreg `@clean` tags
+    + JDK-8281717: Cover logout method for several LoginModule
+    + JDK-8282404: DrawStringWithInfiniteXform.java failed with 
+      "RuntimeException: drawString with InfiniteXform transform 
+      takes long time"
+    + JDK-8282651: ZGC: vmTestbase/gc/ArrayJuggle/ tests fails 
+      intermittently with exit code 97
+    + JDK-8282665: [REDO] ByteBufferTest.java: replace endless 
+      recursion with RuntimeException in void ck(double x, double y)
+    + JDK-8283056: show abstract machine code in hs-err for all VM 
+      crashes
+    + JDK-8283276: java/io/ObjectStreamClass/
+      /ObjectStreamClassCaching.java fails with various GCs
+    + JDK-8283326: Implement SafeFetch statically
+    + JDK-8283724: Incorrect description for jtreg-failure-handler 
+      option
+    + JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream 
+      should only check inflated bytes
+    + JDK-8283865: riscv: Break down -XX:+UseRVB into seperate 
+      options for each bitmanip extension
+    + JDK-8283929: GHA: Add RISC-V build config
+    + JDK-8284068: riscv: should call Atomic::release_store in 
+      JavaThread::set_thread_state
+    + JDK-8284090: com/sun/security/auth/module/AllPlatforms.java 
+      fails to compile
+    + JDK-8284273: Early crashes in os::print_context on AArch64
+    + JDK-8284760: Correct type/array element offset in 
+      LibraryCallKit::get_state_from_digest_object()
+    + JDK-8284772: GHA: Use GCC Major Version Dependencies Only
+    + JDK-8284910: Buffer clean in PasswordCallback
+    + JDK-8284937: riscv: should not allocate special register for 
+      temp
+    + JDK-8284997: arm32 build crashes since JDK-8283326
+    + JDK-8285303: riscv: Incorrect register mask in 
+      call_native_base
+    + JDK-8285437: riscv: Fix MachNode size mismatch for 
+      MacroAssembler::verify_oops*
+    + JDK-8285630: Fix a configure error in RISC-V cross build
+    + JDK-8285675: Temporary fix for arm32 SafeFetch
+    + JDK-8285699: riscv: Provide information when hitting a 
+      HaltNode
+    + JDK-8285711: riscv: RVC: Support disassembler show-bytes 
+      option
+    + JDK-8285756: clean up use of bad arguments for `@clean` in 
+      langtools tests
+    + JDK-8285980: Several tests in compiler/c2/irTests miss 
+      @requires vm.compiler2.enabled
+    + JDK-8286481: Exception printed to stdout on Windows when 
+      storing transparent image in clipboard
+    + JDK-8286620: Create regression test for verifying setMargin() 
+      of JRadioButton
+    + JDK-8286623: Bundle zlib by default with JDK on macos aarch64
+    + JDK-8287227: Shenandoah: A couple of virtual thread tests 
+      failed with iu mode even without Loom enabled.
+    + JDK-8287418: riscv: Fix correctness issue of 
+      MacroAssembler::movptr
+    + JDK-8287552: riscv: Fix comment typo in li64
+    + JDK-8287970: riscv: jdk/incubator/vector/*VectorTests failing
+    + JDK-8288719: [arm32] SafeFetch32 thumb interleaving causes 
+      random crashes
+    + JDK-8289077: Add manual tests to open
+    + JDK-8289238: Refactoring changes to PassFailJFrame Test 
+      Framework
+    + JDK-8289510: Improve test coverage for XPath Axes: namespace
+    + JDK-8289512: Fix GCC 12 warnings for adlc output_c.cpp
+    + JDK-8289547: Update javax/swing/Popup/TaskbarPositionTest.java
+    + JDK-8289646: configure script failed on WSL
+    + JDK-8289688: jfr command hangs when it processes invalid file
+    + JDK-8289748: C2 compiled code crashes with SIGFPE with 
+      -XX:+StressLCM and -XX:+StressGCM
+    + JDK-8289797: tools/launcher/I18NArgTest.java fails on 
+      Japanese Windows environment
+    + JDK-8289917: Metadata for regionsRefilled of 
+      G1EvacuationStatistics event is wrong
+    + JDK-8290137: riscv: small refactoring for add_memory_int32/64
+    + JDK-8290164: compiler/runtime/TestConstantsInError.java fails 
+      on riscv
+    + JDK-8290464: Optimize ResourceArea zapping on ResourceMark 
+      release
+    + JDK-8290469: Add new positioning options to PassFailJFrame 
+      test framework
+    + JDK-8290496: riscv: Fix build warnings-as-errors with GCC 11
+    + JDK-8291444: GHA builds/tests won't run manually if disabled 
+      from automatic running
+    + JDK-8291830: jvmti/RedefineClasses/StressRedefine failed: 
+      assert(!is_null(v)) failed: narrow klass value can never be zero
+    + JDK-8291893: riscv: remove fence.i used in user space
+    + JDK-8291947: riscv: fail to build after JDK-8290840
+    + JDK-8291952: riscv: Remove PRAGMA_NONNULL_IGNORED
+    + JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup 
+      required permissions for jtreg version 7 jar
+    + JDK-8292315: Tests should not rely on specific JAR file names 
+      (hotspot)
+    + JDK-8292316: Tests should not rely on specific JAR file names 
+      (jpackage)
+    + JDK-8292683: Remove BadKeyUsageTest.java from Problem List
+    + JDK-8292698: Improve performance of DataInputStream
+    + JDK-8292716: Configure should check that jtreg is of the 
+      required version
+    + JDK-8292763: JDK-8292716 breaks configure without jtreg
+    + JDK-8292867: RISC-V: Simplify weak CAS return value handling
+    + JDK-8293012: ConstantPool::print_on can crash if _cache is 
+      NULL
+    + JDK-8293050: RISC-V: Remove redundant non-null assertions 
+      about macro-assembler
+    + JDK-8293098: GHA: Harmonize GCC version handling for host and 
+      cross builds
+    + JDK-8293100: RISC-V: Need to save and restore callee-saved 
+      FloatRegisters in StubGenerator::generate_call_stub
+    + JDK-8293107: GHA: Bump to Ubuntu 22.04
+    + JDK-8293114: JVM should trim the native heap
+    + JDK-8293166: jdk/jfr/jvm/TestDumpOnCrash.java fails on Linux 
+      ppc64le and Linux aarch64
+    + JDK-8293177: Verify version numbers in legal files
+    + JDK-8293180: JQuery UI license file not updated
+    + JDK-8293252: Shenandoah: ThreadMXBean synchronizer tests 
+      crash with aggressive heuristics
+    + JDK-8293361: GHA: dump config.log in case of configure failure
+    + JDK-8293474: RISC-V: Unify the way of moving function pointer
+    + JDK-8293524: RISC-V: Use macro-assembler functions as 
+      appropriate
+    + JDK-8293566: RISC-V: Clean up push and pop registers
+    + JDK-8293811: Provide a reason for PassFailJFrame.forceFail
+    + JDK-8293851: hs_err should print more stack in hex dump
+    + JDK-8294012: RISC-V: get/put_native_u8 missing the case when 
+      address&7 is 6
+    + JDK-8294083: RISC-V: Minimal build failed with 
+      --disable-precompiled-headers
+    + JDK-8294086: RISC-V: Cleanup InstructionMark usages in the 
+      backend
+    + JDK-8294087: RISC-V: RVC: Fix a potential alignment issue and 
+      add more alignment assertions for the patchable calls/nops
+    + JDK-8294149: JMH 1.34 and later requires jopt-simple 5.0.4
+    + JDK-8294187: RISC-V: Unify all relocations for the backend 
+      into AbstractAssembler::relocate()
+    + JDK-8294366: RISC-V: Partially mark out incompressible regions
+    + JDK-8294430: RISC-V: Small refactoring for movptr_with_offset
+    + JDK-8294492: RISC-V: Use li instead of patchable movptr at 
+      non-patchable callsites
+    + JDK-8294679: RISC-V: Misc crash dump improvements
+    + JDK-8294941: GHA: Cut down cross-compilation sysroots
+    + JDK-8294956: GHA: qemu-debootstrap is deprecated, use the 
+      regular one
+    + JDK-8295110: RISC-V: Mark out relocations as incompressible
+    + JDK-8295213: Run GHA manually with user-specified make and 
+      configure arguments
+    + JDK-8295270: RISC-V: Clean up and refactoring for assembler 
+      functions
+    + JDK-8295396: RISC-V: Cleanup useless CompressibleRegions
+    + JDK-8295657: SA: Allow larger object alignments
+    + JDK-8295737: macOS: Print content cut off when width > height 
+      with portrait orientation
+    + JDK-8295811: serviceability/sa/TestObjectAlignment.java fails 
+      on x86_32
+    + JDK-8295812: Skip the "half float" support in LittleCMS 
+      during the build
+    + JDK-8295894: Remove SECOM certificate that is expiring in 
+      September 2023
+    + JDK-8295926: RISC-V: C1: Fix LIRGenerator::do_LibmIntrinsic
+    + JDK-8295968: RISC-V: Rename some assembler intrinsic 
+      functions for RVV 1.0
+    + JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/
+      /AbstractDrbg/SpecTest.java intermittently timeout
+    + JDK-8296435: RISC-V: Small refactoring for increment/decrement
+    + JDK-8296447: RISC-V: Make the operands order of 
+      vrsub_vx/vrsub_vi consistent with RVV 1.0 spec
+    + JDK-8296448: RISC-V: Fix temp usages of heapbase register 
+      killed by MacroAssembler::en/decode_klass_not_null
+    + JDK-8296602: RISC-V: improve performance of copy_memory stub
+    + JDK-8296771: RISC-V: C2: assert(false) failed: bad AD file
+    + JDK-8296796: Provide clean, platform-agnostic interface to 
+      C-heap trimming
+    + JDK-8296916: RISC-V: Move some small macro-assembler 
+      functions to header file
+    + JDK-8297350: Update JMH devkit to 1.36
+    + JDK-8297359: RISC-V: improve performance of floating Max Min 
+      intrinsics
+    + JDK-8297476: Increase InlineSmallCode default from 1000 to 
+      2500 for RISC-V
+    + JDK-8297644: RISC-V: Compilation error when shenandoah is 
+      disabled
+    + JDK-8297681: Unnecessary color conversion during 
+      4BYTE_ABGR_PRE to INT_ARGB_PRE blit
+    + JDK-8297697: RISC-V: Add support for SATP mode detection
+    + JDK-8297715: RISC-V: C2: Use single-bit instructions from the 
+      Zbs extension
+    + JDK-8297887: Update Siphash
+    + JDK-8297923: java.awt.ScrollPane broken after multiple scroll 
+      up/down
+    + JDK-8298138: Shenandoah: HdrSeq asserts "sub-bucket index 
+      (512) overflow for value (    1.00)"
+    + JDK-8298921: Create a regression test for JDK-8139581
+    + JDK-8298974: Add ftcolor.c to imported freetype sources
+    + JDK-8299158: Improve MD5 intrinsic on AArch64
+    + JDK-8299168: RISC-V: Fix MachNode size mismatch for 
+      MacroAssembler::_verify_oops*
+    + JDK-8299330: Minor improvements in MSYS2 Workflow handling
+    + JDK-8299617: CurrencySymbols.properties is missing the 
+      copyright notice
+    + JDK-8299658: C1 compilation crashes in 
+      LinearScan::resolve_exception_edge
+    + JDK-8299713: Test javax/swing/JTableHeader/6889007/
+      /bug6889007.java failed: Wrong type of cursor
+    + JDK-8299827: Add resolved IP address in connection exception 
+      for sockets
+    + JDK-8299847: RISC-V: Improve PrintOptoAssembly output of 
+      CMoveI/L nodes
+    + JDK-8299962: Speed up compiler/intrinsics/unsafe/
+      /DirectByteBufferTest.java and HeapByteBufferTest.java
+    + JDK-8300053: Shenandoah: Handle more GCCauses in 
+      ShenandoahControlThread::request_gc
+    + JDK-8300098: java/util/concurrent/ConcurrentHashMap/
+      /ConcurrentAssociateTest.java fails with internal timeout when
+      executed with TieredCompilation1/3
+    + JDK-8300109: RISC-V: Improve code generation for MinI/MaxI 
+      nodes
+    + JDK-8300405: Screen capture for test 
+      JFileChooserSetLocationTest.java, failure case
+    + JDK-8300584: Accelerate AVX-512 CRC32C for small buffers
+    + JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api 
+      for host values
+    + JDK-8300693: Lower the compile threshold and reduce the 
+      iterations of warmup loop in VarHandles tests
+    + JDK-8301033: RISC-V: Handle special cases for MinI/MaxI nodes 
+      for Zbb
+    + JDK-8301036: RISC-V: Factor out functions baseOffset & 
+      baseOffset32 from MacroAssembler
+    + JDK-8301067: RISC-V: better error message when reporting 
+      unsupported satp modes
+    + JDK-8301074: Replace NULL with nullptr in share/opto/
+    + JDK-8301097: Update GHA XCode to 12.5.1
+    + JDK-8301153: RISC-V: pipeline class for several instructions 
+      is not set correctly
+    + JDK-8301167: Update VerifySignedJar to actually exercise and 
+      test verification
+    + JDK-8301187: Memory leaks in OopMapCache
+    + JDK-8301269: Update Commons BCEL to Version 6.7.0
+    + JDK-8301313: RISC-V: C2: assert(false) failed: bad AD file 
+      due to missing match rule
+    + JDK-8301367: Add exception handler method to the 
+      BaseLdapServer
+    + JDK-8301628: RISC-V: c2 fix pipeline class for several 
+      instructions
+    + JDK-8301700: Increase the default TLS Diffie-Hellman group 
+      size from 1024-bit to 2048-bit
+    + JDK-8301818: RISC-V: Factor out function mvw from 
+      MacroAssembler
+    + JDK-8301852: RISC-V: Optimize class atomic when order is 
+      memory_order_relaxed
+    + JDK-8301959: Compile command in 
+      compiler.loopopts.TestRemoveEmptyCountedLoop does not work
+    + JDK-8302114: RISC-V: Several foreign jtreg tests fail with 
+      debug build after JDK-8301818
+    + JDK-8302150: Speed up compiler/codegen/Test7100757.java
+    + JDK-8302161: Upgrade jQuery UI to version 1.13.2
+    + JDK-8302182: Update Public Suffix List to 88467c9
+    + JDK-8302289: RISC-V: Use bgez instruction in 
+      arraycopy_simple_check when possible
+    + JDK-8302736: Major performance regression in Math.log on 
+      aarch64
+    + JDK-8302776: RISC-V: Fix typo CSR_INSTERT to CSR_INSTRET
+    + JDK-8303047: avoid NULL after 8301661
+    + JDK-8303154: Investigate and improve instruction cache 
+      flushing during compilation
+    + JDK-8303215: Make thread stacks not use huge pages
+    + JDK-8303279: C2: crash in SubTypeCheckNode::sub() at IGVN 
+      split if
+    + JDK-8304293: RISC-V: JDK-8276799 missed atomic intrinsic 
+      support for C1
+    + JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373
+    + JDK-8304353: Add lib-test tier1 testing in GHA
+    + JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1
+    + JDK-8304845: Update PCSC-Lite for Suse Linux to 1.9.9 and fix 
+      incomplete license wording
+    + JDK-8304976: Optimize 
+      DateTimeFormatterBuilder.ZoneTextPrinterParser.getTree()
+    + JDK-8305006: Use correct register in riscv_enc_fast_unlock()
+    + JDK-8305008: RISC-V: Factor out immediate checking functions 
+      from assembler_riscv.inline.hpp
+    + JDK-8305112: RISC-V: Typo fix for RVC description
+    + JDK-8305236: Some LoadLoad barriers in the interpreter are 
+      unnecessary after JDK-8220051
+    + JDK-8305421: Work around JDK-8305420 in CDSJDITest.java
+    + JDK-8305425: Thread.isAlive0 doesn't need to call into the VM
+    + JDK-8305512: RISC-V: Enable RVC extension by default on 
+      supported hardware
+    + JDK-8305670: Performance regression in LockSupport.unpark 
+      with lots of idle threads
+    + JDK-8305728: RISC-V: Use bexti instruction to do single-bit 
+      testing
+    + JDK-8305763: Parsing a URI with an underscore goes through a 
+      silent exception, negatively impacting performance
+    + JDK-8305766: ProblemList runtime/CompressedOops/
+      /CompressedClassPointers.java
+    + JDK-8305858: Resolve multiple definition of 
+      'handleSocketError' when statically linking with JDK native 
+      libraries
+    + JDK-8305950: Have -XshowSettings option display tzdata version
+    + JDK-8305995: Footprint regression from JDK-8224957
+    + JDK-8306060: Open source few AWT Insets related tests
+    + JDK-8306076: Open source AWT misc tests
+    + JDK-8306134: Open source some AWT tests relating to Button 
+      and a few other classes
+    + JDK-8306135: Clean up and open source some AWT tests
+    + JDK-8306137: Open source several AWT ScrollPane related tests
+    + JDK-8306281: function isWsl() returns false on WSL2
+    + JDK-8306372: Open source AWT CardLayout and Checkbox tests
+    + JDK-8306428: RunThese30M.java crashed with 
+      assert(early->flag() == current->flag() || early->flag() ==
+      mtNone)
+    + JDK-8306430: Open source some AWT tests related to 
+      TextComponent and Toolkit
+    + JDK-8306435: Juggle04/TestDescription.java should be a 
+      booleanArr test and not a byteArr one
+    + JDK-8306484: Open source several AWT Choice jtreg tests
+    + JDK-8306566: Open source several clipboard AWT tests
+    + JDK-8306575: Clean up and open source four Dialog related 
+      tests
+    + JDK-8306636: Disable compiler/c2/Test6905845.java with 
+      -XX:TieredStopAtLevel=3
+    + JDK-8306638: Open source some AWT tests related to 
+      datatransfer and Toolkit
+    + JDK-8306667: RISC-V: Fix storeImmN0 matching rule by using zr 
+      register
+    + JDK-8306682: Open source a few more AWT Choice tests
+    + JDK-8306718: Optimize and opensource some old AWT tests
+    + JDK-8306738: Select num workers for safepoint 
+      ParallelCleanupTask
+    + JDK-8306765: Some client related jtreg problem list entries 
+      are malformed
+    + JDK-8306812: Open source several AWT Miscellaneous tests
+    + JDK-8307067: remove broken EnableThreadSMRExtraValidityChecks 
+      option
+    + JDK-8307068: store a JavaThread* in the java.lang.Thread 
+      object after the JavaThread* is added to the main ThreadsList
+    + JDK-8307078: Opensource and clean up five more AWT Focus 
+      related tests
+    + JDK-8307079: Update test java/awt/Choice/DragOffNoSelect.java
+    + JDK-8307083: Open source some drag and drop tests 3
+    + JDK-8307147: [x86] Dangling pointer warning for 
+      Assembler::_attributes
+    + JDK-8307150: RISC-V: Remove remaining StoreLoad barrier with 
+      UseCondCardMark for Serial/Parallel GC
+    + JDK-8307156: native_thread not protected by TLH
+    + JDK-8307165: java/awt/dnd/NoFormatsDropTest/
+      /NoFormatsDropTest.java timed out
+    + JDK-8307299: Move more DnD tests to open
+    + JDK-8307301: Update HarfBuzz to 7.2.0
+    + JDK-8307348: Parallelize heap walk for ObjectCount(AfterGC) 
+      JFR event collection
+    + JDK-8307395: Add missing STS to Shenandoah
+    + JDK-8307446: RISC-V: Improve performance of floating point to 
+      integer conversion
+    + JDK-8307526: [JFR] Better handling of tampered JFR repository
+    + JDK-8307555: Reduce memory reads in x86 MD5 intrinsic
+    + JDK-8307569: Build with gcc8 is broken after JDK-8307301
+    + JDK-8307572: AArch64: Vector registers are clobbered by some 
+      macroassemblers
+    + JDK-8307603: [AIX] Broken build after JDK-8307301
+    + JDK-8307604: gcc12 based Alpine build broken build after 
+      JDK-8307301
+    + JDK-8307651: RISC-V: stringL_indexof_char instruction has 
+      wrong format string
+    + JDK-8307653: Adjust delay time and gc log argument in 
+      TestAbortOnVMOperationTimeout
+    + JDK-8307683: Loop Predication should not hoist range checks 
+      with trap on success projection by negating their condition
+    + JDK-8307766: Linux: Provide the option to override the timer 
+      slack
+    + JDK-8308089: [riscv-port-jdk17u] Intrinsify 
+      Unsafe.storeStoreFence
+    + JDK-8308090: Add container tests for on-the-fly resource 
+      quota updates
+    + JDK-8308152: PropertyDescriptor should work with overridden 
+      generic getter method
+    + JDK-8308156: VerifyCACerts.java misses blank in error output
+    + JDK-8308192: Error in parsing replay file when staticfield is 
+      an array of single dimension
+    + JDK-8308232: nsk/jdb tests don't pass -verbose flag to the 
+      debuggee
+    + JDK-8308277: RISC-V: Improve vectorization of Match.sqrt() on 
+      floats
+    + JDK-8308283: Build failure with GCC12 & GCC13
+    + JDK-8308300: enhance exceptions in MappedMemoryUtils.c
+    + JDK-8308643: Incorrect value of 'used' jvmstat counter
+    + JDK-8308766: TLAB initialization may cause div by zero
+    + JDK-8308803: Improve java/util/UUID/UUIDTest.java
+    + JDK-8308872: enhance logging and some exception in 
+      krb5/Config.java
+    + JDK-8308997: RISC-V: Sign extend when comparing 32-bit value 
+      with zero instead of testing the sign bit
+    + JDK-8309088: security/infra/java/security/cert/
+      /CertPathValidator/certification/AmazonCA.java fails
+    + JDK-8309095: Remove UTF-8 character from 
+      TaskbarPositionTest.java
+    + JDK-8309107: Bump update version for OpenJDK: jdk-17.0.9
+    + JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton 
+      predicates for all If nodes in loop predication
+    + JDK-8309138: Fix container tests for jdks with symlinked conf 
+      dir
+    + JDK-8309228: Clarify EXPERIMENTAL flags comment in 
+      hotspot/share/runtime/globals.hpp
+    + JDK-8309254: Implement fast-path for ASCII-compatible 
+      CharsetEncoders on RISC-V
+    + JDK-8309266: C2: assert(final_con == (jlong)final_int) 
+      failed: final value should be integer
+    + JDK-8309297: Adjust ShenandoahHeap print_heap_regions_on
+    + JDK-8309340: Provide sctpHandleSocketErrorWithMessage
+    + JDK-8309427: [riscv-port-jdk17u] Remove unused 
+      RoundDoubleModeV C2 node
+    + JDK-8309550: jdk.jfr.internal.Utils::formatDataAmount method 
+      should gracefully handle amounts equal to Long.MIN_VALUE
+    + JDK-8309591: Socket.setOption(TCP_QUICKACK) uses wrong level
+    + JDK-8309613: [Windows] hs_err files sometimes miss 
+      information about the code containing the error
+    + JDK-8309746: Reconfigure check should include 
+      make/conf/version-numbers.conf
+    + JDK-8309862: Unsafe list operations in JfrStringPool
+    + JDK-8309956: Shenandoah: Strengthen the mark word check in 
+      string dedup
+    + JDK-8309959: JFR: Display N/A for missing data amount
+    + JDK-8310054: ScrollPane insets are incorrect
+    + JDK-8310126: C1: Missing receiver null check in 
+      Reference::get intrinsic
+    + JDK-8310259: Pin msys2/setup-msys2 github action to a 
+      specific commit
+    + JDK-8310549: avoid potential leaks in KeystoreImpl.m related 
+      to JNU_CHECK_EXCEPTION early returns
+    + JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/
+      /interrupt001.java timed out due to missing prompt
+    + JDK-8310873: Re-enable locked_create_entry symbol check in 
+      runtime/NMT/CheckForProperDetailStackTrace.java for RISC-V
+    + JDK-8311033: [macos] PrinterJob does not take into account 
+      Sides attribute
+    + JDK-8311249: Remove unused MemAllocator::obj_memory_range
+    + JDK-8311285: report some fontconfig related environment 
+      variables in hs_err file
+    + JDK-8311689: Wrong visible amount in Adjustable of ScrollPane
+    + JDK-8311862: RISC-V: small improvements to shift immediate 
+      instructions
+    + JDK-8311923: TestIRMatching.java fails on RISC-V
+    + JDK-8312029: Add CriticalNative tests to ProblemList for 
+      8312028
+    + JDK-8312511: GHA: Bump cross-compile runner to Ubuntu 22.04
+    + JDK-8312525: New test runtime/os/TestTrimNative.java#trimNative
+      is failing: did not see the expected RSS reduction
+    + JDK-8312555: Ideographic characters aren't stretched by 
+      AffineTransform.scale(2, 1)
+    + JDK-8313262: C2:  Sinking node may cause required cast to be 
+      dropped
+    + JDK-8313402: C1: Incorrect LoadIndexed value numbering
+    + JDK-8313428: GHA: Bump GCC versions for July 2023 updates
+    + JDK-8313576: GCC 7 reports compiler warning in bundled 
+      freetype 2.13.0
+    + JDK-8313676: Amend TestLoadIndexedMismatch test to target 
+      intrinsic directly
+    + JDK-8313678: SymbolTable can leak Symbols during cleanup
+    + JDK-8313701: GHA: RISC-V should use the official repository 
+      for bootstrap
+    + JDK-8313707: GHA: Bootstrap sysroots with --variant=minbase
+    + JDK-8313796: AsyncGetCallTrace crash on unreadable 
+      interpreter method pointer
+    + JDK-8313815: The exception messages printed by jcmd 
+      ManagementAgent.start are corrupted on Japanese Windows
+    + JDK-8313874: JNI NewWeakGlobalRef throws exception for null 
+      arg
+    + JDK-8314020: Print instruction blocks in byte units
+    + JDK-8314117: RISC-V: Incorrect VMReg encoding in 
+      RISCV64Frame.java
+    + JDK-8314118: Update JMH devkit to 1.37
+    + JDK-8314262: GHA: Cut down cross-compilation sysroots deeper
+    + JDK-8314426: runtime/os/TestTrimNative.java is failing on 
+      slow machines
+    + JDK-8314501: Shenandoah: sun/tools/jhsdb/heapconfig/
+      /JMapHeapConfigTest.java fails
+    + JDK-8314517: some tests fail in case ipv6 is disabled on the 
+      machine
+    + JDK-8314552: Fix javadoc tests to work with jtreg 7
+    + JDK-8314658: [17u] GHA: Sync up debian-version for 
+      cross-builds
+    + JDK-8314730: GHA: Drop libfreetype6-dev transitional package 
+      in favor of libfreetype-dev
+    + JDK-8314960: Add Certigna Root CA - 2
+    + JDK-8317040: Exclude cleaner test failing on older releases
+    + JDK-8317643: [17u] Remove designator 
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.9
+- Modified patches:
+  * nss-security-provider.patch
+  * fips.patch
+    + rediff
+
+-------------------------------------------------------------------
+Wed Oct 18 09:42:22 UTC 2023 - Andreas Schwab 
+
+- Enable JIT on riscv64
+
+-------------------------------------------------------------------
+Wed Oct 18 05:05:07 UTC 2023 - Fridrich Strba 
+
+- Compiler flags to realign stack on ix86 (bsc#1214790)
+
+-------------------------------------------------------------------
+Thu Sep 14 07:58:44 UTC 2023 - Fridrich Strba 
+
+- Added patch:
+  * reproducible-properties.patch
+    + use SOURCE_DATE_EPOCH for timestamp in the generated
+      properties files
+
+-------------------------------------------------------------------
+Wed Aug 23 06:27:50 UTC 2023 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.8.1+1 (August 2023 emergency
+  release fixing a regression in July 2023 CPU)
+  * Changes:
+    + JDK-8313765: Invalid CEN header (invalid zip64 extra data
+      field size)
+    + JDK-8314677: Bump update version for OpenJDK: jdk-17.0.8.1
+
+-------------------------------------------------------------------
+Fri Aug  4 15:49:22 UTC 2023 - Fridrich Strba 
+
+- Added patch:
+  * reproducible-javadoc-timestamp.patch
+    + use SOURCE_DATE_EPOCH in javadoc and make the javadoc
+      generation more reproducible
+
+-------------------------------------------------------------------
+Tue Jul 25 06:21:18 UTC 2023 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.8+7 (July 2023 CPU)
+  * CVEs
+    + CVE-2023-22006, bsc#1213473
+    + CVE-2023-22036, bsc#1213474
+    + CVE-2023-22041, bsc#1213475
+    + CVE-2023-22044, bsc#1213479
+    + CVE-2023-22045, bsc#1213481
+    + CVE-2023-22049, bsc#1213482
+    + CVE-2023-25193, bsc#1207922
+  * Security fixes
+    + JDK-8294323: Improve Shared Class Data
+    + JDK-8296565: Enhanced archival support
+    + JDK-8298676, JDK-8300891: Enhanced Look and Feel
+    + JDK-8300285: Enhance TLS data handling
+    + JDK-8300596: Enhance Jar Signature validation
+    + JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
+    + JDK-8302475: Enhance HTTP client file downloading
+    + JDK-8302483: Enhance ZIP performance
+    + JDK-8303376: Better launching of JDI
+    + JDK-8304460: Improve array usages
+    + JDK-8304468: Better array usages
+    + JDK-8305312: Enhanced path handling
+    + JDK-8308682: Enhance AES performance
+  * Other changes
+    + JDK-8178806: Better exception logging in crypto code
+    + JDK-8201516: DebugNonSafepoints generates incorrect
+      information
+    + JDK-8224768: Test ActalisCA.java fails
+    + JDK-8227060: Optimize safepoint cleanup subtask order
+    + JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
+      fails with AssertionError
+    + JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
+    + JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java
+      doesn' initialize eName
+    + JDK-8245877: assert(_value != __null) failed: resolving NULL
+      _value in JvmtiExport::post_compiled_method_load
+    + JDK-8248001: javadoc generates invalid HTML pages whose
+      ftp:// links are broken
+    + JDK-8252990: Intrinsify Unsafe.storeStoreFence
+    + JDK-8254711: Add java.security.Provider.getService JFR Event
+    + JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
+      version updates
+    + JDK-8261495: Shenandoah: reconsider update references memory
+      ordering
+    + JDK-8268288: jdk/jfr/api/consumer/streaming/
+      /TestOutOfProcessMigration.java fails with "Error:
+      ShouldNotReachHere()"
+    + JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java
+      fails: unexpected log message
+    + JDK-8268582: javadoc throws NPE with --ignore-source-errors
+      option
+    + JDK-8269821: Remove is-queue-active check in inner loop of
+      write_ref_array_pre_work
+    + JDK-8270434: JDI+UT: Unexpected event in JDI tests
+    + JDK-8270859: Post JEP 411 refactoring: client libs with
+      maximum covering > 10K
+    + JDK-8270869: G1ServiceThread may not terminate
+    + JDK-8271519: java/awt/event/SequencedEvent/
+      /MultipleContextsFunctionalTest.java failed with "Total [200]
+      - Expected [400]"
+    + JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can
+      still fail with "ERROR: new event is not ThreadStartEvent"
+    + JDK-8274243: Implement fast-path for ASCII-compatible
+      CharsetEncoders on aarch64
+    + JDK-8274615: Support relaxed atomic add for linux-aarch64
+    + JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
+    + JDK-8275233: Incorrect line number reported in exception
+      stack trace thrown from a lambda expression
+    + JDK-8275287: Relax memory ordering constraints on updating
+      instance class and array class counters
+    + JDK-8275721: Name of UTC timezone in a locale changes
+      depending on previous code
+    + JDK-8275735: [linux] Remove deprecated Metrics api (kernel
+      memory limit)
+    + JDK-8276058: Some swing test fails on specific CI macos system
+    + JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/
+      /bug6276188.java fails to compile after JDK-8276058
+    + JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
+      add 4357905
+    + JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly
+      identify it as pause
+    + JDK-8278434: timeouts in test  java/time/test/java/time/
+      /format/TestZoneTextPrinterParser.java
+    + JDK-8278834: Error "Cannot read field "sym" because
+      "this.lvar[od]" is null" when compiling
+    + JDK-8282077: PKCS11 provider C_sign() impl should handle
+      CKR_BUFFER_TOO_SMALL error
+    + JDK-8282201: Consider removal of expiry check in
+      VerifyCACerts.java test
+    + JDK-8282227: Locale information for nb is not working properly
+    + JDK-8282704: runtime/Thread/StopAtExit.java may leak memory
+    + JDK-8283057: Update GCC to version 11.2.0 for Oracle builds
+      on Linux
+    + JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2
+    + JDK-8283520: JFR: Memory leak in dcmd_arena
+    + JDK-8283566: G1: Improve G1BarrierSet::enqueue performance
+    + JDK-8284331: Add sanity check for signal handler modification
+      warning.
+    + JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java
+      failed with Default Button not pressed for L&F:
+      com.sun.java.swing.plaf.motif.MotifLookAndFeel
+    + JDK-8285987: executing shell scripts without #! fails on
+      Alpine linux
+    + JDK-8286191: misc tests fail due to JDK-8285987
+    + JDK-8286287: Reading file as UTF-16 causes Error which
+      "shouldn't happen"
+    + JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator
+    + JDK-8286346: 3-parameter version of AllocateHeap should not
+      ignore AllocFailType
+    + JDK-8286398: Address possibly lossy conversions in
+      jdk.internal.le
+    + JDK-8287007: [cgroups] Consistently use stringStream
+      throughout parsing code
+    + JDK-8287246: DSAKeyValue should check for missing params
+      instead of relying on KeyFactory provider
+    + JDK-8287541: Files.writeString fails to throw IOException for
+      charset "windows-1252"
+    + JDK-8287854: Dangling reference in ClassVerifier::verify_class
+    + JDK-8287876: The recently de-problemlisted
+      TestTitledBorderLeak test is unstable
+    + JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
+      with information on 4th party dependencies
+    + JDK-8288589: Files.readString ignores encoding errors for
+      UTF-16
+    + JDK-8289509: Improve test coverage for XPath Axes:
+      descendant, descendant-or-self, following, following-sibling
+    + JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
+    + JDK-8289949: Improve test coverage for XPath: operators
+    + JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is
+      subject to undefined behavior
+    + JDK-8291226: Create Test Cases to cover scenarios for
+      JDK-8278067
+    + JDK-8291637: HttpClient default keep alive timeout not
+      followed if server sends invalid value
+    + JDK-8291638: Keep-Alive timeout of 0 should close connection
+      immediately
+    + JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
+      is lower than expected
+    + JDK-8292301: [REDO v2] C2 crash when allocating array of size
+      too large
+    + JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests
+      resilience under spurious failures
+    + JDK-8292713: Unsafe.allocateInstance should be intrinsified
+      without UseUnalignedAccesses
+    + JDK-8292755: Non-default method in interface leads to a stack
+      overflow in JShell
+    + JDK-8292990: Improve test coverage for XPath Axes: parent
+    + JDK-8293295: Add type check asserts to
+      java_lang_ref_Reference accessors
+    + JDK-8293492: ShenandoahControlThread missing from hs-err log
+      and thread dump
+    + JDK-8293858: Change PKCS7 code to use default SecureRandom
+      impl instead of SHA1PRNG
+    + JDK-8293887: AArch64 build failure with GCC 12 due to
+      maybe-uninitialized warning in libfdlibm k_rem_pio2.c
+    + JDK-8294183: AArch64: Wrong macro check in
+      SharedRuntime::generate_deopt_blob
+    + JDK-8294281: Allow warnings to be disabled on a per-file basis
+    + JDK-8294673: JFR: Add SecurityProviderService#threshold to
+      TestActiveSettingEvent.java
+    + JDK-8294717: (bf) DirectByteBuffer constructor will leak if
+      allocating Deallocator or Cleaner fails with OOME
+    + JDK-8294906: Memory leak in PKCS11 NSS TLS server
+    + JDK-8295564: Norwegian Nynorsk Locale is missing formatting
+    + JDK-8295974: jni_FatalError and Xcheck:jni warnings should
+      print the native stack when there are no Java frames
+    + JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java
+      fails intermittently on a VM
+    + JDK-8296318: use-def assert: special case undetected loops
+      nested in infinite loops
+    + JDK-8296343: CPVE thrown on missing content-length in OCSP
+      response
+    + JDK-8296412: Special case infinite loops with unmerged
+      backedges in IdealLoopTree::check_safepts
+    + JDK-8296545: C2 Blackholes should allow load optimizations
+    + JDK-8296934: Write a test to verify whether Undecorated Frame
+      can be iconified or not
+    + JDK-8297000: [jib] Add more friendly warning for proxy issues
+    + JDK-8297154: Improve safepoint cleanup logging
+    + JDK-8297450: ScaledTextFieldBorderTest.java fails when run
+      with -show parameter
+    + JDK-8297587: Upgrade JLine to 3.22.0
+    + JDK-8297730: C2: Arraycopy intrinsic throws incorrect
+      exception
+    + JDK-8297955: LDAP CertStore should use LdapName and not
+      String for DNs
+    + JDK-8298488: [macos13] tools/jpackage tests failing with
+      "Exit code: 137" on macOS
+    + JDK-8298887: On the latest macOS+XCode the Robot API may
+      report wrong colors
+    + JDK-8299179: ArrayFill with store on backedge needs to reduce
+      length by 1
+    + JDK-8299259: C2: Div/Mod nodes without zero check could be
+      split through iv phi of loop resulting in SIGFPE
+    + JDK-8299544: Improve performance of CRC32C intrinsics
+      (non-AVX-512) for small inputs
+    + JDK-8299570: [JVMCI] Insufficient error handling when
+      CodeBuffer is exhausted
+    + JDK-8299959: C2: CmpU::Value must filter overflow computation
+      against local sub computation
+    + JDK-8300042: Improve CPU related JFR events descriptions
+    + JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
+      due to constant NULL src argument
+    + JDK-8300823: UB: Compile::_phase_optimize_finished is
+      initialized too late
+    + JDK-8300939: sun/security/provider/certpath/OCSP/
+      /OCSPNoContentLength.java fails due to network errors
+    + JDK-8301050: Detect Xen Virtualization on Linux aarch64
+    + JDK-8301119: Support for GB18030-2022
+    + JDK-8301123: Enable Symbol refcounting underflow checks in
+      PRODUCT
+    + JDK-8301190: [vectorapi] The typeChar of LaneType is
+      incorrect when default locale is tr
+    + JDK-8301216: ForkJoinPool invokeAll() ignores timeout
+    + JDK-8301338: Identical branch conditions in
+      CompileBroker::print_heapinfo
+    + JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic
+      called with negative character argument
+    + JDK-8301637: ThreadLocalRandom.current().doubles().parallel()
+      contention
+    + JDK-8301661: Enhance os::pd_print_cpu_info on macOS and
+      Windows
+    + JDK-8302151: BMPImageReader throws an exception reading BMP
+      images
+    + JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined
+      must respect ForceInline
+    + JDK-8302320: AsyncGetCallTrace obtains too few frames in
+      sanity test
+    + JDK-8302491: NoClassDefFoundError omits the original cause of
+      an error
+    + JDK-8302508: Add timestamp to the output TraceCompilerThreads
+    + JDK-8302594: use-after-free in Node::destruct
+    + JDK-8302595: use-after-free related to GraphKit::clone_map
+    + JDK-8302791: Add specific ClassLoader object to Proxy
+      IllegalArgumentException message
+    + JDK-8302849: SurfaceManager might expose partially
+      constructed object
+    + JDK-8303069: Memory leak in CompilerOracle::parse_from_line
+    + JDK-8303102: jcmd: ManagementAgent.status truncates the text
+      longer than O_BUFLEN
+    + JDK-8303130: Document required Accessibility permissions on
+      macOS
+    + JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
+      needs CFRelease call in early potential CHECK_NULL return
+    + JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8
+    + JDK-8303440: The "ZonedDateTime.parse" may not accept the
+      "UTC+XX" zone id
+    + JDK-8303465: KeyStore of type KeychainStore, provider Apple
+      does not show all trusted certificates
+    + JDK-8303476: Add the runtime version in the release file of a
+      JDK image
+    + JDK-8303482: Update LCMS to 2.15
+    + JDK-8303508: Vector.lane() gets wrong value on x86
+    + JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during
+      unrolling
+    + JDK-8303564: C2: "Bad graph detected in build_loop_late"
+      after a CMove is wrongly split thru phi
+    + JDK-8303575: adjust Xen handling on Linux aarch64
+    + JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
+      CFRelease call in early potential CHECK_NULL return
+    + JDK-8303588: [JVMCI] make JVMCI source directories conform
+      with standard layout
+    + JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
+    + JDK-8303822: gtestMain should give more helpful output
+    + JDK-8303861: Error handling step timeouts should never be
+      blocked by OnError and others
+    + JDK-8303937: Corrupted heap dumps due to missing retries for
+      os::write()
+    + JDK-8303949: gcc10 warning Linux ppc64le - note: the layout
+      of aggregates containing vectors with 8-byte alignment has
+      changed in GCC 5
+    + JDK-8304054: Linux: NullPointerException from
+      FontConfiguration.getVersion in case no fonts are installed
+    + JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java
+      fails when checking LD_LIBRARY_PATH
+    + JDK-8304134: jib bootstrapper fails to quote filename when
+      checking download filetype
+    + JDK-8304291: [AIX] Broken build after JDK-8301998
+    + JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
+    + JDK-8304350: Font.getStringBounds calculates wrong width for
+      TextAttribute.TRACKING other than 0.0
+    + JDK-8304671: javac regression: Compilation with --release 8
+      fails on underscore in enum identifiers
+    + JDK-8304683: Memory leak in WB_IsMethodCompatible
+    + JDK-8304760: Add 2 Microsoft TLS roots
+    + JDK-8304867: Explicitly disable dtrace for ppc builds
+    + JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with
+      ZGC
+    + JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic
+    + JDK-8305113: (tz) Update Timezone Data to 2023c
+    + JDK-8305400: ISO 4217 Amendment 175 Update
+    + JDK-8305403: Shenandoah evacuation workers may deadlock
+    + JDK-8305481: gtest is_first_C_frame failing on ARM
+    + JDK-8305690: [X86] Do not emit two REX prefixes in
+      Assembler::prefix
+    + JDK-8305711: Arm: C2 always enters slowpath for monitorexit
+    + JDK-8305721: add `make compile-commands` artifacts to
+      .gitignore
+    + JDK-8305975: Add TWCA Global Root CA
+    + JDK-8305993: Add handleSocketErrorWithMessage to extend nio
+      Net.c exception message
+    + JDK-8305994: Guarantee eventual async monitor deflation
+    + JDK-8306072: Open source several AWT MouseInfo related tests
+    + JDK-8306133: Open source few AWT Drag & Drop related tests
+    + JDK-8306409: Open source AWT KeyBoardFocusManger,
+      LightWeightComponent related tests
+    + JDK-8306432: Open source several AWT Text Component related
+      tests
+    + JDK-8306466: Open source more AWT Drag & Drop related tests
+    + JDK-8306489: Open source AWT List related tests
+    + JDK-8306543: GHA: MSVC installation is failing
+    + JDK-8306640: Open source several AWT TextArea related tests
+    + JDK-8306652: Open source AWT MenuItem related tests
+    + JDK-8306658: GHA: MSVC installation could be optional since
+      it might already be pre-installed
+    + JDK-8306664: GHA: Update MSVC version to latest stepping
+    + JDK-8306681: Open source more AWT DnD related tests
+    + JDK-8306683: Open source several clipboard and color AWT tests
+    + JDK-8306752: Open source several container and component AWT
+      tests
+    + JDK-8306753: Open source several container AWT tests
+    + JDK-8306755: Open source few Swing JComponent and
+      AbstractButton tests
+    + JDK-8306768: CodeCache Analytics reports wrong threshold
+    + JDK-8306774: Make runtime/Monitor/
+      /GuaranteedAsyncDeflationIntervalTest.java more reliable
+    + JDK-8306825: Monitor deflation might be accidentally disabled
+      by zero intervals
+    + JDK-8306850: Open source AWT Modal related tests
+    + JDK-8306871: Open source more AWT Drag & Drop tests
+    + JDK-8306883: Thread stacksize is reported with wrong units in
+      os::create_thread logging
+    + JDK-8306941: Open source several datatransfer and dnd AWT
+      tests
+    + JDK-8306943: Open source several dnd AWT tests
+    + JDK-8306954: Open source five Focus related tests
+    + JDK-8306955: Open source several JComboBox jtreg tests
+    + JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
+    + JDK-8306996: Open source Swing MenuItem related tests
+    + JDK-8307080: Open source some more JComboBox jtreg tests
+    + JDK-8307128: Open source some drag and drop tests 4
+    + JDK-8307130: Open source few Swing JMenu tests
+    + JDK-8307133: Open source some JTable jtreg tests
+    + JDK-8307134: Add GTS root CAs
+    + JDK-8307135: java/awt/dnd/NotReallySerializableTest/
+      /NotReallySerializableTest.java failed
+    + JDK-8307331: Correctly update line maps when class redefine
+      rewrites bytecodes
+    + JDK-8307346: Add missing gc+phases logging for
+      ObjectCount(AfterGC) JFR event collection code
+    + JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could
+      leave files owned by root on macOS
+    + JDK-8307378: Allow collectors to provide specific values for
+      GC notifications' actions
+    + JDK-8307381: Open Source JFrame, JIF related Swing Tests
+    + JDK-8307425: Socket input stream read burns CPU cycles with
+      back-to-back poll(0) calls
+    + JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has
+      invalid jtreg `@requires` clause
+    + JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not
+      removed from ExternalEditorTest
+    + JDK-8308880: [17u] micro bench ZoneStrings missed in backport
+      of 8278434
+    + JDK-8308884: [17u/11u] Backout JDK-8297951
+    + JDK-8311467: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8
+
+-------------------------------------------------------------------
+Wed May 24 13:47:09 UTC 2023 - Fridrich Strba 
+
+- Bring back our nss.fips.cfg file, since the variable expansion
+  in the upstream file does not work (fixes: bsc#1211679)
+
+-------------------------------------------------------------------
+Thu May 11 12:52:16 UTC 2023 - jsilva@suse.com
+
+- Fix for SG#65673, bsc#1210392:
+   * unsigned-sni-server-name.patch: In SSLSessionImpl, interpret
+     length of SNIServerName as an unsigned byte so that it can
+     have length up to 255 rather than 127.
+
+-------------------------------------------------------------------
+Thu May 11 07:26:21 UTC 2023 - Fridrich Strba 
+
+- Do not install a separate nss.fips.cfg file, since there is
+  now one in the tree and the install happens automatically
+- Modified patch:
+  * fips.patch
+    + enable system property file by default, without which the
+      FIPS mode would never get enabled (bsc#1211259)
+
+-------------------------------------------------------------------
+Wed Apr 26 11:29:03 UTC 2023 - Fridrich Strba 
+
+- Update to upstrem tag jdk-17.0.7+7 (April 2023 CPU)
+  * Security fixes:
+    + JDK-8287404: Improve ping times
+    + JDK-8288436: Improve Xalan supports
+    + JDK-8294474, CVE-2023-21930, bsc#1210628: Better AES support
+    + JDK-8295304, CVE-2023-21938, bsc#1210632: Runtime support
+      improvements
+    + JDK-8296676, CVE-2023-21937, bsc#1210631: Improve String
+      platform support
+    + JDK-8296684, CVE-2023-21937, bsc#1210631: Improve String
+      platform support
+    + JDK-8296692, CVE-2023-21937, bsc#1210631: Improve String
+      platform support
+    + JDK-8296832, CVE-2023-21939, bsc#1210634: Improve Swing
+      platform support
+    + JDK-8297371: Improve UTF8 representation redux
+    + JDK-8298191, CVE-2023-21954, bsc#1210635: Enhance object
+      reclamation process
+    + JDK-8298310, CVE-2023-21967, bsc#1210636: Enhance TLS session
+      negotiation
+    + JDK-8298667, CVE-2023-21968, bsc#1210637: Improved path
+      handling
+    + JDK-8299129: Enhance NameService lookups
+  * Fixes:
+    + JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
+    + JDK-6779701: Wrong defect ID in the code of test
+      LocalRMIServerSocketFactoryTest.java
+    + JDK-8008243: Zero: Implement fast bytecodes
+    + JDK-8048190: NoClassDefFoundError omits original
+      ExceptionInInitializerError
+    + JDK-8065097: [macosx] javax/swing/Popup/
+      /TaskbarPositionTest.java fails because Popup is one pixel off
+    + JDK-8144030: [macosx] test java/awt/Frame/
+      /ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again)
+    + JDK-8155246: Throw error if default java.security file is
+      missing
+    + JDK-8186765: Speed up test sun/net/www/protocol/https/
+      /HttpsClient/ProxyAuthTest.java
+    + JDK-8192931: Regression test java/awt/font/TextLayout/
+      /CombiningPerf.java fails
+    + JDK-8195809: [TESTBUG] jps and jcmd -l support for
+      containers is not tested
+    + JDK-8208077: File.listRoots performance degradation
+    + JDK-8209935: Test to cover CodeSource.getCodeSigners()
+    + JDK-8210927: JDB tests do not update source path after
+      doing a redefine class
+    + JDK-8212961: [TESTBUG] vmTestbase/nsk/stress/jni/
+      native code cleanup
+    + JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java
+      fails
+    + JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java
+      sometimes detect threads+1 connections
+    + JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize,
+      should be used in TEST.properties
+    + JDK-8231491: JDI tc02x004 failed again due to wrong # of
+      breakpoints
+    + JDK-8235297: sun/security/ssl/SSLSessionImpl/
+      /ResumptionUpdateBoundValues.java fails intermittent
+    + JDK-8242115: C2 SATB barriers are not safepoint-safe
+    + JDK-8244669: convert clhsdb "mem" command from javascript to
+      java
+    + JDK-8245654: Add Certigna Root CA
+    + JDK-8251177: [macosx] The text "big" is truncated in
+      JTabbedPane
+    + JDK-8254267: javax/xml/crypto/dsig/LogParameters.java
+      failed with "RuntimeException: Unexpected log output:"
+    + JDK-8258512: serviceability/sa/TestJmapCore.java timed out on
+      macOS 10.13.6
+    + JDK-8262386: resourcehogs/serviceability/sa/
+      /TestHeapDumpForLargeArray.java timed out
+    + JDK-8266974: duplicate property key in java.sql.rowset
+      resource bundle
+    + JDK-8267038: Update IANA Language Subtag Registry to
+      Version 2022-03-02
+    + JDK-8270156: Add "randomness" and "stress" keys to
+      JTreg tests which use StressGCM, StressLCM and/or StressIGVN
+    + JDK-8270476: Make floating-point test infrastructure
+      more lambda and method reference friendly
+    + JDK-8271471: [IR Framework] Rare occurrence of "" in PrintIdeal/PrintOptoAssembly
+      can let tests fail
+    + JDK-8271838: AmazonCA.java interop test fails
+    + JDK-8272702: Resolving URI relative path with no / may
+      lead to incorrect toString
+    + JDK-8272985: Reference discovery is confused about
+      atomicity and degree of parallelism
+    + JDK-8273154: Provide a JavadocTester method for
+      non-overlapping, unordered output matching
+    + JDK-8273410: IR verification framework fails with
+      "Should find method name in validIrRulesMap"
+    + JDK-8274911: testlibrary_tests/ir_framework/tests/
+      /TestIRMatching.java fails with "java.lang.RuntimeException:
+      Should have thrown exception"
+    + JDK-8275173: testlibrary_tests/ir_framework/tests/
+      /TestCheckedTests.java fails after JDK-8274911
+    + JDK-8275320: NMT should perform buffer overrun checks
+    + JDK-8275301: Unify C-heap buffer overrun checks into NMT
+    + JDK-8275582: Don't purge metaspace mapping lists
+    + JDK-8275704: Metaspace::contains() should be threadsafe
+    + JDK-8275843: Random crashes while the UI code is
+      executed
+    + JDK-8276064: CheckCastPP with raw oop input floats
+      below a safepoint
+    + JDK-8276086: Increase size of metaspace mappings
+    + JDK-8277485: Zero: Fix _fast_{i,f}access_0 bytecodes
+      handling
+    + JDK-8277822: Remove debug-only heap overrun checks in
+      os::malloc and friends
+    + JDK-8277946: NMT: Remove VM.native_memory shutdown jcmd
+      command option
+    + JDK-8277990: NMT: Remove NMT shutdown capability
+    + JDK-8278961: Enable debug logging in java/net/
+      /DatagramSocket/SendDatagramToBadAddress.java
+    + JDK-8279024: Remove javascript references from
+      clhsdb.html
+    + JDK-8279119: src/jdk.hotspot.agent/doc/index.html file
+      contains references to scripts that no longer exist
+    + JDK-8279351: [TESTBUG] SADebugDTest.java does not
+      handle "Address already in use" error
+    + JDK-8279614: The left line of the TitledBorder is not
+      painted on 150 scale factor
+    + JDK-8280007: Enable Neoverse N1 optimizations for Arm
+      Neoverse V1 & N2
+    + JDK-8280048: Missing comma in copyright header
+    + JDK-8280132: Incorrect comparator com.sun.beans.introspect
+      .MethodInfo.MethodOrder
+    + JDK-8280166: Extend java/lang/instrument/
+      /GetObjectSizeIntrinsicsTest.java test cases
+    + JDK-8280553: resourcehogs/serviceability/sa/
+      /TestHeapDumpForLargeArray.java can fail if GC occurs
+    + JDK-8280703: CipherCore.doFinal(...) causes potentially
+      massive byte[] allocations during decryption
+    + JDK-8280784: VM_Cleanup unnecessarily processes all
+      thread oops
+    + JDK-8280868: LineBodyHandlerTest.java creates and
+      discards too many clients
+    + JDK-8280889: java/lang/instrument/
+      /GetObjectSizeIntrinsicsTest.java fails with
+      -XX:-UseCompressedOops
+    + JDK-8280896: java/nio/file/Files/probeContentType/
+      /Basic.java fails on Windows 11
+    + JDK-8281122: [IR Framework] Cleanup IR matching code in
+      preparation for JDK-8280378
+    + JDK-8281170: Test jdk/tools/jpackage/windows/
+      /WinInstallerIconTest always fails on Windows 11
+    + JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java
+      to stop HttpServer cleanly in case of exceptions
+    + JDK-8282143: Objects.requireNonNull should be
+      ForceInline
+    + JDK-8282577: ICC_Profile.setData(int, byte[])
+      invalidates the profile
+    + JDK-8282771: Create test case for JDK-8262981
+    + JDK-8282958: Rendering Issues with Borders on Windows
+      High-DPI systems
+    + JDK-8283606: Tests may fail with zh locale on MacOS
+    + JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/
+      /thread001 failed due to SocketTimeoutException
+    + JDK-8283719: java/util/logging/CheckZombieLockTest.java
+      failing intermittently
+    + JDK-8283870: jdeprscan --help causes an exception when
+      the locale is ja, zh_CN or de
+    + JDK-8284115: [IR Framework] Compilation is not found due to
+      rare safepoint while dumping PrintIdeal/PrintOptoAssembly
+    + JDK-8284165: Add pid to process reaper thread name
+    + JDK-8284524: Create an automated test for JDK-4422362
+    + JDK-8284726: Print active locale settings in hs_err
+      reports and in VM.info
+    + JDK-8284767: Create an automated test for JDK-4422535
+    + JDK-8285399: JNI exception pending in
+      awt_GraphicsEnv.c:1432
+    + JDK-8285690: CloneableReference subtest should not
+      throw CloneNotSupportedException
+    + JDK-8285755: JDK-8285093 changed the default for
+      --with-output-sync
+    + JDK-8285835: SIGSEGV in
+      PhaseIdealLoop::build_loop_late_post_work
+    + JDK-8285919: Remove debug printout from JDK-8285093
+    + JDK-8285965: TestScenarios.java does not check for
+      "" correctly
+    + JDK-8286030: Avoid JVM crash when containers share the
+      same /tmp dir
+    + JDK-8286154: Fix 3rd party notices in test files
+    + JDK-8286562: GCC 12 reports some compiler warnings
+    + JDK-8286694: Incorrect argument processing in java
+      launcher
+    + JDK-8286705: GCC 12 reports use-after-free potential
+      bugs
+    + JDK-8286707: JFR: Don't commit JFR internal
+      jdk.JavaMonitorWait events
+    + JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is
+      too strong
+    + JDK-8286844: com/sun/jdi/RedefineCrossEvent.java failed
+      with 1 threads completed while VM suspended
+    + JDK-8286873: Improve websocket test execution time
+    + JDK-8286962: java/net/httpclient/ServerCloseTest.java
+      failed once with ConnectException
+    + JDK-8287180: Update IANA Language Subtag Registry to
+      Version 2022-08-08
+    + JDK-8287217: C2: PhaseCCP: remove not visited nodes,
+      prevent type inconsistency
+    + JDK-8287491: compiler/jvmci/errors/TestInvalidDebugInfo.java
+      fails new assert:  assert((uint)t < T_CONFLICT + 1) failed:
+      invalid type #
+    + JDK-8287593: ShortResponseBody could be made more
+      resilient to rogue connections
+    + JDK-8287754: Update jib GNU make dependency on Windows
+      to latest cygwin build
+    + JDK-8288005: HotSpot build with disabled PCH fails for
+      Windows AArch64
+    + JDK-8288130: compiler error with AP and explicit record
+      accessor
+    + JDK-8288332: Tier1 validate-source fails after 8279614
+    + JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java
+      is unstable in MacOS machines
+    + JDK-8288854: getLocalGraphicsEnvironment() on for
+      multi-screen setups throws exception NPE
+    + JDK-8289400: Improve com/sun/jdi/TestScaffold error
+      reporting
+    + JDK-8289440: Remove vmTestbase/nsk/monitoring/MemoryPoolMBean/
+      /isCollectionUsageThresholdExceeded/isexceeded003 from
+      ProblemList.txt
+    + JDK-8289508: Improve test coverage for XPath Axes: ancestor,
+      ancestor-or-self, preceding, and preceding-sibling
+    + JDK-8289511: Improve test coverage for XPath Axes: child
+    + JDK-8289647: AssertionError during annotation
+      processing of record related tests
+    + JDK-8289948: Improve test coverage for XPath functions:
+      Node Set Functions
+    + JDK-8290067: Show stack dimensions in UL logging when
+      attaching threads
+    + JDK-8290083: ResponseBodyBeforeError: AssertionError or
+      SSLException: Unsupported or unrecognized SSL message
+    + JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/
+      /Basic.java fails on some systems for the ".rar" extension
+    + JDK-8290322: Optimize Vector.rearrange over byte
+      vectors for AVX512BW targets.
+    + JDK-8290836: Improve test coverage for XPath functions:
+      String Functions
+    + JDK-8290837: Improve test coverage for XPath functions:
+      Boolean Functions
+    + JDK-8290838: Improve test coverage for XPath functions:
+      Number Functions
+    + JDK-8290850: C2: create_new_if_for_predicate() does not
+      clone pinned phi input nodes resulting in a broken graph
+    + JDK-8290899: java/lang/String/StringRepeat.java test
+      requests too much heap on windows x86
+    + JDK-8290964: C2 compilation fails with assert
+      "non-reduction loop contains reduction nodes"
+    + JDK-8291825: java/time/nontestng/java/time/zone/
+      /CustomZoneNameTest.java fails if defaultLocale and
+      defaultFormatLocale are different
+    + JDK-8292033: Move jdk.X509Certificate event logic to
+      JCA layer
+    + JDK-8292066: Convert TestInputArgument.sh and
+      TestSystemLoadAvg.sh to java version
+    + JDK-8292159: TYPE_USE annotations on generic type
+      arguments of record components discarded
+    + JDK-8292177: InitialSecurityProperty JFR event
+    + JDK-8292285: C2: remove unreachable block after
+      NeverBranch-to-Goto conversion
+    + JDK-8292297: Fix up loading of override java.security
+      properties file
+    + JDK-8292328: AccessibleActionsTest.java test
+      instruction for show popup on JLabel did not specify shift key
+    + JDK-8292443: Weak CAS VarHandle/Unsafe tests should
+      test always-failing cases
+    + JDK-8292602: ZGC: C2 late barrier analysis uses invalid
+      dominator information
+    + JDK-8292660: C2: blocks made unreachable by
+      NeverBranch-to-Goto conversion are removed incorrectly
+    + JDK-8292780: misc tests failed "assert(false) failed:
+      graph should be schedulable"
+    + JDK-8292877: java/util/concurrent/atomic/Serial.java uses
+      {Double,Long}Accumulator incorrectly
+    + JDK-8293000: Review running times of jshell regression tests
+    + JDK-8293326: jdk/sun/security/tools/jarsigner/compatibility/
+      /SignTwice.java slow on Windows
+    + JDK-8293466: libjsig should ignore non-modifying
+      sigaction calls
+    + JDK-8293493: Signal Handlers printout should show
+      signal block state
+    + JDK-8293531: C2: some vectorapi tests fail assert "Not
+      monotonic" with flag -XX:TypeProfileLevel=222
+    + JDK-8293562: KeepAliveCache Blocks Threads while
+      Closing Connections
+    + JDK-8293691: converting a defined BasicType value to a
+      string should not crash the VM
+    + JDK-8293767: AWT test TestSinhalaChar.java has old SCCS
+      markings
+    + JDK-8293819: sun/util/logging/PlatformLoggerTest.java
+      failed with "RuntimeException: Retrieved backing
+      PlatformLogger level null is not the expected CONFIG"
+    + JDK-8293965: Code signing warnings after JDK-8293550
+    + JDK-8293996: C2: fix and simplify
+      IdealLoopTree::do_remove_empty_loop
+    + JDK-8294160: misc crash dump improvements
+    + JDK-8294217: Assertion failure: parsing found no loops
+      but there are some
+    + JDK-8294310: compare.sh fails on macos after JDK-8293550
+    + JDK-8294378: URLPermission constructor exception when
+      using tr locale
+    + JDK-8294538: missing is_unloading() check in
+      SharedRuntime::fixup_callers_callsite()
+    + JDK-8294548: Problem list SA core file tests on
+      macosx-x64 due to JDK-8294316
+    + JDK-8294580: frame::interpreter_frame_print_on()
+      crashes if free BasicObjectLock exists in frame
+    + JDK-8294677: chunklevel::MAX_CHUNK_WORD_SIZE too small
+      for some applications
+    + JDK-8294705: Disable an assertion in test/jdk/java/util/
+      /DoubleStreamSums/CompensatedSums.java
+    + JDK-8294902: Undefined Behavior in C2 regalloc with
+      null references
+    + JDK-8294947: Use 64bit atomics in patch_verified_entry
+      on x86_64
+    + JDK-8294958: java/net/httpclient/ConnectTimeout tests
+      are slow
+    + JDK-8295000: java/util/Formatter/Basic test cleanup
+    + JDK-8295066: Folding of loads is broken in C2 after
+      JDK-8242115
+    + JDK-8295116: C2: assert(dead->outcnt() == 0 &&
+      !dead->is_top()) failed: node must be dead
+    + JDK-8295211: Fix autoconf 2.71 warning
+      "AC_CHECK_HEADERS: you should use literals"
+    + JDK-8295413: com/sun/jdi/EATests.java fails with
+      compiler flag -XX:+StressReflectiveCode
+    + JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD
+      file
+    + JDK-8295530: Update Zlib Data Compression Library to
+      Version 1.2.13
+    + JDK-8295685: Update Libpng to 1.6.38
+    + JDK-8295724: VirtualMachineError: Out of space in
+      CodeCache for method handle intrinsic
+    + JDK-8298947: compiler/codecache/
+      /MHIntrinsicAllocFailureTest.java fails intermittently
+    + JDK-8295774: Write a test to verify List sends
+      ItemEvent/ActionEvent
+    + JDK-8295777: java/net/httpclient/ConnectExceptionTest.java
+      should not rely on system resolver
+    + JDK-8295788: C2 compilation hits "assert((mode ==
+      ControlAroundStripMined && use == sfpt) ||
+      !use->is_reachable_from_root()) failed: missed a node"
+    + JDK-8296136: Use correct register in
+      aarch64_enc_fast_unlock()
+    + JDK-8296239: ISO 4217 Amendment 174 Update
+    + JDK-8296329: jar validator doesn't account for minor
+      class file version
+    + JDK-8296389: C2: PhaseCFG::convert_NeverBranch_to_Goto
+      must handle both orders of successors 8298568: Fastdebug
+      build fails after JDK-8296389
+    + JDK-8296548: Improve MD5 intrinsic for x86_64
+    + JDK-8296611: Problemlist several sun/security tests
+      until JDK-8295343 is resolved
+    + JDK-8296619: Upgrade jQuery to 3.6.1
+    + JDK-8296675: Exclude linux-aarch64 in NSS tests
+    + JDK-8296878: Document Filter attached to JPasswordField
+      and setText("") is not cleared instead inserted characters
+      replaced with unicode null characters
+    + JDK-8296904: Improve handling of macos xcode toolchain
+    + JDK-8296912: C2: CreateExNode::Identity fails with
+      assert(i < _max) failed: oob: i=1, _max=1
+    + JDK-8296924: C2:
+      assert(is_valid_AArch64_address(dest.target())) failed: bad
+      address
+    + JDK-8297088: Update LCMS to 2.14
+    + JDK-8297211: Expensive fillInStackTrace operation in
+      HttpURLConnection.getOutputStream0 when no content-length in
+      response
+    + JDK-8297259: Bump update version for OpenJDK: jdk-17.0.7
+    + JDK-8297264: C2: Cast node is not processed again in
+      CCP and keeps a wrong too narrow type which is later replaced
+      by top
+    + JDK-8297431: [JVMCI] HotSpotJVMCIRuntime.encodeThrowable
+      should not throw an exception
+    + JDK-8297437: javadoc cannot link to old docs (with old
+      style anchors)
+    + JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG
+      misses result - NULL check
+    + JDK-8297489: Modify TextAreaTextEventTest.java as to
+      verify the content change of TextComponent sends TextEvent
+    + JDK-8297523: Various GetPrimitiveArrayCritical miss
+      result - NULL check
+    + JDK-8297569: URLPermission constructor throws
+      IllegalArgumentException: Invalid characters in hostname
+      after JDK-8294378
+    + JDK-8297642: PhaseIdealLoop::only_has_infinite_loops
+      must detect all loops that never lead to termination
+    + JDK-8297951: C2: Create skeleton predicates for all If
+      nodes in loop predication
+    + JDK-8297959: Provide better descriptions for some
+      Operating System JFR events
+    + JDK-8297963: Partially fix string expansion issues in
+      UTIL_DEFUN_NAMED and related macros
+    + JDK-8298027: Remove SCCS id's from awt jtreg tests
+    + JDK-8298035: Provide better descriptions for JIT
+      compiler JFR events
+    + JDK-8298073: gc/metaspace/
+      /CompressedClassSpaceSizeInJmapHeap.java causes test task
+      timeout on macosx
+    + JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out
+      after 8 minutes
+    + JDK-8298093: improve cleanup and error handling of
+      awt_parseColorModel in awt_parseImage.c
+    + JDK-8298108: Add a regression test for JDK-8297684
+    + JDK-8298129: Let checkpoint event sizes grow beyond u4
+      limit
+    + JDK-8298271: java/security/SignedJar/spi-calendar-provider/
+      /TestSPISigned.java failing on Windows
+    + JDK-8298459: Fix msys2 linking and handling out of tree
+      build directory for source zip creation
+    + JDK-8298472: AArch64: Detect Ampere-1 and Ampere-1A
+      CPUs and set default options
+    + JDK-8298527: Cygwin's uname -m returns different string
+      than before
+    + JDK-8298588: WebSockets: HandshakeUrlEncodingTest
+      unnecessarily depends on a response body
+    + JDK-8298649: JFR: RemoteRecordingStream support for
+      checkpoint event sizes beyond u4
+    + JDK-8298726: (fs) Change PollingWatchService to record
+      last modified time as FileTime rather than milliseconds
+    + JDK-8299015: Ensure that
+      HttpResponse.BodySubscribers.ofFile writes all bytes
+    + JDK-8299018: java/net/httpclient/HttpsTunnelAuthTest.java
+      fails with java.io.IOException: HTTP/1.1 header parser
+      received no bytes
+    + JDK-8299194: CustomTzIDCheckDST.java may fail at future
+      date
+    + JDK-8299296: Write a test to verify the components
+      selection sends ItemEvent
+    + JDK-8299388: java/util/regex/NegativeArraySize.java
+      fails on Alpine and sometimes Windows
+    + JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java
+      fails on SLES12 ppc64le when testing Memory and Swap Limit
+    + JDK-8299439: java/text/Format/NumberFormat/
+      /CurrencyFormat.java fails for hr_HR
+    + JDK-8299483: ProblemList java/text/Format/NumberFormat/
+      /CurrencyFormat.java
+    + JDK-8299470: sun/jvm/hotspot/SALauncher.java handling
+      of negative rmiport args
+    + JDK-8299497: Usage of constructors of primitive wrapper
+      classes should be avoided in java.desktop API docs
+    + JDK-8299520: TestPrintXML.java output error messages in
+      case compare fails
+    + JDK-8299597: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.7
+    + JDK-8299657: sun/tools/jhsdb/SAGetoptTest.java fails
+      after 8299470
+    + JDK-8299671: Speed up compiler/intrinsics/string/
+      /TestStringLatin1IndexOfChar.java
+    + JDK-8299789: Compilation of gtest causes build to fail
+      if runtime libraries are in different dirs
+    + JDK-8299957: Enhance error logging in instrument coding
+      with additional jplis_assert_msg
+    + JDK-8299970: Speed up compiler/arraycopy/
+      /TestArrayCopyConjoint.java
+    + JDK-8300119: CgroupMetrics.getTotalMemorySize0() can
+      report invalid results on 32 bit systems
+    + JDK-8300205: Swing test bug8078268 make latch timeout
+      configurable
+    + JDK-8300266: Detect Virtualization on Linux aarch64
+    + JDK-8300490: Spaces in name of MacOS Code Signing
+      Identity are not correctly handled after JDK-8293550
+    + JDK-8300590: [JVMCI] BytecodeFrame.equals is broken
+    + JDK-8300642: [17u,11u] Fix
+      DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
+    + JDK-8300692: GCC 12 reports some compiler warnings in
+      bundled freetype
+    + JDK-8300751: [17u] Remove duplicate entry in
+      javac.properties
+    + JDK-8300773: Address the inconsistency between the
+      constant array and pool size
+    + JDK-8301170: perfMemory_windows.cpp add
+      free_security_attr to early returns
+    + JDK-8301342: Prefer ArrayList to LinkedList in
+      LayoutComparator
+    + JDK-8301397: [11u, 17u] Bump jtreg to fix issue with
+      build JDK 11.0.18
+    + JDK-8301760: Fix possible leak in SpNegoContext dispose
+    + JDK-8301842: JFR: increase checkpoint event size for
+      stacktrace and string pool
+    + JDK-8302152: Speed up tests with infinite loops, sleep
+      less
+    + JDK-8302692: [17u] Update GHA Boot JDK to 17.0.6
+    + JDK-8302879: doc/building.md update link to jtreg builds
+    + JDK-8304871: Use default visibility for static library
+      builds
+- Modified patch:
+  * fips.patch
+    + refetch from git repository with our changes merged in
+- Added patch:
+  * JDK-8303509.patch
+    + upstream fix for JDK-8303509, bsc#1209333: Socket
+      setTrafficClass does not work for IPv4 connections when IPv6
+      is enabled
+
+-------------------------------------------------------------------
+Fri Feb 17 13:19:03 UTC 2023 - Fridrich Strba 
+
+- Remove the accessibility sub-package, since it was never really
+  working and creates another problems (bsc#1206549). It can
+  eventually be built as standalone if needed
+- Removed patches:
+  * jaw-jdk10.patch
+  * jaw-misc.patch
+  * jaw-nogtk.patch
+    + not needed after the removal of the accessibility sub-package
+
+-------------------------------------------------------------------
+Fri Feb 10 23:00:56 UTC 2023 - Fridrich Strba 
+
+- Modified patch:
+  * fips.patch
+    + avoid calling C_GetInfo() too early, before cryptoki is
+      initialized (bsc#1205916)
+
+-------------------------------------------------------------------
+Tue Feb  7 07:25:36 UTC 2023 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.6+10 (January 2023 CPU)
+  * CVEs
+    + CVE-2023-21835, bsc#1207246
+    + CVE-2023-21843, bsc#1207248
+  * Security fixes
+    + JDK-8286070: Improve UTF8 representation
+    + JDK-8286496: Improve Thread labels
+    + JDK-8287411: Enhance DTLS performance
+    + JDK-8288516: Enhance font creation
+    + JDK-8289350: Better media supports
+    + JDK-8293554: Enhanced DH Key Exchanges
+    + JDK-8293598: Enhance InetAddress address handling
+    + JDK-8293717: Objective view of ObjectView
+    + JDK-8293734: Improve BMP image handling
+    + JDK-8293742: Better Banking of Sounds
+    + JDK-8295687: Better BMP bounds
+  * Other changes
+    + JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/
+      /ScreenInsetsTest.java fails in Windows
+    + JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+    + JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/
+      /Receiver/bug6186488.java fails
+    + JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/
+      /OnScreenRenderingResizeTest.java fails
+    + JDK-8029633: Raw inner class constructor ref should not
+      perform diamond inference
+    + JDK-8030121: java/awt/dnd/MissingDragExitEventTest/
+      /MissingDragExitEventTest.java fails
+    + JDK-8065422: Trailing dot in hostname causes TLS handshake to
+      fail with SNI disabled
+    + JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/
+      /RobotWheelTest.java fails
+    + JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/
+      /ModalInternalFrameTest.java
+    + JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/
+      /MultiresolutionIconTest.java
+    + JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java
+      failed with timeout
+    + JDK-8202836: [macosx] test
+      java/awt/Graphics/TextAAHintsTest.java fails
+    + JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails
+      to find '^\s+- waiting to
+      lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
+    + JDK-8222323: ChildAlwaysOnTopTest.java fails with
+      "RuntimeException: Failed to unset alwaysOnTop"
+    + JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on
+      macOs
+    + JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java
+      fails on macos
+    + JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on
+      macos
+    + JDK-8244670: convert clhsdb "whatis" command from javascript
+      to java
+    + JDK-8251466: test/java/io/File/GetXSpace.java fails on
+      Windows with mapped network drives.
+    + JDK-8255439: System Tray icons get corrupted when Windows
+      scaling changes
+    + JDK-8256811: Delayed/missed jdwp class unloading events
+    + JDK-8257722: Improve "keytool -printcert -jarfile" output
+    + JDK-8262721: Add Tests to verify single iteration loops are
+      properly optimized
+    + JDK-8265489: Stress test times out because of long
+      ObjectSynchronizer::monitors_iterate(...) operation
+    + JDK-8266082: AssertionError in Annotate.fromAnnotations with
+      -Xdoclint
+    + JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al
+    + JDK-8267138: Stray suffix when starting gtests via
+      GTestWrapper.java
+    + JDK-8268033: compiler/intrinsics/bmi/verifycode/
+      /BzhiTestI2L.java fails with "fatal error: Not compilable at
+      tier 3: CodeBuffer overflow"
+    + JDK-8268276: Base64 Decoding optimization for x86 using
+      AVX-512
+    + JDK-8268297: jdk/jfr/api/consumer/streaming/
+      /TestLatestEvent.java times out
+    + JDK-8268779: ZGC: runtime/InternalApi/
+      /ThreadCpuTimesDeadlock.java#id1 failed with
+      "OutOfMemoryError: Java heap space"
+    + JDK-8269029: compiler/codegen/TestCharVect2.java fails for
+      client VMs
+    + JDK-8269404: Base64 Encoding optimization enhancements for
+      x86 using AVX-512
+    + JDK-8269571: NMT should print total malloc bytes and
+      invocation count
+    + JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/
+      /stress/jni/nativeAndMH/Test.java crash with small heap
+      (-Xmx50m)
+    + JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using
+      the condy helper methods in the interpreter
+    + JDK-8270155: ARM32: Improve register dump in hs_err
+    + JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java
+      does not show instruction
+    + JDK-8270848: Redundant unsafe opmask register allocation in
+      some instruction patterns.
+    + JDK-8270947: AArch64: C1: use zero_words to initialize all
+      objects
+    + JDK-8271015: Split cds/SharedBaseAddress.java test into
+      smaller parts
+    + JDK-8271834: TestStringDeduplicationAgeThreshold intermittent
+      failures on Shenandoah
+    + JDK-8271956: AArch64: C1 build failed after JDK-8270947
+    + JDK-8272094: compiler/codecache/TestStressCodeBuffers.java
+      crashes with "failed to allocate space for trampoline"
+    + JDK-8272123: Problem list 4 jtreg tests which regularly fail
+      on macos-aarch64
+    + JDK-8272608: java_lang_System::allow_security_manager()
+      doesn't set its initialization flag
+    + JDK-8272776: NullPointerException not reported
+    + JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after
+      8270947
+    + JDK-8272809: JFR thread sampler SI_KERNEL SEGV in
+      metaspace::VirtualSpaceList::contains
+    + JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
+    + JDK-8273108: RunThese24H crashes with SEGV in
+      markWord::displaced_mark_helper() after JDK-8268276
+    + JDK-8273236: keytool does not accurately warn about
+       algorithms that are disabled but have additional constraints
+    + JDK-8273380: ARM32: Default to {ldrexd,strexd} in
+      StubRoutines::atomic_{load|store}_long
+    + JDK-8273459: Update code segment alignment to 64 bytes
+    + JDK-8273497: building.md should link to both md and html
+    + JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also
+      has similar error of JDK-8253368
+    + JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails
+      on macOS 12
+    + JDK-8273685: Remove jtreg tag manual=yesno for
+      java/awt/Graphics/LCDTextAndGraphicsState.java & show test
+      instruction
+    + JDK-8273880: Zero: Print warnings when unsupported intrinsics
+      are enabled
+    + JDK-8273881: Metaspace: test repeated deallocations
+    + JDK-8274029: Remove jtreg tag manual=yesno for
+      java/awt/print/Dialog/DialogOrient.java
+    + JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/
+      /PrinterJob/ImagePrinting/ImageTypes.java & show test UI
+    + JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/
+      /Common.java delay is too high
+    + JDK-8274296: Update or Problem List tests which may fail with
+      uiScale=2 on macOS
+    + JDK-8274456: Remove jtreg tag manual=yesno
+      java/awt/print/PrinterJob/PageDialogTest.java
+    + JDK-8274527: Minimal VM build fails after JDK-8273459
+    + JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java
+      fails when GC cycles are not happening
+    + JDK-8274903: Zero: Support AsyncGetCallTrace
+    + JDK-8275170: Some jtreg sound tests should be marked with
+      sound keyword
+    + JDK-8275234: java/awt/GraphicsDevice/DisplayModes/
+      /CycleDMImage.java is entered twice in ProblemList
+    + JDK-8275535: Retrying a failed authentication on multiple
+      LDAP servers can lead to users blocked
+    + JDK-8275569: Add linux-aarch64 to test-make profiles
+    + JDK-8276108: Wrong instruction generation in aarch64 backend
+    + JDK-8276904: Optional.toString() is unnecessarily expensive
+    + JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default
+      fails with "RuntimeException: Committed seems high: NNNN
+      expected at most MMMM"
+    + JDK-8277346: ProblemList 7 serviceability/sa tests on
+      macosx-x64
+    + JDK-8277351: ProblemList runtime/jni/checked/
+      /TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
+    + JDK-8277358: Accelerate CRC32-C
+    + JDK-8277411: C2 fast_unlock intrinsic on AArch64 has
+      unnecessary ownership check
+    + JDK-8277576: ProblemList runtime/ErrorHandling/
+      /CreateCoredumpOnCrash.java on macosx-X64
+    + JDK-8277577: ProblemList compiler/onSpinWait/
+      /TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
+    + JDK-8277578: ProblemList applications/jcstress/acqrel.java on
+      linux-aarch64
+    + JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with
+      wrong initial heap size
+    + JDK-8277881: Missing SessionID in TLS1.3 resumption in
+      compatibility mode
+    + JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
+    + JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/
+      /NoInvalidateSocketException.java fails with "tag mismatch"
+    + JDK-8278826: Print error if Shenandoah flags are empty
+      (instead of crashing)
+    + JDK-8279066: entries.remove(entry) is useless in
+      PKCS12KeyStore
+    + JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java
+      failed with "RuntimeException: getStopTime() > afterStop"
+    + JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed
+      out
+    + JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail
+      due to unexpected GC
+    + JDK-8279941: sun/security/pkcs11/Signature/
+      /TestDSAKeyLength.java fails when NSS version detection fails
+    + JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on
+      large machines
+    + JDK-8280124: Reduce branches decoding latin-1 chars from
+      UTF-8 encoded bytes
+    + JDK-8280234: AArch64 "core" variant does not build after
+      JDK-8270947
+    + JDK-8280391: NMT: Correct NMT tag on CollectedHeap
+    + JDK-8280511: AArch64: Combine shift and negate to a single
+      instruction
+    + JDK-8280554: resourcehogs/serviceability/sa/
+      /ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is
+      triggered
+    + JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java
+      is failing due to ObjectMonitor referencing a null Object
+    + JDK-8280872: Reorder code cache segments to improve code
+      density
+    + JDK-8280890: Cannot use '-Djava.system.class.loader' with
+      class loader in signed JAR
+    + JDK-8280948: Write a regression test for JDK-4659800
+    + JDK-8281296: Create a regression test for JDK-4515999
+    + JDK-8281744: x86: Use short jumps in
+      TIG::set_vtos_entry_points
+    + JDK-8282049: AArch64: Use ZR for integer zero immediate
+      volatile stores
+    + JDK-8282276: Problem list failing two Robot Screen Capture
+      tests
+    + JDK-8282347: AARCH64: Untaken branch in has_negatives stub
+    + JDK-8282398: EndingDotHostname.java test fails because SSL
+      cert expired
+    + JDK-8282402: Create a regression test for JDK-4666101
+    + JDK-8282511: Use fixed certificate validation date in
+      SSLExampleCert template
+    + JDK-8282528: AArch64: Incorrect replicate2L_zero rule
+    + JDK-8282600: SSLSocketImpl should not use user_canceled
+      workaround when not necessary
+    + JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/
+      /LoadUnloadGC2.java fails intermittently with exit code 1
+    + JDK-8282730: LdapLoginModule throw NPE from logout method
+      after login failure
+    + JDK-8282777: Create a Regression test for JDK-4515031
+    + JDK-8282857: Create a regression test for JDK-4702690
+    + JDK-8283059: Uninitialized warning in check_code.c with GCC
+      11.2
+    + JDK-8283199: Linux os::cpu_microcode_revision() stalls cold
+      startup
+    + JDK-8283298: Make CodeCacheSegmentSize a product flag
+    + JDK-8283337: Posix signal handler modification warning
+      triggering incorrectly
+    + JDK-8283353: compiler/c2/cr6865031/Test.java and
+      compiler/runtime/Test6826736.java fails on x86_32
+    + JDK-8283383: [macos] a11y : Screen magnifier shows extra
+      characters (0) at the end JButton accessibility name
+    + JDK-8283999: Update JMH devkit to 1.35
+    + JDK-8284533: Improve InterpreterCodelet data footprint
+    + JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with
+      "RuntimeException: for CodeHeap < 250MB the far jump is
+      expected to be encoded with a single branch instruction"
+    + JDK-8284690: [macos] VoiceOver : Getting
+      java.lang.IllegalArgumentException: Invalid location on
+      Editable JComboBox
+    + JDK-8284732: FFI_GO_CLOSURES macro not defined but required
+      for zero build on Mac OS X
+    + JDK-8284752: Zero does not build on Mac OS X due to missing
+      os::current_thread_enable_wx implementation
+    + JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java
+      failed with "AssertionError: Expected IOException to be
+      thrown, but nothing was thrown"
+    + JDK-8284892: java/net/httpclient/http2/TLSConnection.java
+      fails intermittently
+    + JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java
+      times out with -Xcomp  -XX:+DeoptimizeALot
+    + JDK-8285093: Introduce UTIL_ARG_WITH
+    + JDK-8285305: Create an automated test for JDK-4495286
+    + JDK-8285373: Create an automated test for JDK-4702233
+    + JDK-8285604: closed sun/java2d/GdiRendering/
+      /ClipShapeRendering.java failed with "Incorrect color ffeeeeee
+      instead of ff0000ff in pixel (100, 100)"
+    + JDK-8285612: Remove jtreg tag manual=yesno for
+      java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
+    + JDK-8285687: Remove jtreg tag manual=yesno for
+      java/awt/print/PrinterJob/PageRangesDlgTest.java
+    + JDK-8285698: Create a test to check the focus stealing of
+      JPopupMenu from JComboBox
+    + JDK-8285794: AsyncGetCallTrace might acquire a lock via
+      JavaThread::thread_from_jni_environment
+    + JDK-8285836: sun/net/www/http/KeepAliveCache/
+      /KeepAliveProperty.java failed with "RuntimeException: Failed
+      in server"
+    + JDK-8286172: Create an automated test for JDK-4516019
+    + JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed
+      with "RuntimeException: testCurrentTimeMillis failed with -3"
+    + JDK-8286313: [macos] Voice over reads the boolean value as
+      null in the JTable
+    + JDK-8286452: The array length of testSmallConstArray should
+      be small and const
+    + JDK-8286460: Remove dependence on JAR filename in CDS tests
+    + JDK-8286551: JDK-8286460 causes tests to fail to compile in
+      Tier2
+    + JDK-8286624: Regression Test CoordinateTruncationBug.java
+      fails on OL8.3
+    + JDK-8286663: Resolve IDE warnings in WTrayIconPeer and
+      SystemTray
+    + JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/
+      /DropTargetInInternalFrameTest.html times out and fails in
+      Windows
+    + JDK-8286872: Refactor add/modify notification icon (TrayIcon)
+    + JDK-8287011: Improve container information
+    + JDK-8287076: Document.normalizeDocument() produces different
+      results
+    + JDK-8287349: AArch64: Merge LDR instructions to improve C1
+      OSR performance
+    + JDK-8287425: Remove unnecessary register push for
+      MacroAssembler::check_klass_subtype_slow_path
+    + JDK-8287609: macOS: SIGSEGV at [CoreFoundation]
+      CFArrayGetCount / sun.font.CFont.getTableBytesNative
+    + JDK-8287740: NSAccessibilityShowMenuAction not working for
+      text editors
+    + JDK-8287826: javax/accessibility/4702233/
+      /AccessiblePropertiesTest.java fails to compile
+    + JDK-8288132: Update test artifacts in QuoVadis CA interop
+      tests
+    + JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit
+      compiling xerces
+    + JDK-8288377: [REDO] DST not applying properly with zone id
+      offset set with TZ env variable
+    + JDK-8288445: AArch64: C2 compilation fails with
+      guarantee(!true || (true && (shift != 0))) failed: impossible
+      encoding
+    + JDK-8288651: CDS test HelloUnload.java should not use literal
+      string as ClassLoader name
+    + JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata
+       type support
+    + JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java
+      fails on linux ppc64le machine with missing Memory and Swap
+      Limit output
+    + JDK-8289257: Some custom loader tests failed due to symbol
+      refcount not decremented
+    + JDK-8289301: P11Cipher should not throw out of bounds
+      exception during padding
+    + JDK-8289524: Add JFR JIT restart event
+    + JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test
+      fails with java.lang.NullPointerException
+    + JDK-8289562: Change bugs.java.com and bugreport.java.com
+      URL's to https
+    + JDK-8290207: Missing notice in dom.md
+    + JDK-8290209: jcup.md missing additional text
+    + JDK-8290374: Shenandoah: Remove inaccurate comment on
+      SBS::load_reference_barrier()
+    + JDK-8290451: Incorrect result when switching to C2 OSR
+      compilation from C1
+    + JDK-8290529: C2: assert(BoolTest(btest).is_canonical())
+      failure
+    + JDK-8290532: Adjust PKCS11Exception and handle more PKCS11
+      error codes
+    + JDK-8290687: serviceability/sa/TestClassDump.java could leave
+      files owned by root on macOS
+    + JDK-8290705: StringConcat::validate_mem_flow asserts with
+      "unexpected user: StoreI"
+    + JDK-8290711: assert(false) failed: infinite loop in
+      PhaseIterGVN::optimize
+    + JDK-8290781: Segfault at
+      PhaseIdealLoop::clone_loop_handle_data_uses
+    + JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java
+      failed with "RuntimeException: No JIT restart event found:
+      expected true, was false"
+    + JDK-8290908: misc tests fail: assert(!thread->owns_locks())
+      failed: must release all locks when leaving VM
+    + JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is
+      false
+    + JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed
+      with: Wrong number of class unload events: expected 10 got 4
+    + JDK-8291459: JVM crash with GenerateOopMap::error_work(char
+      const*, __va_list_tag*)
+    + JDK-8291599: Assertion in
+      PhaseIdealLoop::skeleton_predicate_has_opaque after
+      JDK-8289127
+    + JDK-8291650: Add delay to ClassUnloadEventTest before exiting
+      to give time for JVM to send all events before VMDeath
+    + JDK-8291775: C2: assert(r != __null && r->is_Region())
+      failed: this phi must have a region
+    + JDK-8292083: Detected container memory limit may exceed
+      physical machine memory
+    + JDK-8292158: AES-CTR cipher state corruption with AVX-512
+    + JDK-8292385: assert(ctrl == kit.control()) failed: Control
+      flow was added although the intrinsic bailed out
+    + JDK-8292541: [Metrics] Reported memory limit may exceed
+      physical machine memory
+    + JDK-8292586: simplify cleanups in NTLMAuthSequence
+      getCredentialsHandle
+    + JDK-8292682: Code change of JDK-8282730 not updated to
+      reflect CSR update
+    + JDK-8292695: SIGQUIT and jcmd attaching mechanism does not
+      work with signal chaining library
+    + JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString
+      wrong placing of free
+    + JDK-8292816: GPL Classpath exception missing from
+      assemblyprefix.h
+    + JDK-8292866:
+      Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check
+      MultiByteToWideChar return value for failures
+    + JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due
+      to classes not unloading
+    + JDK-8292880: Improve debuggee logging for
+      com/sun/jdi/ClassUnloadEventTest.java
+    + JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
+    + JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX
+      platform
+    + JDK-8292903: enhance round_up_power_of_2 assertion output
+    + JDK-8293010: JDI ObjectReference/referringObjects/
+      /referringObjects001 fails:
+      assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed:
+      checking
+    + JDK-8293044: C1: Missing access check on non-accessible class
+    + JDK-8293232: Fix race condition in pkcs11 SessionManager
+    + JDK-8293319: [C2 cleanup] Remove unused other_path arg in
+      Parse::adjust_map_after_if
+    + JDK-8293472: Incorrect container resource limit detection if
+      manual cgroup fs mounts present
+    + JDK-8293489: Accept CAs with BasicConstraints without
+      pathLenConstraint
+    + JDK-8293535: jdk/javadoc/doclet/testJavaFX/
+      /TestJavaFxMode.java fail with jfx
+    + JDK-8293540: [Metrics] Incorrectly detected resource limits
+      with additional cgroup fs mounts
+    + JDK-8293550: Optionally add get-task-allow entitlement to
+      macos binaries
+    + JDK-8293578: Duplicate ldc generated by javac
+    + JDK-8293657: sun/management/jmxremote/bootstrap/
+      /RmiBootstrapTest.java#id1 failed with "SSLHandshakeException:
+      Remote host terminated the handshake"
+    + JDK-8293659: Improve UnsatisfiedLinkError error message to
+      include dlopen error details
+    + JDK-8293672: Update freetype md file
+    + JDK-8293701: jdeps InverseDepsAnalyzer runs into
+      NoSuchElementException: No value present
+    + JDK-8293808: mscapi destroyKeyContainer enhance
+      KeyStoreException: Access is denied exception
+    + JDK-8293815: P11PSSSignature.engineUpdate should not print
+      debug messages during normal operation
+    + JDK-8293816: CI: ciBytecodeStream::get_klass() is not
+      consistent
+    + JDK-8293826: Closed test fails after JDK-8276108 on aarch64
+    + JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java
+      still fails when GC cycles are not happening
+    + JDK-8293834: Update CLDR data following tzdata 2022c update
+    + JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java
+      (still) assumes that GCs take 1ms minimum
+    + JDK-8293965: Code signing warnings after JDK-8293550
+    + JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr)
+      failed: must have PC
+    + JDK-8294307: ISO 4217 Amendment 173 Update
+    + JDK-8294310: compare.sh fails on macos after JDK-8293550
+    + JDK-8294357: (tz) Update Timezone Data to 2022d
+    + JDK-8294578: [PPC64] C2: Missing is_oop information when
+      using disjoint compressed oops mode
+    + JDK-8294740: Add cgroups keyword to TestDockerBasic.java
+    + JDK-8294837: unify Windows 2019 version check in os_windows
+      and java_props_md
+    + JDK-8294840: langtools OptionalDependencyTest.java use
+      File.pathSeparator
+    + JDK-8295173: (tz) Update Timezone Data to 2022e
+    + JDK-8295288: Some vm_flags tests associate with a wrong BugID
+    + JDK-8295405: Add cause in a couple of IllegalArgumentException
+      and InvalidParameterException shown by sun/security/pkcs11
+      tests
+    + JDK-8295412: support latest VS2022 MSC_VER in
+      abstract_vm_version.cpp
+    + JDK-8295419: JFR: Change name of jdk.JitRestart
+    + JDK-8295429: Update harfbuzz md file
+    + JDK-8295469: S390X: Optimized builds are broken
+    + JDK-8295554: Move the "sizecalc.h" to the correct location
+    + JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
+    + JDK-8295714: GHA ::set-output is deprecated and will be
+      removed
+    + JDK-8295723: security/infra/wycheproof/RunWycheproof.java
+      fails with Assertion Error
+    + JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr
+      check before frame constructor
+    + JDK-8295952: Problemlist existing compiler/rtm tests also on
+      x86
+    + JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails
+      intermittently on a VM
+    + JDK-8296108: (tz) Update Timezone Data to 2022f
+    + JDK-8296239: ISO 4217 Amendment 174 Update
+    + JDK-8296480: java/security/cert/pkix/policyChanges/
+      /TestPolicy.java is failing
+    + JDK-8296485: BuildEEBasicConstraints.java test fails with
+      SunCertPathBuilderException
+    + JDK-8296496: Overzealous check in sizecalc.h prevents large
+      memory allocation
+    + JDK-8296632: Write a test to verify the content change of
+      TextArea sends TextEvent
+    + JDK-8296715: CLDR v42 update for tzdata 2022f
+    + JDK-8296733: JFR: File Read event for
+      RandomAccessFile::write(byte[]) is incorrect
+    + JDK-8296945: PublicMethodsTest is slow due to dependency
+      verification with debug builds
+    + JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex
+      returns wrong value
+    + JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
+    + JDK-8296958: [JVMCI] add API for retrieving ConstantValue
+      attributes
+    + JDK-8296960: [JVMCI] list
+      HotSpotConstantPool.loadReferencedType to ConstantPool
+    + JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field
+      for ResolvedJavaMethod/ResolvedJavaField
+    + JDK-8296967: [JVMCI] rationalize relationship between
+      getCodeSize and getCode in ResolvedJavaMethod
+    + JDK-8297147: UnexpectedSourceImageSize test times out on slow
+      machines when fastdebug is used
+    + JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/
+      /OnScreenRenderingResizeTest.java fails again
+    + JDK-8297241: Update sun/java2d/DirectX/
+      /OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java
+    + JDK-8297309: Memory leak in ShenandoahFullGC
+    + JDK-8297481: Create a regression test for JDK-4424517
+    + JDK-8297530: java.lang.IllegalArgumentException: Negative
+      length on strings concatenation
+    + JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not
+      run
+    + JDK-8297656: AArch64: Enable AES/GCM Intrinsics
+    + JDK-8297804: (tz) Update Timezone Data to 2022g
+    + JDK-8299392: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6
+    + JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java
+      fails for hr_HR
+    + JDK-8299483: ProblemList java/text/Format/NumberFormat/
+      /CurrencyFormat.java
+- Modified patch:
+  * fips.patch
+    + update to newest level
+- Removed patch:
+  * fix_armv6_build.patch
+    + does not apply and at least a part of the fix is in this
+      version
+
+-------------------------------------------------------------------
+Thu Dec  8 13:19:26 UTC 2022 - Fridrich Strba 
+
+- Removed patch:
+  * system-crypto-policy.patch
+    + folded into the fips.patch, since they are patching the same
+      places
+- Modified patches:
+  * fips.patch
+    + revert to the version used with 17.0.4.0, since the newest
+      changes are buggy (bsc#1205916)
+    + fold in the system-crypto-policy.patch
+  * nss-security-provider.patch
+    + apply after the fips.patch and thus rediff the hunk to changed
+      context.
+
+-------------------------------------------------------------------
+Tue Nov  1 15:59:11 UTC 2022 - Javier Llorente 
+
+- Fix jconsole.desktop icon
+
+-------------------------------------------------------------------
+Fri Oct 21 11:36:52 UTC 2022 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.5+8 (October 2022 CPU)
+  * Security fixes
+    + JDK-8282252: Improve BigInteger/Decimal validation
+    + JDK-8285662: Better permission resolution
+    + JDK-8286077, CVE-2022-21618, bsc#1204468: Wider MultiByte
+      conversions
+    + JDK-8286511: Improve macro allocation
+    + JDK-8286519: Better memory handling
+    + JDK-8286526, CVE-2022-21619, bsc#1204473: Improve NTLM support
+    + JDK-8286910, CVE-2022-21624, bsc#1204475: Improve JNDI lookups
+    + JDK-8286918, CVE-2022-21628, bsc#1204472: Better HttpServer
+      service
+    + JDK-8287446: Enhance icon presentations
+    + JDK-8288508: Enhance ECDSA usage
+    + JDK-8289366, CVE-2022-39399, bsc#1204480: Improve HTTP/2
+      client usage
+    + JDK-8289853: Update HarfBuzz to 4.4.1
+    + JDK-8290334: Update FreeType to 2.12.1
+  * Other changes
+    + JDK-6782021: It is not possible to read local computer
+      certificates with the SunMSCAPI provider
+    + JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/
+      /SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14
+      & jdk7
+    + JDK-7131823: bug in GIFImageReader
+    + JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/
+      /bug4634626.java sometimes failed on ac
+    + JDK-8028265: Add legacy tz tests to OpenJDK
+    + JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/
+      /DropTargetEnterExitTest/MissedDragExitTest.java failed
+    + JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/
+      /RepaintTest.java fails
+    + JDK-8159694: HiDPI, Unity, java/awt/dnd/
+      /DropTargetEnterExitTest/MissedDragExitTest.java
+    + JDK-8169468: NoResizeEventOnDMChangeTest.java fails because
+      FS Window didn't receive all resizes!
+    + JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The
+      selected index should be "aad"
+    + JDK-8178969: [TESTBUG] Wrong reporting of
+      gc/g1/humongousObjects/TestHeapCounters test.
+    + JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips
+      testing for non-corner-case values
+    + JDK-8212096: javax/net/ssl/ServerName/
+      /SSLEngineExplorerMatchedSNI.java failed intermittently due to
+      SSLException: Tag mismatch
+    + JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/
+      /DrawString/LCDTextSrcEa.java has issues
+    + JDK-8225122: Test AncestorResized.java fails when Windows
+      desktop is scaled.
+    + JDK-8227651: Tests fail with SSLProtocolException: Input
+      record too big
+    + JDK-8240903: Add test to check that jmod hashes are
+      reproducible
+    + JDK-8254318: Remove .hgtags
+    + JDK-8255724: [XRender] the BlitRotateClippedArea test fails
+      on Linux in the XR pipeline
+    + JDK-8256844: Make NMT late-initializable
+    + JDK-8257534: misc tests failed with "NoClassDefFoundError:
+      Could not initialize class
+      java.util.concurrent.ThreadLocalRandom"
+    + JDK-8264666: Change implementation of safeAdd/safeMult in the
+      LCMSImageLayout class
+    + JDK-8264792: The NumberFormat for locale sq_XK formats price
+      incorrectly.
+    + JDK-8265360: several compiler/whitebox tests fail with
+      "private compiler.whitebox.SimpleTestCaseHelper(int) must be
+      compiled"
+    + JDK-8269039: Disable SHA-1 Signed JARs
+    + JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails
+      with RuntimeException 'JShellToolProvider' missing from
+      stdout/stderr
+    + JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over
+      projections
+    + JDK-8270312: Error: Not a test or directory containing tests:
+      java/awt/print/PrinterJob/XparColor.java
+    + JDK-8271078: jdk/incubator/vector/Float128VectorTests.java
+      failed a subtest
+    + JDK-8271344: Windows product version issue
+    + JDK-8272352: Java launcher can not parse Chinese character
+      when system locale is set to UTF-8
+    + JDK-8272417: ZGC: fastdebug build crashes when printing
+      ClassLoaderData
+    + JDK-8272736: [JVMCI] Add API for reading and writing JVMCI
+      thread locals
+    + JDK-8272815: jpackage --type rpm produces an error: Invalid
+      or unsupported type: [null]
+    + JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
+    + JDK-8273115: CountedLoopEndNode::stride_con crash in debug
+      build with -XX:+TraceLoopOpts
+    + JDK-8273506: java Robot API did the 'm' keypress and caused
+      /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out
+      on macOS 12
+    + JDK-8274434: move os::get_default_process_handle and
+      os::dll_lookup to os_posix for POSIX platforms
+    + JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java
+      fails with expected [true] but found [false]
+    + JDK-8274597: Some of the dnd tests time out and fail
+      intermittently
+    + JDK-8274856: Failing jpackage tests with fastdebug/release
+      build
+    + JDK-8275689: [TESTBUG] Use color tolerance only for XRender
+      in BlitRotateClippedArea test
+    + JDK-8275887: jarsigner prints invalid digest/signature
+      algorithm warnings if keysize is weak/disabled
+    + JDK-8276546: [IR Framework] Whitelist and ignore
+      CompileThreshold
+    + JDK-8276837: [macos]: Error when signing the additional
+      launcher
+    + JDK-8277429: Conflicting jpackage static library name
+    + JDK-8277493: [REDO] Quarantined jpackage apps are labeled as
+      "damaged"
+    + JDK-8278067: Make HttpURLConnection default keep alive
+      timeout configurable
+    + JDK-8278233: [macos] tools/jpackage tests timeout due to
+      /usr/bin/osascript
+    + JDK-8278311: Debian packaging doesn't work
+    + JDK-8278609: [macos] accessibility frame is misplaced on a
+      secondary monitor on macOS
+    + JDK-8278612: [macos] test/jdk/java/awt/dnd/
+      /RemoveDropTargetCrashTest crashes with VoiceOver on macOS
+    + JDK-8279032: compiler/loopopts/
+      /TestSkeletonPredicateNegation.java times out with
+      -XX:TieredStopAtLevel < 4
+    + JDK-8279370: jdk.jpackage/share/native/applauncher/
+      /JvmLauncher.cpp fails to build with GCC 6.3.0
+    + JDK-8279622: C2: miscompilation of map pattern as a vector
+      reduction
+    + JDK-8280233: Temporarily disable Unix domain sockets in
+      Windows PipeImpl
+    + JDK-8280550: SplittableRandom#nextDouble(double,double) can
+      return result >= bound
+    + JDK-8280696: C2 compilation hits assert(is_dominator(c,
+      n_ctrl)) failed
+    + JDK-8280863: Update build README to reflect that MSYS2 is
+      supported
+    + JDK-8280913: Create a regression test for
+      JRootPane.setDefaultButton() method
+    + JDK-8280944: Enable Unix domain sockets in Windows Selector
+      notification mechanism
+    + JDK-8280950: RandomGenerator:NextDouble() default behavior
+      non conformant after JDK-8280550 fix
+    + JDK-8281181: Do not use CPU Shares to compute active
+      processor count
+    + JDK-8281183: RandomGenerator:NextDouble() default behavior
+       partially fixed by JDK-8280950
+    + JDK-8281297: TestStressG1Humongous fails with
+      guarantee(is_range_uncommitted)
+    + JDK-8281535: Create a regression test for JDK-4670051
+    + JDK-8281569: Create tests for Frame.setMinimumSize() method
+    + JDK-8281628: KeyAgreement : generateSecret intermittently not
+      resetting
+    + JDK-8281738: Create a regression test for checking the
+      'Space' key activation of focused Button
+    + JDK-8281745: Create a regression test for JDK-4514331
+    + JDK-8281988: Create a regression test for JDK-4618767
+    + JDK-8282007: Assorted enhancements to jpackage testing
+      framework
+    + JDK-8282046: Create a regression test for JDK-8000326
+    + JDK-8282214: Upgrade JQuery to version 3.6.0
+    + JDK-8282234: Create a regression test for JDK-4532513
+    + JDK-8282280: Update Xerces to Version 2.12.2
+    + JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid
+      link access
+    + JDK-8282343: Create a regression test for JDK-4518432
+    + JDK-8282351: jpackage does not work if class file has `$$` in
+      the name on windows
+    + JDK-8282407: Missing ')' in MacResources.properties
+    + JDK-8282467: add extra diagnostics for JDK-8268184
+    + JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL,
+      "already walkable"); fails with async profiler
+    + JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+    + JDK-8282548: Create a regression test for JDK-4330998
+    + JDK-8282555: Missing memory edge when spilling MoveF2I,
+      MoveD2L etc
+    + JDK-8282640: Create a test for JDK-4740761
+    + JDK-8282778: Create a regression test for JDK-4699544
+    + JDK-8282789: Create a regression test for the JTree usecase
+      of JDK-4618767
+    + JDK-8282860: Write a regression test for JDK-4164779
+    + JDK-8282933: Create a test for JDK-4529616
+    + JDK-8282936: Write a regression test for JDK-4615365
+    + JDK-8282937: Write a regression test for JDK-4820080
+    + JDK-8282947: JFR: Dump on shutdown live-locks in some
+      conditions
+    + JDK-8283015: Create a test for JDK-4715496
+    + JDK-8283087: Create a test or JDK-4715503
+    + JDK-8283245: Create a test for JDK-4670319
+    + JDK-8283277: ISO 4217 Amendment 171 Update
+    + JDK-8283441: C2: segmentation fault in
+      ciMethodBlocks::make_block_at(int)
+    + JDK-8283457: [macos] libpng build failures with Xcode13.3
+    + JDK-8283493: Create an automated regression test for RFE
+      4231298
+    + JDK-8283507: Create a regression test for RFE 4287690
+    + JDK-8283562: JDK-8282306 breaks gtests on zero
+    + JDK-8283597: [REDO] Invalid generic signature for redefined
+      classes
+    + JDK-8283621: Write a regression test for CCC4400728
+    + JDK-8283623: Create an automated regression test for
+      JDK-4525475
+    + JDK-8283624: Create an automated regression test for
+      RFE-4390885
+    + JDK-8283712: Create a manual test framework class
+    + JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for
+      Oracle builds on Windows
+    + JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/
+      /PrinterJob/PrintGlyphVectorTest.java and fix test
+    + JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+    + JDK-8283903: GetContainerCpuLoad does not return the correct
+      result in share mode
+    + JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea'
+      for jdk-17.0.4
+    + JDK-8284014: Menu items with submenus in JPopupMenu are not
+      spoken on macOS
+    + JDK-8284067: jpackage'd launcher reports non-zero exit codes
+      with error prompt
+    + JDK-8284077: Create an automated test for JDK-4170173
+    + JDK-8284294: Create an automated regression test for RFE
+      4138746
+    + JDK-8284358: Unreachable loop is not removed from C2 IR,
+      leading to a broken graph
+    + JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
+    + JDK-8284521: Write an automated regression test for RFE
+      4371575
+    + JDK-8284535: Fix PrintLatinCJKTest.java test that is failing
+      with Parse Exception
+    + JDK-8284675: "jpackage.exe" creates application launcher
+      without Windows Application Manifest
+    + JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks
+      charset
+    + JDK-8284686: Interval of < 1 ms disables ExecutionSample
+      events
+    + JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
+    + JDK-8284883: JVM crash: guarantee(sect->end() <=
+      sect->limit()) failed: sanity on AVX512
+    + JDK-8284898: Enhance PassFailJFrame
+    + JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in
+      loop optimization
+    + JDK-8284950: CgroupV1 detection code should consider
+      memory.swappiness
+    + JDK-8284956: Potential leak awtImageData/color_data when
+      initializes X11GraphicsEnvironment
+    + JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile
+      fails when named value doesn't exist
+    + JDK-8285081: Improve XPath operators count accuracy
+    + JDK-8285097: Duplicate XML keys in XPATHErrorResources.java
+      and XSLTErrorResources.java
+    + JDK-8285301: C2: assert(!requires_atomic_access) failed:
+      can't ensure atomicity
+    + JDK-8285380: Fix typos in security
+    + JDK-8285398: Cache the results of constraint checks
+    + JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/
+      /PrintARGBImage.java manual test
+    + JDK-8285693: Create an automated test for JDK-4702199
+    + JDK-8285696: AlgorithmConstraints:permits not throwing
+      IllegalArgumentException when 'alg'  is null
+    + JDK-8285730: unify _WIN32_WINNT settings
+    + JDK-8285820: C2: LCM prioritizes locally dependent CreateEx
+      nodes over projections after 8270090
+    + JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle
+      offsets in MacroAssembler as 64-bit quantities
+    + JDK-8286114: [test] show real exception in bomb call in
+      sun/rmi/runtime/Log/checkLogging/CheckLogging.java
+    + JDK-8286122: [macos]: App bundle cannot upload to Mac App
+      Store due to info.plist embedded in java exe
+    + JDK-8286177: C2: "failed: non-reduction loop contains
+      reduction nodes" assert failure
+    + JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
+    + JDK-8286266: [macos] Voice over moving JTable column to be
+      the first column JVM crashes
+    + JDK-8286277: CDS VerifyError when calling clone() on object
+      array
+    + JDK-8286314: Trampoline not created for far runtime targets
+      outside small CodeCache
+    + JDK-8286429: jpackageapplauncher build fails intermittently
+      in Tier[45]
+    + JDK-8286573: Remove the unnecessary method
+      Attr#attribTopLevel and its usage
+    + JDK-8286582: Build fails on macos aarch64 when using
+      --with-zlib=bundled
+    + JDK-8286625: C2 fails with assert(!n->is_Store() &&
+      !n->is_LoadStore()) failed: no node with a side effect
+    + JDK-8286638: C2: CmpU needs to do more precise over/underflow
+      analysis
+    + JDK-8286869: unify os::dir_is_empty across posix platforms
+    + JDK-8286870: Memory leak with RepeatCompilation
+    + JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
+    + JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+    + JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits))
+      failed: Field too big for insn
+    + JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts
+      with freezer controller
+    + JDK-8287113: JFR: Periodic task thread uses period for method
+      sampling events
+    + JDK-8287125: [macos] Multiple jpackage tests fail/timeout on
+      same host
+    + JDK-8287202: GHA: Add macOS aarch64 to the list of default
+      platforms for workflow_dispatch event
+    + JDK-8287223: C1: Inlining attempt through MH::invokeBasic()
+      with null receiver
+    + JDK-8287366: Improve test failure reporting in GHA
+    + JDK-8287396: LIR_Opr::vreg_number() and data() can return
+      negative number
+    + JDK-8287432: C2: assert(tn->in(0) != __null) failed: must
+      have live top node
+    + JDK-8287463: JFR: Disable TestDevNull.java on Windows
+    + JDK-8287663: Add a regression test for JDK-8287073
+    + JDK-8287672: jtreg test com/sun/jndi/ldap/
+      /LdapPoolTimeoutTest.java fails intermittently in nightly run
+    + JDK-8287724: Fix various issues with msys2
+    + JDK-8287735: Provide separate event category for dll
+      operations
+    + JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer
+      controller) was incomplete
+    + JDK-8287824: The MTPerLineTransformValidation tests has a
+      typo in the @run tag
+    + JDK-8287895: Some langtools tests fail on msys2
+    + JDK-8287896: PropertiesTest.sh fail on msys2
+    + JDK-8287902: UnreadableRB case in MissingResourceCauseTest is
+      not working reliably on Windows
+    + JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
+    + JDK-8287917: System.loadLibrary does not work on Big Sur if
+      JDK is built with macOS SDK 10.15 and earlier
+    + JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails
+      with release VMs
+    + JDK-8288003: log events for os::dll_unload
+    + JDK-8288303: C1: Miscompilation due to broken
+      Class.getModifiers intrinsic
+    + JDK-8288360: CI: ciInstanceKlass::implementor() is not
+      consistent for well-known classes
+    + JDK-8288399: MacOS debug symbol files not always
+      deterministic in reproducible builds
+    + JDK-8288467: remove memory_operand assert for spilled
+      instructions
+    + JDK-8288499: Restore cancel-in-progress in GHA
+    + JDK-8288599: com/sun/management/OperatingSystemMXBean/
+      /TestTotalSwap.java: Expected total swap size ... but
+      getTotalSwapSpaceSize returned ...
+    + JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
+    + JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too
+      small
+    + JDK-8288985: P11TlsKeyMaterialGenerator should work with
+      ChaCha20-Poly1305
+    + JDK-8288992: AArch64: CMN should be handled the same way as
+      CMP
+    + JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE:
+      duplicated predicate failed which is impossible
+    + JDK-8289147: unify os::infinite_sleep on posix platforms
+    + JDK-8289197: [17u] Push of backport of 8286177 did not remove
+      assertion
+    + JDK-8289471: Issue in Initialization of keys in ErrorMsg.java
+      and XPATHErrorResources.java
+    + JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on
+      muslc
+    + JDK-8289486: Improve XSLT XPath operators count efficiency
+    + JDK-8289549: ISO 4217 Amendment 172 Update
+    + JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails
+      on Alpine/musl
+    + JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on
+      cgroups v2 and crun
+    + JDK-8289697: buffer overflow in MTLVertexCache.m:
+      MTLVertexCache_AddGlyphQuad
+    + JDK-8289799: Build warning in methodData.cpp memset
+      zero-length parameter
+    + JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime()
+      after JDK-8289060
+    + JDK-8289910: unify os::message_box across posix platforms
+    + JDK-8290000: Bump macOS GitHub actions to macOS 11
+    + JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr)
+      failed: must have PC
+    + JDK-8290020: Deadlock in leakprofiler::emit_events during
+      shutdown
+    + JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to
+      preserve vector registers
+    + JDK-8290246: test fails "assert(init != __null) failed:
+      initialization not found"
+    + JDK-8290417: CDS cannot archive lamda proxy with
+      useImplMethodHandle
+    + JDK-8290456: remove os::print_statistics()
+    + JDK-8291595: [17u] Delete files missed in backport of 8269039
+    + JDK-8291633: Build failures with GCC 11, Alpine 3 due to
+      incompatible casts from nullptr
+    + JDK-8292579: (tz) Update Timezone Data to 2022c
+    + JDK-8295056: [17u] Remove designator
+      DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
+- Modified patch:
+  * fips.patch
+    + sync with newest RedHat version
+
+-------------------------------------------------------------------
+Sat Sep 17 15:32:05 UTC 2022 - Fridrich Strba 
+
+- Package the JAVA_HOME/release files in *-headless package
+  * fixes boo#1203476
+
+-------------------------------------------------------------------
+Thu Jul 21 10:57:42 UTC 2022 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.4+8 (July 2022 CPU)
+  * Security fixes:
+    + JDK-8272243: Improve DER parsing
+    + JDK-8272249: Better properties of loaded Properties
+    + JDK-8277608: Address IP Addressing
+    + JDK-8281859, CVE-2022-21540, bsc#1201694: Improve class
+      compilation
+    + JDK-8281866, CVE-2022-21541, bsc#1201692: Enhance
+      MethodHandle invocations
+    + JDK-8283190: Improve MIDI processing
+    + JDK-8284370: Improve zlib usage
+    + JDK-8285407, CVE-2022-34169, bsc#1201684: Improve Xalan
+      supports
+  * Other fixes:
+    + JDK-8139173: [macosx] JInternalFrame shadow is not properly
+      drawn
+    + JDK-8181571: printing to CUPS fails on mac sandbox app
+    + JDK-8193682: Infinite loop in ZipOutputStream.close()
+    + JDK-8206187:javax/management/remote/mandatory/connection/
+      /DefaultAgentFilterTest.java fails with Port already in use
+    + JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh
+      to plain java test
+    + JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+    + JDK-8236136: tests which use CompilationMode shouldn't be run
+      w/ TieredStopAtLevel
+    + JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese
+      characters were garbled
+    + JDK-8249592: Robot.mouseMove moves cursor to incorrect
+      location when display scale varies and Java runs in DPI
+      Unaware mode
+    + JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/
+      /btree010.java fails with ClassNotFoundException:
+      nsk.sysdict.share.BTree0LLRLRLRRLR
+    + JDK-8255266: Update Public Suffix List to 3c213aa
+    + JDK-8256368: Avoid repeated upcalls into Java to re-resolve
+      MH/VH linkers/invokers
+    + JDK-8258814: Compilation logging crashes for thread
+      suspension / debugging tests
+    + JDK-8263461: jdk/jfr/event/gc/detailed/
+      /TestEvacuationFailedEvent.java uses wrong mechanism to cause
+      evacuation failure
+    + JDK-8263538: SharedArchiveConsistency.java should test
+      -Xshare:auto as well
+    + JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/
+      /suspendthrd003/TestDescription.java failed with
+      "agent_tools.cpp, 471: (foundThread = (jthread)
+      jni_env->NewGlobalRef(foundThread)) != NULL"
+    + JDK-8265261: java/nio/file/Files/InterruptCopy.java fails
+      with java.lang.RuntimeException: Copy was not interrupted
+    + JDK-8265317: [vector] assert(payload->is_object()) failed:
+      expected 'object' value for scalar-replaced boxed vector but
+      got: NULL
+    + JDK-8267163: Rename anonymous loader tests to hidden loader
+      tests
+    + JDK-8268231: Aarch64: Use Ldp in intrinsics for
+      String.compareTo
+    + JDK-8268558: [TESTBUG] Case 2 in
+      TestP11KeyFactoryGetRSAKeySpec is skipped
+    + JDK-8268595: java/io/Serializable/serialFilter/
+      /GlobalFilterTest.java#id1 failed in timeout
+    + JDK-8268773: Improvements related to: Failed to start thread
+      - pthread_create failed (EAGAIN)
+    + JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java
+      assumes that GCs take 1ms minimum
+    + JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large
+      pages subtest
+    + JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler
+      are failing for client VMs
+    + JDK-8269135: TestDifferentProtectionDomains runs into timeout
+      in client VM
+    + JDK-8269373: some tests in jdk/tools/launcher/ fails on
+      localized Windows platform
+    + JDK-8269753: Misplaced caret in PatternSyntaxException's
+      detail message
+    + JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo
+      incorrect verification of protocol and cipher support
+    + JDK-8270021: Incorrect log decorators in
+      gc/g1/plab/TestPLABEvacuationFailure.java
+    + JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
+    + JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed:
+      did not find too_many string in output
+    + JDK-8270468: TestRangeCheckEliminated fails because methods
+      are not compiled
+    + JDK-8270797: ShortECDSA.java test is not complete
+    + JDK-8270837: fix typos in test TestSigParse.java
+    + JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java
+      tests time out because of excessive GC (CodeCache GC
+      Threshold) in loom
+    + JDK-8271055: Crash during deoptimization with
+      "assert(bb->is_reachable()) failed: getting result from
+      unreachable basicblock" with -XX:+VerifyStack
+    + JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java
+      doesn't check exit code
+    + JDK-8271302: Regex Test Refresh
+    + JDK-8272146: Disable Fibonacci test on memory constrained
+      systems
+    + JDK-8272168: some hotspot runtime/logging tests don't check
+      exit code
+    + JDK-8272169: runtime/logging/LoaderConstraintsTest.java
+      doesn't build test.Empty
+    + JDK-8272358: Some tests may fail when executed with other
+      locales than the US
+    + JDK-8272493: Suboptimal code generation around
+      Preconditions.checkIndex intrinsic with AVX2
+    + JDK-8272908: Missing coverage for certain classes in
+      com.sun.org.apache.xml.internal.security
+    + JDK-8272964: java/nio/file/Files/InterruptCopy.java fails
+      with java.lang.RuntimeException: Copy was not interrupted
+    + JDK-8273056, CVE-2022-21549, bsc#1201685: java.util.random
+      does not correctly sample exponential or Gaussian
+      distributions
+    + JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/
+      /Test.java fails with "wrong OOME"
+    + JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect
+      frequency
+    + JDK-8273142: Remove dependancy of TestHttpServer,
+      HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/
+      /protocol/http/ tests
+    + JDK-8273169: java/util/regex/NegativeArraySize.java failed
+      after JDK-8271302
+    + JDK-8273804: Platform.isTieredSupported should handle the
+      no-compiler case
+    + JDK-8274172: Convert JavadocTester to use NIO
+    + JDK-8274233: Minor cleanup for ToolBox
+    + JDK-8274244: ReportOnImportedModuleAnnotation.java fails on
+      rerun
+    + JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on
+      slow machines
+    + JDK-8274687: JDWP deadlocks if some Java thread reaches wait
+      in blockOnDebuggerSuspend
+    + JDK-8274735: javax.imageio.IIOException: Unsupported Image
+      Type  while processing a valid JPEG image
+    + JDK-8274751: Drag And Drop hangs on Windows
+    + JDK-8274855: vectorapi tests failing with
+      assert(!vbox->is_Phi()) failed
+    + JDK-8274939: Incorrect size of the pixel storage is used by
+      the robot on macOS
+    + JDK-8274983: C1 optimizes the invocation of private interface
+      methods
+    + JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/
+      /btree011/btree011.java crashes with memory exhaustion on
+      Windows
+    + JDK-8275337: C1: assert(false) failed: live_in set of first
+      block must be empty
+    + JDK-8275638: GraphKit::combine_exception_states fails with
+      "matching stack sizes" assert
+    + JDK-8275745: Reproducible copyright headers
+    + JDK-8275830: C2: Receiver downcast is missing when inlining
+      through method handle linkers
+    + JDK-8275854: C2: assert(stride_con != 0) failed: missed some
+      peephole opt
+    + JDK-8276260: (se) Remove java/nio/channels/Selector/
+      /Wakeup.java from ProblemList (win)
+    + JDK-8276657: XSLT compiler tries to define a class with empty
+      name
+    + JDK-8276796: gc/TestSystemGC.java large pages subtest fails
+      with ZGC
+    + JDK-8276825: hotspot/runtime/SelectionResolution test errors
+    + JDK-8276863: Remove test/jdk/sun/security/ec/
+      /ECDSAJavaVerify.java
+    + JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir
+      as unnecessary
+    + JDK-8276990: Memory leak in invoker.c fillInvokeRequest()
+      during JDI operations
+    + JDK-8277055: Assert "missing inlining msg" with
+      -XX:+PrintIntrinsics
+    + JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+    + JDK-8277087: ZipException: zip END header not found at
+      ZipFile#Source.findEND
+    + JDK-8277165: jdeps --multi-release --print-module-deps fails
+      if module-info.class in different versioned directories
+    + JDK-8277166: Data race in jdeps VersionHelper
+    + JDK-8277123: jdeps does not report some exceptions correctly
+    + JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java,
+      frame is accessed from main thread
+    + JDK-8277422: tools/jar/JarEntryTime.java fails with modified
+      time mismatch
+    + JDK-8277893: Arraycopy stress tests
+    + JDK-8277906: Incorrect type for IV phi of long counted loops
+      after CCP
+    + JDK-8277922: Unable to click JCheckBox in JTable through Java
+      Access Bridge
+    + JDK-8278014: [vectorapi] Remove test run script
+    + JDK-8278065: Refactor subclassAudits to use ClassValue
+    + JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils
+      .parseIdFromSameDocumentURI throws
+      StringIndexOutOfBoundsException when calling substring method
+    + JDK-8278472: Invalid value set to CANDIDATEFORM structure
+    + JDK-8278519: serviceability/jvmti/FieldAccessWatch/
+      /FieldAccessWatch.java failed "assert(handle != __null)
+      failed: JNI handle should not be null"
+    + JDK-8278549: UNIX sun/font coding misses SUSE distro
+      detection on recent distro SUSE 15
+    + JDK-8278766: Enable OpenJDK build support for reproducible
+      jars and jmods using --date
+    + JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+    + JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
+    + JDK-8278851: Correct signer logic for jars signed with
+      multiple digestalgs
+    + JDK-8278948: compiler/vectorapi/reshape/
+      /TestVectorCastAVX1.java crashes in assembler
+    + JDK-8278966: two microbenchmarks tests fail
+      "assert(!jvms->method()->has_exception_handlers()) failed: no
+      exception handler expected" after JDK-8275638
+    + JDK-8279182: MakeZipReproducible ZipEntry timestamps not
+      localized to UTC
+    + JDK-8279219: [REDO] C2 crash when allocating array of size
+      too large
+    + JDK-8279227: Access Bridge: Wrong frame position and hit test
+      result on HiDPI display
+    + JDK-8279356: Method linking fails with
+      guarantee(mh->adapter() != NULL) failed: Adapter blob must
+      already exist!
+    + JDK-8279437: [JVMCI] exception in
+      HotSpotJVMCIRuntime.translate can exit the VM
+    + JDK-8279515: C1: No inlining through invokedynamic and
+      invokestatic call sites when resolved class is not linked
+    + JDK-8279520: SPNEGO has not passed channel binding info into
+      the underlying mechanism
+    + JDK-8279529: ProblemList java/nio/channels/DatagramChannel/
+      /ManySourcesAndTargets.java on macosx-aarch64
+    + JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/
+      /NoInvalidateSocketException.java
+    + JDK-8279560: AArch64:
+      generate_compare_long_string_same_encoding and
+      LARGE_LOOP_PREFETCH alignment
+    + JDK-8279586: [macos] custom JCheckBox and JRadioBox with
+      custom icon set: focus is still displayed after unchecking
+    + JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails
+      with -XX:TieredStopAtLevel=1 on machines with many cores
+    + JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+    + JDK-8279822: CI: Constant pool entries in error state are not
+      supported
+    + JDK-8279834: Alpine Linux fails to build when
+      --with-source-date enabled
+    + JDK-8279837: C2: assert(is_Loop()) failed: invalid node
+      class: Region
+    + JDK-8279842: HTTPS Channel Binding support for Java
+      GSS/Kerberos
+    + JDK-8279958: Provide configure hints for Alpine/apk package
+      managers
+    + JDK-8280004: DCmdArgument::parse_value() should handle
+      NULL input
+    + JDK-8280041: Retry loop issues in java.io.ClassCache
+    + JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during
+      IGVN
+    + JDK-8280401: [sspi] gss_accept_sec_context leaves
+      output_token uninitialized
+    + JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest
+      clang
+    + JDK-8280543: Update the "java" and "jcmd" tool specification
+      for CDS
+    + JDK-8280593: [PPC64, S390] redundant allocation of
+      MacroAssembler in StubGenerator ctor
+    + JDK-8280600: C2: assert(!had_error) failed: bad dominance
+    + JDK-8280684: JfrRecorderService failes with
+      guarantee(num_written > 0) when no space left on device.
+    + JDK-8280799: С2: assert(false) failed: cyclic dependency
+      prevents range check elimination
+    + JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD
+      CPUs
+    + JDK-8280901: MethodHandle::linkToNative stub is missing w/
+      -Xint
+    + JDK-8280940: gtest os.release_multi_mappings_vm is racy
+    + JDK-8280941: os::print_memory_mappings() prints segment
+      preceeding the inclusion range
+    + JDK-8280956: Re-examine copyright headers on files in
+      src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+    + JDK-8280964: [Linux aarch64] : drawImage dithers
+      TYPE_BYTE_INDEXED images incorrectly
+    + JDK-8281043: Intrinsify recursive ObjectMonitor locking for
+      PPC64
+    + JDK-8281168: Micro-optimize VarForm.getMemberName for
+      interpreter
+    + JDK-8281262: Windows builds in different directories are not
+      fully reproducible
+    + JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle
+      hidden classes correctly
+    + JDK-8281274: deal with ActiveProcessorCount in
+      os::Linux::print_container_info
+    + JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as
+      filepath separator in gc paths
+    + JDK-8281318: Improve jfr/event/allocation tests reliability
+    + JDK-8281338: NSAccessibilityPressAction action for tree node
+      and NSAccessibilityShowMenuAcgtion action not working
+    + JDK-8281450: Remove unnecessary operator new and delete from
+      ObjectMonitor
+    + JDK-8281522: Rename ADLC classes which have the same name as
+      hotspot variants
+    + JDK-8281544: assert(VM_Version::supports_avx512bw()) failed
+      for Tests jdk/incubator/vector/
+    + JDK-8281615: Deadlock caused by jdwp agent
+    + JDK-8281638: jfr/event/allocation tests fail with release VMs
+      after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+    + JDK-8281771: Crash in
+      java_lang_invoke_MethodType::print_signature
+    + JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after
+      JDK-8280799
+    + JDK-8281822: Test failures on non-DTrace builds due to
+      incomplete DTrace* flags handling
+    + JDK-8282008: Incorrect handling of quoted arguments in
+      ProcessBuilder
+    + JDK-8282045: When loop strip mining fails, safepoints are
+      removed from loop anyway
+    + JDK-8282142: [TestCase] compiler/inlining/
+      /ResolvedClassTest.java will fail when
+      --with-jvm-features=-compiler1
+    + JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
+    + JDK-8282172: CompileBroker::log_metaspace_failure is called
+      from non-Java/compiler threads
+    + JDK-8282225: GHA: Allow one concurrent run per PR only
+    + JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv
+      corrupts registers
+    + JDK-8282293: Domain value for system property
+      jdk.https.negotiate.cbt should be case-insensitive
+    + JDK-8282295: SymbolPropertyEntry::set_method_type fails with
+      assert
+    + JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic
+      on x86
+    + JDK-8282345: handle latest VS2022 in abstract_vm_version
+    + JDK-8282382: Report glibc malloc tunables in error reports
+    + JDK-8282422: JTable.print() failed with
+      UnsupportedCharsetException on AIX ko_KR locale
+    + JDK-8282444: Module finder incorrectly assumes default file
+      system path-separator character
+    + JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
+    + JDK-8282509: [exploded image] ResolvedClassTest fails with
+      similar output
+    + JDK-8282551: Properly initialize L32X64MixRandom state
+    + JDK-8282583: Update BCEL md to include the copyright notice
+    + JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() >
+      0) failed: Don't process dead nodes
+    + JDK-8282592: C2: assert(false) failed: graph should be
+      schedulable
+    + JDK-8282628: Potential memory leak in
+      sun.font.FontConfigManager.getFontConfig()
+    + JDK-8282874: Bad performance on gather/scatter API caused by
+      different IntSpecies of indexMap
+    + JDK-8282887: Potential memory leak in sun.util.locale.provider
+      .HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+    + JDK-8282929: Localized monetary symbols are not reflected in
+      'toLocalizedPattern' return value
+    + JDK-8283017: GHA: Workflows break with update release versions
+    + JDK-8283187: C2: loop candidate for superword not always
+      unrolled fully if superword fails
+    + JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in
+      fontpath.c
+    + JDK-8283249: CompressedClassPointers.java fails on ppc with
+      'Narrow klass shift: 0' missing
+    + JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+    + JDK-8283315: jrt-fs.jar not always deterministically built
+    + JDK-8283323: libharfbuzz optimization level results in
+      extreme build times
+    + JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is
+      shown when Screen magnifier is enabled
+    + JDK-8283350: (tz) Update Timezone Data to 2022a
+    + JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+    + JDK-8283422: Create a new test for JDK-8254790
+    + JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+    + JDK-8283469: Don't use memset to initialize members in
+      FileMapInfo and fix memory leak
+    + JDK-8283497: [windows] print TMP and TEMP in hs_err and
+      VM.info
+    + JDK-8283641: Large value for CompileThresholdScaling causes
+      assert
+    + JDK-8283725: Launching java with
+      "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the
+      JVM
+    + JDK-8283834: Unmappable character for US-ASCII encoding in
+      TestPredicateInputBelowLoopPredicate
+    + JDK-8284023: java.sun.awt.X11GraphicsDevice
+      .getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
+    + JDK-8284033: Leak XVisualInfo in getAllConfigs in
+      awt_GraphicsEnv.c
+    + JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+    + JDK-8284369: TestFailedAllocationBadGraph fails with
+      -XX:TieredStopAtLevel < 4
+    + JDK-8284389: Improve stability of GHA Pre-submit testing by
+      caching cygwin installer
+    + JDK-8284437: Building from different users/workspace is not
+      always deterministic
+    + JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+    + JDK-8284507: GHA: Only check test results if testing was not
+      skipped
+    + JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in
+      JFR leak profiler
+    + JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+    + JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+    + JDK-8284620: CodeBuffer may leak _overflow_arena
+    + JDK-8284622: Update versions of some Github Actions used in
+      JDK workflow
+    + JDK-8284661: Reproducible assembly builds without relative
+      linking
+    + JDK-8284754: print more interesting env variables in hs_err
+      and VM.info
+    + JDK-8284758: [linux] improve print_container_info
+    + JDK-8284848: C2: Compiler blackhole arguments should be
+      treated as globally escaping
+    + JDK-8284866: Add test to JDK-8273056
+    + JDK-8284884: Replace polling with waiting in
+      javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+    + JDK-8284992: Fix misleading Vector API doc for LSHR operator
+    + JDK-8285342: Zero build failure with clang due to values not
+      handled in switch
+    + JDK-8285394: Compiler blackholes can be eliminated due to
+      stale ciMethod::intrinsic_id()
+    + JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+    + JDK-8285445: cannot open file "NUL:"
+    + JDK-8285515: (dc) DatagramChannel.disconnect fails with
+      "Invalid argument" on macOS 12.4
+    + JDK-8285523: Improve test
+      java/io/FileOutputStream/OpenNUL.java
+    + JDK-8285686: Update FreeType to 2.12.0
+    + JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with
+      version from head
+    + JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with
+      version from head
+    + JDK-8285728: Alpine Linux build fails with busybox tar
+    + JDK-8285828: runtime/execstack/TestCheckJDK.java fails with
+      zipped debug symbols
+    + JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/
+      /AttachReturnError.java fails on Alpine
+    + JDK-8285956: (fs) Excessive default poll interval in
+      PollingWatchService
+    + JDK-8286013: Incorrect test configurations for
+      compiler/stable/TestStableShort.java
+    + JDK-8286029: Add classpath exemption to
+      globals_vectorApiSupport_***.S.inc
+    + JDK-8286198: [linux] Fix process-memory information
+    + JDK-8286293: Tests ShortResponseBody and
+      ShortResponseBodyWithRetry should use less resources
+    + JDK-8286444: javac errors after JDK-8251329 are not helpful
+      enough to find root cause
+    + JDK-8286594: (zipfs) Mention paths with dot elements in
+      ZipException and cleanups
+    + JDK-8286601: Mac Aarch: Excessive warnings to be ignored for
+      build jdk
+    + JDK-8286855: javac error on invalid jar should only print
+      filename
+    + JDK-8287109: Distrust.java failed with
+      CertificateExpiredException
+    + JDK-8287119: Add Distrust.java to ProblemList
+    + JDK-8287162: (zipfs) Performance regression related to
+      support for POSIX file permissions
+    + JDK-8287336: GHA: Workflows break on patch versions
+    + JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+    + JDK-8287378: GHA: Update cygwin to fix issues in langtools
+      tests on Windows
+- Removed patch:
+  * JDK-8282004.patch
+    + integrated upstream as JDK-8282231
+
+-------------------------------------------------------------------
+Wed Apr 20 13:50:24 UTC 2022 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.3+7 (April 2022 CPU)
+  * Security fixes:
+    + JDK-8284920: Incorrect Token type causes XPath expression to
+      return empty result
+    + JDK-8284548: Invalid XPath expression causes
+      StringIndexOutOfBoundsException
+    + JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
+    + JDK-8282397: createTempFile method of java.io.File is failing
+      when called with suffix of spaces character
+    + JDK-8278356: Improve file creation
+    + JDK-8270504, bsc#1198672, CVE-2022-21426: Better Xpath
+      expression handling
+    + JDK-8272588: Enhanced recording parsing
+    + JDK-8272594: Better record of recordings
+    + JDK-8277672, bsc#1198674, CVE-2022-21434: Better invocation
+      handler handling
+    + JDK-8282300: Throws NamingException instead of
+      InvalidNameException after JDK-8278972
+    + JDK-8278972, bsc#1198673, CVE-2022-21496: Improve URL supports
+    + JDK-8272261: Improve JFR recording file processing
+    + JDK-8269938: Enhance XML processing passes redux
+    + JDK-8272255: Completely handle MIDI files
+    + JDK-8278805: Enhance BMP image loading
+    + JDK-8278449: Improve keychain support
+    + JDK-8277227: Better identification of OIDs
+    + JDK-8275151, bsc#1198675, CVE-2022-21443: Improved Object
+      Identification
+    + JDK-8274221: More definite BER encodings
+    + JDK-8277233, bsc#1198670, CVE-2022-21449: Improve ECDSA
+      signature support
+    + JDK-8278798: Improve supported intrinsic
+  * Other changes:
+    + JDK-8282761: XPathFactoryImpl remove setProperty and
+      getProperty methods
+    + JDK-8277795: ldap connection timeout not honoured under
+      contention
+    + JDK-8276141: XPathFactory set/getProperty method
+    + JDK-8274471: Add support for RSASSA-PSS in OCSP Response
+    + JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on
+      AIX
+    + JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses
+      wrong condition
+    + JDK-8276841: Add support for Visual Studio 2022
+    + JDK-8272866: java.util.random package summary contains
+      incorrect mixing function in table
+    + JDK-8272996: JNDI DNS provider fails to resolve SRV entries
+      when IPV6 stack is enabled
+    + JDK-8278185: Custom JRE cannot find non-ASCII named module
+      inside
+    + JDK-8281460: Let ObjectMonitor have its own NMT category
+    + JDK-8278163: --with-cacerts-src variable resolved after
+      GenerateCacerts recipe setup
+    + JDK-8277383: VM.metaspace optionally show chunk freelist
+      details
+    + JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into
+      separate tests
+    + JDK-8277488: Add expiry exception for Digicert
+      (geotrustglobalca) expiring in May 2022
+    + JDK-8270117: Broken jtreg link in "Building the JDK" page
+    + JDK-8279695: [TESTBUG] modify compiler/loopopts/
+      /TestSkeletonPredicateNegation.java to run on C1 also
+    + JDK-8278080: Add --with-cacerts-src='user cacerts folder' to
+      enable deterministic cacerts generation
+    + JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
+    + JDK-8274524: SSLSocket.close() hangs if it is called during
+      the ssl handshake
+    + JDK-8278346: java/nio/file/Files/probeContentType/Basic.java
+      fails on Linux SLES15 machine
+    + JDK-8274171: java/nio/file/Files/probeContentType/Basic.java
+      failed on "Content type" mismatches
+    + JDK-8274562: (fs) UserDefinedFileAttributeView doesn't
+      correctly determine if supported when using OverlayFS
+    + JDK-8273655: content-types.properties files are missing some
+      common types
+    + JDK-8279385: [test]  Adjust sun/security/pkcs12/
+      /KeytoolOpensslInteropTest.java after 8278344
+    + JDK-8280373: Update Xalan serializer / SystemIDResolver to
+      align with JDK-8270492
+    + JDK-8272541: Incorrect overflow test in Toom-Cook branch of
+      BigInteger multiplication
+    + JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu
+      21.10
+    + JDK-8272600: (test) Use native "sleep" in Basic.java
+    + JDK-8271199: Mutual TLS handshake fails signing client
+      certificate with custom sensitive PKCS11 key
+    + JDK-8277299: STACK_OVERFLOW in
+      Java_sun_awt_shell_Win32ShellFolder2_getIconBits
+    + JDK-8281061: [s390] JFR runs into assertions while validating
+      interpreter frames
+    + JDK-8275330: C2:  assert(n->is_Root() || n->is_Region() ||
+      n->is_Phi() || n->is_MachMerge() ||
+      def_block->dominates(block)) failed: uses must be dominated by
+      definitions
+    + JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java
+      and NonGregorianFormatTest fail intermittently
+    + JDK-8274750: java/io/File/GetXSpace.java failed: '/dev':
+      191488 != 190976
+    + JDK-8273387: remove some unreferenced gtk-related functions
+    + JDK-8279702: [macosx] ignore xcodebuild warnings on M1
+    + JDK-8277180: Intrinsify recursive ObjectMonitor locking for
+      C2 x64 and A64
+    + JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails
+      with release VMs
+    + JDK-8275643: C2's unaryOp vector intrinsic does not properly
+      handle LongVector.neg
+    + JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop
+      detected" due to cmoving identity
+    + JDK-8275847: Scheduling fails with "too many D-U pinch
+      points" on small method
+    + JDK-8274944: AppCDS dump causes SEGV in VM thread while
+      adjusting lambda proxy class info
+    + JDK-8275874: [JVMCI] only support aligned reads in
+      c2v_readFieldValue
+    + JDK-8271506: Add ResourceHashtable support for deleting
+      selected entries
+    + JDK-8278381: [GCC 11] Address::make_raw() does not initialize
+      rspec
+    + JDK-8279124: VM does not handle SIGQUIT during initialization
+    + JDK-8277497: Last column cell in the JTable row is read as
+      empty cell
+    + JDK-8278604: SwingSet2 table demo does not have accessible
+      description set for images 8278526: [macos] Screen reader
+      reads SwingSet2 JTable row selection as null, dimmed row for
+      last column
+    + JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
+    + JDK-8280414: Memory leak in DefaultProxySelector
+    + JDK-8273381: Assert in
+      PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
+    + JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java
+      fails with Address already in use error
+    + JDK-8280155: [PPC64, s390] frame size checks are not yet
+      correct
+    + JDK-8279924: [PPC64, s390] implement
+      frame::is_interpreted_frame_valid checks
+    + JDK-8280526: x86_32 Math.sqrt performance regression with
+      -XX:UseSSE={0,1}
+    + JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
+    + JDK-8279445: Update JMH devkit to 1.34
+    + JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
+      8274935: dumptime_table has stale entry
+    + JDK-8251216: Implement MD5 intrinsics on AArch64
+    + JDK-8278241: Implement JVM SpinPause on linux-aarch64
+    + JDK-8275608: runtime/Metaspace/elastic/
+      /TestMetaspaceAllocationMT2 too slow
+    + JDK-8276057: Update JMH devkit to 1.33
+    + JDK-8275082, bsc#1198671, CVE-2022-21476: Update XML Security
+      for Java to 2.3.0
+    + JDK-8177814: jdk/editpad is not in jdk TEST.groups
+    + JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/
+      /TestDescription.java fails with "ERROR:
+      DebuggeeSleepingThread: ThreadDeath lost"
+    + JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
+    + JDK-8272553: several hotspot runtime/CommandLine tests don't
+      check exit code
+    + JDK-8275687: runtime/CommandLine/PrintTouchedMethods test
+      shouldn't catch RuntimeException
+    + JDK-8278344: sun/security/pkcs12/
+      /KeytoolOpensslInteropTest.java test fails because of
+      different openssl output
+    + JDK-8273972: Multi-core choke point in CMM engine
+      (LCMSTransform.doTransform)
+    + JDK-8273438: Enable parallelism in
+      vmTestbase/metaspace/stressHierarchy tests
+    + JDK-8278389: SuspendibleThreadSet::_suspend_all should be
+      volatile/atomic
+    + JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict
+      tests
+    + JDK-8277503: compiler/onSpinWait/
+      /TestOnSpinWaitAArch64DefaultFlags.java failed with
+      "OnSpinWaitInst with the expected value 'isb' not found."
+    + JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults
+      to "isb"/1 for Arm Neoverse N1
+    + JDK-8273341: Update Siphash to version 1.0
+    + JDK-8269032: Stringdedup tests are failing if the
+      ergonomically select GC does not support it
+    + JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
+    + JDK-8276766: Enable jar and jmod to produce deterministic
+      timestamped content 8279453: Disable tools/jar/
+      /ReproducibleJar.java on 32-bit platforms
+    + JDK-8279998: PPC64 debug builds fail with "untested:
+      RangeCheckStub: predicate_failed_trap_id"
+    + JDK-8280002: jmap -histo may leak stream
+    + JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip
+      Archive generation "reproducible"
+    + JDK-8279833: Loop optimization issue in
+      String.encodeUTF8_UTF16
+    + JDK-8273277: C2: Move conditional negation into rc_predicate
+    + JDK-8279412: [JVMCI] failed speculations list must outlive
+      any nmethod that refers to it
+    + JDK-8271202: C1: assert(false) failed: live_in set of first
+      block must be empty
+    + JDK-8263567: gtests don't terminate the VM safely
+    + JDK-8269206: A small typo in comment in
+      test/lib/sun/hotspot/WhiteBox.java
+    + JDK-8278309: [windows] use of uninitialized OSThread::_state
+    + JDK-8274506: TestPids.java and TestPidsLimit.java fail with
+      podman run as root
+    + JDK-8276764: Enable deterministic file content ordering for
+      Jar and Jmod
+    + JDK-8273967: gtest
+      os.dll_address_to_function_and_library_name_vm fails on
+      macOS12
+    + JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/
+      /bug6302464.java fails on macOS12
+    + JDK-8277846: Implement fast-path for ASCII-compatible
+      CharsetEncoders on ppc64
+    + JDK-8273526: Extend the OSContainer API  pids controller with
+      pids.current
+    + JDK-8269849: vmTestbase/gc/gctests/PhantomReference/
+      /phantom002/TestDescription.java failed with
+      "OutOfMemoryError: Java heap space: failed reallocation of
+      scalar replaced objects"
+    + JDK-8269087: CheckSegmentedCodeCache test fails in an
+      emulated-client VM
+    + JDK-8278871: [JVMCI] assert((uint)reason < 2*
+      _trap_hist_limit) failed: oob
+    + JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend
+      fun with loop
+    + JDK-8279505: Update documentation for RETRY_COUNT and
+      REPEAT_COUNT
+    + JDK-8225559: assertion error at TransTypes.visitApply
+    + JDK-8276654: element-list order is non deterministic
+    + JDK-8279300: [arm32] SIGILL when running
+      GetObjectSizeIntrinsicsTest
+    + JDK-8273682: Upgrade Jline to 3.20.0
+    + JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java
+      fails with release VMs after JDK-8262134
+    + JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed
+      with "guarantee(false) failed: wrong number of expression
+      stack elements during deopt"
+    + JDK-8269037: jsig/Testjsig.java doesn't have to be restricted
+      to linux only
+    + JDK-8269523: runtime/Safepoint/
+      /TestAbortOnVMOperationTimeout.java failed when expecting
+      'VM operation took too long'
+    + JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a
+      test
+    + JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
+    + JDK-8278384: Bytecodes::result_type() for arraylength returns
+      T_VOID instead of T_INT
+    + JDK-8278020: ~13% variation in Renaissance-Scrabble
+    + JDK-8279225: [arm32] C1 longs comparison operation destroys
+      argument registers
+    + JDK-8266490: Extend the OSContainer API to support the pids
+      controller of cgroups
+    + JDK-8279379: GHA: Print tests that are in error
+    + JDK-8278987: RunThese24H.java failed with
+      EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
+    + JDK-8278627: Shenandoah: TestHeapDump test failed
+    + JDK-8278824: Uneven work distribution when scanning heap
+      roots in G1
+    + JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/
+      /StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at
+      0x000000000000000d
+    + JDK-8277919: OldObjectSample event causing bloat in the class
+      constant pool in JFR recording
+    + JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java
+      fails with SIGSEGV in InstanceKlass::jni_id_for
+    + JDK-8278104: C1 should support the compiler directive
+      'BreakAtExecute'
+    + JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/
+      /bug6364882.java failures
+    + JDK-8273933: [TESTBUG] Test must run without preallocated
+      exceptions
+    + JDK-8278172: java/nio/channels/FileChannel/
+      /BlockDeviceSize.java should only run on Linux
+    + JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
+    + JDK-8273634: [TEST_BUG] Improve javax/swing/text/
+      /ParagraphView/6364882/bug6364882.java
+    + JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/
+      /6318524/bug6318524.java never fails
+    + JDK-8275326: C2: assert(no_dead_loop) failed: dead loop
+      detected
+    + JDK-8274130: C2: MulNode::Ideal chained transformations may
+      act on wrong nodes
+    + JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t
+      chunk size as size_t
+    + JDK-8276662: Scalability bottleneck in
+      SymbolTable::lookup_common()
+    + JDK-8275536: Add test to check that File::lastModified
+      returns same time stamp as Files.getLastModifiedTime
+    + JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails
+      due to wrong data size with TieredStopAtLevel=2,3
+    + JDK-8272167: AbsPathsInImage.java should skip *.dSYM
+      directories
+    + JDK-8270874: JFrame paint artifacts when dragged from
+      standard monitor to HiDPI monitor
+    + JDK-8275610: C2: Object field load floats above its null
+      check resulting in a segfault
+    + JDK-8278099: two sun/security/pkcs11/Signature tests failed
+      with AssertionError
+    + JDK-8276623: JDK-8275650 accidentally pushed "out" file
+    + JDK-8277328: jdk/jshell/CommandCompletionTest.java failures
+      on Windows
+    + JDK-8277441: CompileQueue::add fails with
+      assert(_last->next() == __null) failed: not last
+    + JDK-8274714: Incorrect verifier protected access error message
+    + JDK-8274658: ISO 4217 Amendment 170 Update
+    + JDK-8274795: AArch64: avoid spilling and restoring r18 in
+      macro assembler
+    + JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed:
+      must be in x86_32.ad
+    + JDK-8276314: [JVMCI] check alignment of call displacement
+      during code installation
+    + JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
+    + JDK-8276177: nsk/jvmti/RedefineClasses/
+      /StressRedefineWithoutBytecodeCorruption failed with
+      "assert(def_ik->is_being_redefined()) failed: should be
+      being redefined to get here"
+    + JDK-8275650: Problemlist java/io/File/createTempFile/
+      /SpecialTempFile.java for Windows 11
+    + JDK-8273704: DrawStringWithInfiniteXform.java failed:
+      drawString with InfiniteXform transform takes long time
+    + JDK-8273162: AbstractSplittableWithBrineGenerator does not
+      create a random salt
+    + JDK-8273351: bad tag in jdk.random module-info.java
+    + JDK-8247980: Exclusive execution of java/util/stream tests
+      slows down tier1
+    + JDK-8272327: Shenandoah: Avoid enqueuing duplicate string
+      candidates
+    + JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java
+      has duplicate -Xmx
+    + JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has
+      duplicate -Xmx
+    + JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
+    + JDK-8278016: Add compiler tests to tier{2,3}
+    + JDK-8277385: Zero: Enable CompactStrings support
+    + JDK-8275586: Zero: Simplify interpreter initialization
+    + JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
+- Do not include back the JavaEE modules in the JDK
+- Removed patches:
+  * activation-module.patch
+  * annotation-module.patch
+    + The pached JavaEE modules do not exist any more
+
+-------------------------------------------------------------------
+Fri Mar 25 19:48:14 UTC 2022 - Fridrich Strba 
+
+- Set a non-zero alternatives priority for Factory builds
+- Added patch:
+  * JDK-8282004.patch
+    + fix missing CALL effects on x86_32
+
+-------------------------------------------------------------------
+Mon Mar 21 20:25:50 UTC 2022 - Fridrich Strba 
+
+- Added patch:
+  * JDK-8282944.patch
+    + Upstream fix for JDK-8281944: JavaDoc throws
+      java.lang.IllegalStateException: ERRONEOUS
+
+-------------------------------------------------------------------
+Sun Mar 20 01:08:12 UTC 2022 - Fridrich Strba 
+
+- Modified patch:
+  * disable-doclint-by-default.patch
+    + try actually disable the doclint by default
+
+-------------------------------------------------------------------
+Fri Feb  4 07:07:23 UTC 2022 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.2+8 (January 2022 CPU)
+  * Security fixes
+    + JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if
+      zip has dir named "." inside
+    + JDK-8264934, CVE-2022-21248, bnc#1194926: Enhance cross VM
+      serialization
+    + JDK-8268488: More valuable DerValues
+    + JDK-8268494: Better inlining of inlined interfaces
+    + JDK-8268512: More content for ContentInfo
+    + JDK-8268813, CVE-2022-21283, bnc#1194937: Better String
+      matching
+    + JDK-8269151: Better construction of EncryptedPrivateKeyInfo
+    + JDK-8269944: Better HTTP transport redux
+    + JDK-8270386, CVE-2022-21291, bsc#1194925: Better verification
+      of scan methods
+    + JDK-8270392, CVE-2022-21293, bsc#1194935: Improve String
+      constructions
+    + JDK-8270416, CVE-2022-21294, bsc#1194934: Enhance construction
+      of Identity maps
+    + JDK-8270492, CVE-2022-21282, bsc#1194933: Better resolution of
+      URIs
+    + JDK-8270498, CVE-2022-21296, bsc#1194932: Improve SAX Parser
+      configuration management
+    + JDK-8270646, CVE-2022-21299, bsc#1194931: Improved scanning of
+      XML entities
+    + JDK-8270952, CVE-2022-21277, bsc#1194930: Improve TIFF file
+      handling
+    + JDK-8271962: Better TrueType font loading
+    + JDK-8271968: Better canonical naming
+    + JDK-8271987: Manifest improved manifest entries
+    + JDK-8272014, CVE-2022-21305, bsc#1194939: Better array
+      indexing
+    + JDK-8272026, CVE-2022-21340, bsc#1194940: Verify Jar
+      Verification
+    + JDK-8272236, CVE-2022-21341, bsc#1194941: Improve serial forms
+      for transport
+    + JDK-8272272: Enhance jcmd communication
+    + JDK-8272462: Enhance image handling
+    + JDK-8273290: Enhance sound handling
+    + JDK-8273756, CVE-2022-21360, bsc#1194929: Enhance BMP image
+      support
+    + JDK-8273838, CVE-2022-21365, bsc#1194928: Enhanced BMP
+      processing
+    + JDK-8274096, CVE-2022-21366, bsc#1194927: Improve decoding of
+      image files
+  * Other changes
+    + JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
+    + JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/
+      /4251579/bug4251579.java failure due to timing
+    + JDK-8140241: (fc) Data transfer from FileChannel to itself
+      causes hang in case of overlap
+    + JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java
+      fails intermittently
+    + JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes)
+      leads to a negative initial size for ByteArrayOutputStream
+    + JDK-8214761: Bug in parallel Kahan summation implementation
+    + JDK-8223923: C2: Missing interference with mismatched unsafe
+      accesses
+    + JDK-8233020: (fs) UnixFileSystemProvider should use
+      StaticProperty.userDir().
+    + JDK-8238649: Call new Win32 API SetThreadDescription in
+      os::set_native_thread_name
+    + JDK-8244675: assert(IncrementalInline ||
+      (_late_inlines.length() == 0 && !has_mh_late_inlines()))
+    + JDK-8261236: C2: ClhsdbJstackXcompStress test fails when
+      StressGCM is enabled
+    + JDK-8261579: AArch64: Support for weaker memory ordering in
+      Atomic
+    + JDK-8262031: Create implementation for
+      NSAccessibilityNavigableStaticText protocol
+    + JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot
+      invoke getThrownTypes because tree.meth.type is null
+    + JDK-8263059: security/infra/java/security/cert/
+      /CertPathValidator/certification/ComodoCA.java fails due to
+      revoked cert
+    + JDK-8263364: sun/net/www/http/KeepAliveStream/
+      /KeepAliveStreamCloseWithWrongContentLength.java wedged in
+      getInputStream
+    + JDK-8263375: Support stack watermarks in Zero VM
+    + JDK-8263773: Reenable German localization for builds at Oracle
+    + JDK-8264286: Create implementation for NSAccessibilityColumn
+      protocol peer
+    + JDK-8264287: Create implementation for
+      NSAccessibilityComboBox protocol peer
+    + JDK-8264291: Create implementation for NSAccessibilityCell
+      protocol peer
+    + JDK-8264292: Create implementation for NSAccessibilityList
+      protocol peer
+    + JDK-8264293: Create implementation for NSAccessibilityMenu
+      protocol peer
+    + JDK-8264294: Create implementation for NSAccessibilityMenuBar
+      protocol peer
+    + JDK-8264295: Create implementation for
+      NSAccessibilityMenuItem protocol peer
+    + JDK-8264296: Create implementation for
+      NSAccessibilityPopUpButton protocol peer
+    + JDK-8264297: Create implementation for
+      NSAccessibilityProgressIndicator protocol peer
+    + JDK-8264298: Create implementation for NSAccessibilityRow
+      protocol peer
+    + JDK-8264303: Create implementation for
+      NSAccessibilityTabGroup protocol peer
+    + JDK-8266239: Some duplicated javac command-line options have
+      repeated effect
+    + JDK-8266510: Nimbus JTree default tree cell renderer does not
+      use selected text color
+    + JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java
+      fails with Unexpected isMature state for multiple times
+      invoked method: expected false to equal true
+    + JDK-8267256: Extend minimal retry for loopback connections on
+      Windows to PlainSocketImpl
+    + JDK-8267385: Create NSAccessibilityElement implementation for
+      JavaComponentAccessibility
+    + JDK-8267387: Create implementation for NSAccessibilityOutline
+      protocol
+    + JDK-8267388: Create implementation for NSAccessibilityTable
+      protocol
+    + JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java
+      fails with "Exception: Failed to hide opaque button"
+    + JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
+    + JDK-8268361: Fix the infinite loop in next_line
+    + JDK-8268457: XML Transformer outputs Unicode supplementary
+      character incorrectly to HTML
+    + JDK-8268464: Remove dependancy of TestHttpsServer,
+      HttpTransaction, HttpCallback from
+      open/test/jdk/sun/net/www/protocol/https/ tests
+    + JDK-8268626: Remove native pre-jdk9 support for jtreg
+      failure handler
+    + JDK-8268860: Windows-Aarch64 build is failing in GitHub
+      actions
+    + JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n ||
+      n->is_Proj()) failed: No dead instructions after post-alloc
+    + JDK-8268885: duplicate checkcast when destination type is not
+      first type of intersection type
+    + JDK-8268893: jcmd to trim the glibc heap
+    + JDK-8268894: forged ASTs can provoke an AIOOBE at
+      com.sun.tools.javac.jvm.ClassWriter::writePosition
+    + JDK-8268927: Windows: link error: unresolved external symbol
+      "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
+    + JDK-8269031: linux x86_64 check for binutils 2.25 or higher
+      after 8265783
+    + JDK-8269113: Javac throws when compiling switch (null)
+    + JDK-8269216: Useless initialization in
+      com/sun/crypto/provider/PBES2Parameters.java
+    + JDK-8269269: [macos11] SystemIconTest fails with
+      ClassCastException
+    + JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
+    + JDK-8269481: SctpMultiChannel never releases own file
+      descriptor
+    + JDK-8269637: javax/swing/JFileChooser/FileSystemView/
+      /SystemIconTest.java fails on windows
+    + JDK-8269656: The test test/langtools/tools/javac/versions/
+      /Versions.java has duplicate test cycles
+    + JDK-8269687: pauth_aarch64.hpp include name is incorrect
+    + JDK-8269850: Most JDK releases report macOS version 12 as
+      10.16 instead of 12.0
+    + JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
+    + JDK-8269951: [macos] Focus not painted in JButton when
+      setBorderPainted(false) is invoked
+    + JDK-8270110: Shenandoah: Add test for JDK-8269661
+    + JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to
+      run in all LaFs, including Aqua on macOS
+    + JDK-8270171: Shenandoah: Cleanup TestStringDedup and
+      TestStringDedupStress tests
+    + JDK-8270290: NTLM authentication fails if HEAD request is used
+    + JDK-8270317: Large Allocation in CipherSuite
+    + JDK-8270320: JDK-8270110 committed invalid copyright headers
+    + JDK-8270517: Add Zero support for LoongArch
+    + JDK-8270533: AArch64: size_fits_all_mem_uses should return
+      false if its output is a CAS
+    + JDK-8270886: Crash in
+      PhaseIdealLoop::verify_strip_mined_scheduling
+    + JDK-8270893: IndexOutOfBoundsException while reading large
+      TIFF file
+    + JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
+    + JDK-8270946: X509CertImpl.getFingerprint should not return
+      the empty String
+    + JDK-8271071: accessibility of a table on macOS lacks cell
+      navigation
+    + JDK-8271121: ZGC: stack overflow (segv) when
+      -Xlog:gc+start=debug
+    + JDK-8271142: package help is not displayed for missing
+      X11/extensions/Xrandr.h
+    + JDK-8271170: Add unit test for what jpackage app launcher
+      puts in the environment
+    + JDK-8271215: Fix data races in G1PeriodicGCTask
+    + JDK-8271254: javac generates unreachable code when using
+      empty semicolon statement
+    + JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with
+      "lists don't have the same size expected"
+    + JDK-8271308: (fc) FileChannel.transferTo() transfers no more
+      than Integer.MAX_VALUE bytes in one call
+    + JDK-8271315: Redo: Nimbus JTree renderer properties persist
+      across L&F changes
+    + JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java
+      fails with -XX:TieredStopAtLevel=1
+    + JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
+    + JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck)
+      || outcnt() == 2 assert failure with Test7179138_1.java
+    + JDK-8271459: C2: Missing NegativeArraySizeException when
+      creating StringBuilder with negative capacity
+    + JDK-8271463: Updating RE Configs for Upcoming CPU Release
+      17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open
+      repos.
+    + JDK-8271490: [ppc] [s390]: Crash in
+      JavaThread::pd_get_top_frame_for_profiling
+    + JDK-8271560: sun/security/ssl/DHKeyExchange/
+      /LegacyDHEKeyExchange.java still fails due to "An established
+      connection was aborted by the software in your host machine"
+    + JDK-8271567: AArch64: AES Galois CounterMode (GCM)
+      interleaved implementation using vector instructions
+    + JDK-8271600: C2: CheckCastPP which should closely follow
+      Allocate is sunk of a loop
+    + JDK-8271605: Update JMH devkit to 1.32
+    + JDK-8271718: Crash when during color transformation the color
+      profile is replaced
+    + JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java
+      can fail if G1 Full GC uses >1 workers
+    + JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in
+      UnsafeIntrinsicsTest
+    + JDK-8271862: C2 intrinsic for Reference.refersTo() is often
+      not used
+    + JDK-8271868: Warn user when using mac-sign option with
+      unsigned app-image.
+    + JDK-8271895: UnProblemList
+      javax/swing/JComponent/7154030/bug7154030.java in JDK18
+    + JDK-8271954: C2: assert(false) failed: Bad graph detected in
+      build_loop_late
+    + JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java
+      failed with Unexpected transfer size: 2147418112
+    + JDK-8272095: ProblemList java/nio/channels/FileChannel/
+      /Transfer2GPlus.java on linux-aarch64
+    + JDK-8272114: Unused _last_state in osThread_windows
+    + JDK-8272170: Missing memory barrier when checking active
+      state for regions
+    + JDK-8272305: several hotspot runtime/modules don't check exit
+      codes
+    + JDK-8272318: Improve performance of HeapDumpAllTest
+    + JDK-8272328: java.library.path is not set properly by Windows
+      jpackage app launcher
+    + JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't
+      check exit codes
+    + JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/
+      /PageDialogMarginTest.java catches all exceptions
+    + JDK-8272345: macos doesn't check `os::set_boot_path()` result
+    + JDK-8272369: java/io/File/GetXSpace.java failed with
+      "RuntimeException: java.nio.file.NoSuchFileException:
+      /run/user/0"
+    + JDK-8272391: Undeleted debug information
+    + JDK-8272413: Incorrect num of element count calculation for
+      vector cast
+    + JDK-8272473: Parsing epoch seconds at a DST transition with a
+      non-UTC parser is wrong
+    + JDK-8272562: C2: assert(false) failed: Bad graph detected in
+      build_loop_late
+    + JDK-8272570: C2: crash in PhaseCFG::global_code_motion
+    + JDK-8272574: C2: assert(false) failed: Bad graph detected in
+      build_loop_late
+    + JDK-8272639: jpackaged applications using microphone on mac
+    + JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
+    + JDK-8272720: Fix the implementation of loop unrolling
+      heuristic with LoopPercentProfileLimit
+    + JDK-8272783: Epsilon: Refactor tests to improve performance
+    + JDK-8272836: Limit run time for java/lang/invoke/LFCaching
+      tests
+    + JDK-8272838: Move CriticalJNI tests out of tier1
+    + JDK-8272846: Move some runtime/Metaspace/elastic/ tests out
+      of tier1
+    + JDK-8272850: Drop zapping values in the Zap* option
+      descriptions
+    + JDK-8272854: split
+      runtime/CommandLine/PrintTouchedMethods.java test
+    + JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
+    + JDK-8272859: Javadoc external links should only have feature
+      version number in URL
+    + JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test
+      groups
+    + JDK-8272970: Parallelize runtime/InvocationTests/
+    + JDK-8272973: Incorrect compile command used by
+      TestIllegalArrayCopyBeforeInfiniteLoop
+    + JDK-8273021: C2: Improve Add and Xor ideal optimizations
+    + JDK-8273026: Slow LoginContext.login() on multi threading
+      application
+    + JDK-8273135: java/awt/color/ICC_ColorSpace/
+      /MTTransformReplacedProfile.java crashes in liblcms.dylib
+      with NULLSeek+0x7
+    + JDK-8273165: GraphKit::combine_exception_states fails with
+      "matching stack sizes" assert
+    + JDK-8273176: handle latest VS2019 in abstract_vm_version
+    + JDK-8273229: Update OS detection code to recognize Windows
+      Server 2022
+    + JDK-8273234: extended 'for' with expression of type tvar
+      causes the compiler to crash
+    + JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on
+      Windows 32bit
+    + JDK-8273278: Support XSLT on GraalVM Native
+      Image--deterministic bytecode generation in XSLT
+    + JDK-8273308: PatternMatchTest.java fails on CI
+    + JDK-8273314: Add tier4 test groups
+    + JDK-8273315: Parallelize and increase timeouts for
+      java/foreign/TestMatrix.java test
+    + JDK-8273318: Some containers/docker/TestJFREvents.java
+      configs are running out of memory
+    + JDK-8273333: Zero should warn about unimplemented
+      -XX:+LogTouchedMethods
+    + JDK-8273335: compiler/blackhole tests should not run with
+      interpreter-only VMs
+    + JDK-8273342: Null pointer dereference in
+      classFileParser.cpp:2817
+    + JDK-8273359: CI: ciInstanceKlass::get_canonical_holder()
+      doesn't respect instance size
+    + JDK-8273361: InfoOptsTest is failing in tier1
+    + JDK-8273373: Zero: Cannot invoke JVM in primordial threads on
+      Zero
+    + JDK-8273375: Remove redundant 'new String' calls after
+      concatenation in java.desktop
+    + JDK-8273376: Zero: Disable vtable/itableStub gtests
+    + JDK-8273378: Shenandoah: Remove the remaining uses of
+      os::is_MP
+    + JDK-8273408: java.lang.AssertionError: typeSig ERROR on
+      generated class property of record
+    + JDK-8273416: C2: assert(false) failed: bad AD file after
+      JDK-8252372 with UseSSE={0,1}
+    + JDK-8273440: Zero: Disable
+      runtime/Unsafe/InternalErrorTest.java
+    + JDK-8273450: Fix the copyright header of SVML files
+    + JDK-8273451: Remove unreachable return in  mutexLocker::wait
+    + JDK-8273483: Zero: Clear pending JNI exception check in
+      native method handler
+    + JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM
+      option
+    + JDK-8273487: Zero: Handle "zero" variant in runtime tests
+    + JDK-8273489: Zero: Handle UseHeavyMonitors on all
+      monitorenter paths
+    + JDK-8273498: compiler/c2/Test7179138_1.java timed out
+    + JDK-8273505: runtime/cds/appcds/loaderConstraints/
+      /DynamicLoaderConstraintsTest.java#default-cl crashed with
+      SIGSEGV in MetaspaceShared::link_shared_classes
+    + JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java
+      failure
+    + JDK-8273575: memory leak in appendBootClassPath(), paths must
+      be deallocated
+    + JDK-8273592: Backout JDK-8271868
+    + JDK-8273593: [REDO] Warn user when using mac-sign option with
+      unsigned app-image.
+    + JDK-8273595: tools/jpackage tests do not work on apt-based
+      Linux distros like Debian
+    + JDK-8273606: Zero: SPARC64 build fails with si_band type
+      mismatch
+    + JDK-8273614: Shenandoah: intermittent  timeout with
+      ConcurrentGCBreakpoint tests
+    + JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails
+      in GTK L&F
+    + JDK-8273646: Add openssl from path variable also in to
+      Default System Openssl Path in OpensslArtifactFetcher
+    + JDK-8273678: TableAccessibility and TableRowAccessibility
+      miss autorelease
+    + JDK-8273695: Safepoint deadlock on VMOperation_lock
+    + JDK-8273790: Potential cyclic dependencies between Gregorian
+      and CalendarSystem
+    + JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should
+      test for CPU feature explicitly
+    + JDK-8273807: Zero: Drop incorrect test block from
+      compiler/startup/NumCompilerThreadsCheck.java
+    + JDK-8273808: Cleanup AddFontsToX11FontPath
+    + JDK-8273826: Correct Manifest file name and NPE checks
+    + JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/
+      /MTTransformReplacedProfile.java timed out
+    + JDK-8273894: ConcurrentModificationException raised every
+      time ReferralsCache drops referral
+    + JDK-8273902: Memory leak in OopStorage due to bug in
+      OopHandle::release()
+    + JDK-8273924: ArrayIndexOutOfBoundsException thrown in
+      java.util.JapaneseImperialCalendar.add()
+    + JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE
+      instead of returning null when view not supported
+    + JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests
+      in debug builds
+    + JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file
+      path contains '+' character
+    + JDK-8273965: some testlibrary_tests/ir_framework tests fail
+      when c1 disabled
+    + JDK-8273968: JCK javax_xml tests fail in CI
+    + JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
+    + JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
+    + JDK-8274083: Update testing docs to mention tiered testing
+    + JDK-8274087: Windows DLL path not set correctly.
+    + JDK-8274145: C2: condition incorrectly made redundant with
+      dominating main loop exit condition
+    + JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from
+      KDC
+    + JDK-8274215: Remove globalsignr2ca root from 17.0.2
+    + JDK-8274242: Implement fast-path for ASCII-compatible
+      CharsetEncoders on x86
+    + JDK-8274265: Suspicious string concatenation in
+      logTestUtils.inline.hpp
+    + JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork
+      is deprecated
+    + JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows
+      after JDK-8234160
+    + JDK-8274326: [macos] Ensure initialisation of sun/lwawt/
+      /macosx/CAccessibility in JavaComponentAccessibility.m
+    + JDK-8274329: Fix non-portable HotSpot code in
+      MethodMatcher::parse_method_pattern
+    + JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed
+      "assert(m != __null) failed: NULL mirror"
+    + JDK-8274347: Passing a *nested* switch expression as a
+      parameter causes an NPE during compile
+    + JDK-8274349: ForkJoinPool.commonPool() does not work with 1
+      CPU
+    + JDK-8274381: missing CAccessibility definitions in JNI code
+    + JDK-8274383: JNI call of getAccessibleSelection on a wrong
+      thread
+    + JDK-8274401: C2: GraphKit::load_array_element bypasses Access
+      API
+    + JDK-8274406: RunThese30M.java failed
+      "assert(!LCA_orig->dominates(pred_block) ||
+      early->dominates(pred_block)) failed: early is high enough"
+    + JDK-8274407: (tz) Update Timezone Data to 2021c
+    + JDK-8274435: EXCEPTION_ACCESS_VIOLATION in
+      BFSClosure::closure_impl
+    + JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
+    + JDK-8274468: TimeZoneTest.java fails with tzdata2021b
+    + JDK-8274501: c2i entry barriers read int as long on AArch64
+    + JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java
+      fails when other GC is selected
+    + JDK-8274522: java/lang/management/ManagementFactory/
+      /MXBeanException.java test fails with Shenandoah
+    + JDK-8274523: java/lang/management/MemoryMXBean/
+      /MemoryTest.java test should handle Shenandoah
+    + JDK-8274550: c2i entry barriers read int as long on PPC
+    + JDK-8274560: JFR: Add test for OldObjectSample event when
+      using Shenandoah
+    + JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/
+      /SurrogateTest.java test
+    + JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with
+      NoSuchElementException after JDK-8271287
+    + JDK-8274716: JDWP Spec: the description for the Dispose
+      command confuses suspend with resume.
+    + JDK-8274736: Concurrent read/close of SSLSockets causes
+      SSLSessions to be invalidated unnecessarily
+    + JDK-8274770: [PPC64] resolve_jobject needs a generic
+      implementation to support load barriers
+    + JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently
+      fails on weak memory model platform
+    + JDK-8274779: HttpURLConnection: HttpClient and HttpsClient
+      incorrectly check request method when set to POST
+    + JDK-8274840: Update OS detection code to recognize Windows 11
+    + JDK-8274848: LambdaMetaFactory::metafactory on
+      REF_invokeSpecial impl method has incorrect behavior
+    + JDK-8274851: [ppc64] Port zgc to linux on ppc64le
+    + JDK-8274942: AssertionError at
+      jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
+    + JDK-8275008: gtest build failure due to stringop-overflow
+      warning with gcc11
+    + JDK-8275049: [ZGC] missing null check in
+      ZNMethod::log_register
+    + JDK-8275051: Shenandoah: Correct ordering of requested gc
+      cause and gc request flag
+    + JDK-8275071: [macos] A11y cursor gets stuck when combobox is
+      closed
+    + JDK-8275104: IR framework does not handle client VM builds
+      correctly
+    + JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on
+      master branch for jdk17u-cpu and jdk17u-cpu-open repos.
+    + JDK-8275131: Exceptions after a touchpad gesture on macOS
+    + JDK-8275141: recover corrupted line endings for the
+      version-numbers.conf
+    + JDK-8275145: file.encoding system property has an incorrect
+      value on Windows
+    + JDK-8275226: Shenandoah: Relax memory constraint for worker
+      claiming tasks/ranges
+    + JDK-8275302: unexpected compiler error: cast, intersection
+      types and sealed
+    + JDK-8275426: PretouchTask num_chunks calculation can overflow
+    + JDK-8275604: Zero: Reformat opclabels_data
+    + JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java
+      shouldn't have vm.flagless
+    + JDK-8275703: System.loadLibrary fails on Big Sur for
+      libraries hidden from filesystem
+    + JDK-8275720: CommonComponentAccessibility.createWithParent
+      isWrapped causes mem leak
+    + JDK-8275766: (tz) Update Timezone Data to 2021e
+    + JDK-8275809: crash in [CommonComponentAccessibility
+      getCAccessible:withEnv:]
+    + JDK-8275811: Incorrect instance to dispose
+    + JDK-8275819: [TableRowAccessibility accessibilityChildren]
+      method is ineffective
+    + JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
+    + JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte
+      encodings
+    + JDK-8275872: Sync J2DBench run and analyze Makefile targets
+      with build.xml
+    + JDK-8276025: Hotspot's libsvml.so may conflict with user
+      dependency
+    + JDK-8276066: Reset LoopPercentProfileLimit for x86 due to
+      suboptimal performance
+    + JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
+    + JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle
+      rounding correctly
+    + JDK-8276112: Inconsistent scalar replacement debug info at
+      safepoints
+    + JDK-8276122: Change openjdk project in jcheck to jdk-updates
+    + JDK-8276130: Fix Github Actions of JDK17u to account for
+      update version scheme
+    + JDK-8276139: TestJpsHostName.java not reliable, better to
+      expand HostIdentifierCreate.java test
+    + JDK-8276157: C2: Compiler stack overflow during escape
+      analysis on Linux x86_32
+    + JDK-8276201: Shenandoah: Race results degenerated GC to enter
+      wrong entry point
+    + JDK-8276205: Shenandoah: CodeCache_lock should always be held
+      for initializing code cache iteration
+    + JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails
+      intermittently on storage acquisition
+    + JDK-8276536: Update TimeZoneNames files to follow the changes
+      made by JDK-8275766
+    + JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
+    + JDK-8276572: Fake libsyslookup.so library causes tooling
+      issues
+    + JDK-8276774: Cookie stored in CookieHandler not sent if user
+      headers contain cookie
+    + JDK-8276801: gc/stress/CriticalNativeStress.java fails
+      intermittently with Shenandoah
+    + JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java
+      fails due to disabled SecurityManager
+    + JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java
+      fails on x86_32
+    + JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
+    + JDK-8276854: Windows GHA builds fail due to broken Cygwin
+    + JDK-8276864: Update boot JDKs to 17.0.1 in GHA
+    + JDK-8276905: Use appropriate macosx_version_minimum value
+      while compiling metal shaders
+    + JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
+    + JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify
+      output array sizes
+    + JDK-8277093: Vector should throw ClassNotFoundException for a
+      missing class of an element
+    + JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by
+      ignoring /run/user/* mount points
+    + JDK-8277195: missing CAccessibility definition in
+      [CommonComponentAccessibility accessibilityHitTest]
+    + JDK-8277212: GC accidentally cleans valid megamorphic vtable
+      inline caches
+    + JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString()
+      throws NPE
+    + JDK-8277529: SIGSEGV in C2 CompilerThread
+      Node::rematerialize() compiling Packet::readUnsignedTrint
+    + JDK-8277981: String Deduplication table is never cleaned up
+      due to bad dead_factor_for_cleanup
+- Modified patch:
+  * fips.patch
+    + Rediff to changed context
+
+-------------------------------------------------------------------
+Fri Nov  5 16:52:14 UTC 2021 - Fridrich Strba 
+
+- Modified patch:
+  * fips.patch
+    + return in native code after generating java.io.IOException
+
+-------------------------------------------------------------------
+Thu Nov  4 07:44:09 UTC 2021 - Fridrich Strba 
+
+- Modified patches:
+  * PStack-808293.patch
+  * adlc-parser.patch
+  * alternative-tzdb_dat.patch
+  * disable-doclint-by-default.patch
+  * java-atk-wrapper-security.patch
+  * jaw-jdk10.patch
+  * jaw-misc.patch
+  * loadAssistiveTechnologies.patch
+  * memory-limits.patch
+  * multiple-pkcs11-library-init.patch
+  * ppc_stack_overflow_fix.patch
+  * system-crypto-policy.patch
+  * system-pcsclite.patch
+  * zero-ranges.patch
+    + Rediff to apply all hunks without shifts
+  * fips.patch
+    + Fix unused function compiler warning found in systemconf.c
+    + Allow plain key import
+
+-------------------------------------------------------------------
+Fri Oct 22 05:58:29 UTC 2021 - Fridrich Strba 
+
+- Update to upstream tag jdk-17.0.1+12 (October 2021 CPU)
+  * Security fixes
+    + JDK-8263314: Enhance XML Dsig modes
+    + JDK-8265167, CVE-2021-35556, bsc#1191910: Richer Text Editors
+    + JDK-8265574: Improve handling of sheets
+    + JDK-8265580, CVE-2021-35559, bsc#1191911: Enhanced style for
+      RTF kit
+    + JDK-8265776: Improve Stream handling for SSL
+    + JDK-8266097, CVE-2021-35561, bsc#1191912: Better hashing
+      support
+    + JDK-8266103: Better specified spec values
+    + JDK-8266109: More Resilient Classloading
+    + JDK-8266115: More Manifest Jar Loading
+    + JDK-8266137, CVE-2021-35564, bsc#1191913: Improve Keystore
+      integrity
+    + JDK-8266689, CVE-2021-35567, bsc#1191903: More Constrained
+      Delegation
+    + JDK-8267086: ArrayIndexOutOfBoundsException in
+      java.security.KeyFactory.generatePublic
+    + JDK-8267712: Better LDAP reference processing
+    + JDK-8267729, CVE-2021-35578, bsc#1191904: Improve TLS client
+      handshaking
+    + JDK-8267735, CVE-2021-35586, bsc#1191914: Better BMP support
+    + JDK-8268199: Correct certificate requests
+    + JDK-8268205: Enhance DTLS client handshake
+    + JDK-8268506: More Manifest Digests
+    + JDK-8269618, CVE-2021-35603, bsc#1191906: Better session
+      identification
+    + JDK-8269624: Enhance method selection support
+    + JDK-8270398: Enhance canonicalization
+    + JDK-8270404: Better canonicalization
+  * Other changes:
+    + JDK-8225082: Remove IdenTrust certificate that is expiring in
+      September 2021
+    + JDK-8225083: Remove Google certificate that is expiring in
+      December 2021
+    + JDK-8243543: jtreg test security/infra/java/security/cert/
+      /CertPathValidator/certification/BuypassCA.java fails
+    + JDK-8248899: security/infra/java/security/cert/
+      /CertPathValidator/certification/QuoVadisCA.java fails,
+      Certificate has been revoked
+    + JDK-8261088: Repeatable annotations without @Target cannot
+      have containers that target module declarations
+    + JDK-8262731: [macOS] Exception from "Printable.print" is
+      swallowed during "PrinterJob.print"
+    + JDK-8263531: Remove unused buffer int
+    + JDK-8266182: Automate manual steps listed in the test
+      jdk/sun/security/pkcs12/ParamsTest.java
+    + JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
+    + JDK-8267666: Add option to jcmd GC.heap_dump to use existing
+      file
+    + JDK-8268019: C2: assert(no_dead_loop) failed: dead loop
+      detected
+    + JDK-8268261: C2: assert(n != __null) failed: Bad immediate
+      dominator info.
+    + JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm
+      performance
+    + JDK-8268500: Better specified ParameterSpecs
+    + JDK-8268963: [IR Framework] Some default regexes matching on
+      PrintOptoAssembly in IRNode.java do not work on all platforms
+    + JDK-8269297: Bump version numbers for JDK 17.0.1
+    + JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should
+      be more resilient
+    + JDK-8269574: C2: Avoid redundant uncommon traps in
+      GraphKit::builtin_throw() for JVMTI exception events
+    + JDK-8269763: The JEditorPane is blank after JDK-8265167
+    + JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports
+      incorrect process cpu usage in containers
+    + JDK-8269882: stack-use-after-scope in NewObjectA
+    + JDK-8269897: Shenandoah: Resolve UNKNOWN access strength,
+      where possible
+    + JDK-8269934: RunThese24H.java failed with
+      EXCEPTION_ACCESS_VIOLATION in
+      java_lang_Thread::get_thread_status
+    + JDK-8269993: [Test]: java/net/httpclient/
+      /DigestEchoClientSSL.java contains redundant @run tags
+    + JDK-8270094: Shenandoah: Provide human-readable labels for
+      test configurations
+    + JDK-8270096: Shenandoah: Optimize
+      gc/shenandoah/TestRefprocSanity.java for interpreter mode
+    + JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails
+      with "Guard against surprises" assert
+    + JDK-8270137: Kerberos Credential Retrieval from Cache not
+      Working in Cross-Realm Setup
+    + JDK-8270280: security/infra/java/security/cert/
+      /CertPathValidator/certification/LetsEncryptCA.java OCSP
+      response error
+    + JDK-8270344: Session resumption errors
+    + JDK-8271203: C2: assert(iff->Opcode() == Op_If ||
+      iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() ==
+      Op_RangeCheck) failed: Check this code when new subtype is
+      added
+    + JDK-8271276: C2: Wrong JVM state used for receiver null check
+    + JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
+    + JDK-8271589: fatal error with variable shift count integer
+      rotate operation.
+    + JDK-8271723: Unproblemlist
+      runtime/InvocationTests/invokevirtualTests.java
+    + JDK-8271730: Client authentication using RSASSA-PSS fails
+      after correct certificate requests
+    + JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load
+      barrier
+    + JDK-8272124: Cgroup v1 initialization causes
+      NullPointerException when cgroup path contains colon
+    + JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash
+      when clone null CallProjections.fallthrough_ioproj
+    + JDK-8272326: java/util/Random/RandomTestMoments.java had two
+      Gaussian fails
+    + JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz
+      after JDK-8255790
+    + JDK-8272472: StackGuardPages test doesn't build with glibc
+      2.34
+    + JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh
+      fails after JDK-8266182
+    + JDK-8272602: [macos] not all KEY_PRESSED events sent when
+      control modifier is used
+    + JDK-8272700: [macos] Build failure with Xcode 13.0 after
+      JDK-8264848
+    + JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/
+       /security/cert/CertPathValidator/certification/BuypassCA.java
+       no longer needs ocspEnabled
+    + JDK-8272806: [macOS] "Apple AWT Internal Exception" when
+      input method is changed
+    + JDK-8273150: Revert "8225083: Remove Google certificate that
+      is expiring in December 2021"
+    + JDK-8273358: macOS Monterey does not have the font Times
+      needed by Serif
+- Remove the unneeded icedtea-sound provider
+- Removed patches:
+  * icedtea-sound-1.0.1-jdk9.patch
+  * icedtea-sound-soundproperties.patch
+    + not needed since the icedtea-sound provider is removed
+  * harfbuzz-libs.patch
+  * openjdk-glibc234.patch
+    + integrated upstream
+
+-------------------------------------------------------------------
+Mon Sep 20 06:41:11 UTC 2021 - Fridrich Strba 
+
+- Added patch:
+  * openjdk-glibc234.patch
+    + fix build with glibc-2.34 (bsc#1189201)
+
+-------------------------------------------------------------------
+Thu Sep 16 06:16:11 UTC 2021 - Fridrich Strba 
+
+- Added patch:
+  * fips.patch
+    + implement FIPS support in OpenJDK
+
+-------------------------------------------------------------------
+Tue Sep 14 14:33:43 UTC 2021 - Fridrich Strba 
+
+- jdk-17+35 is official release of OpenJDK 17 (jsc#SLE-18742)
+
+-------------------------------------------------------------------
+Mon Sep 13 12:46:09 UTC 2021 - Fridrich Strba 
+
+- Modified patch:
+  * nss-security-provider.patch
+    + revert recent changes making NSS provider the default one
+    + fixes bsc#1190252
+
+-------------------------------------------------------------------
+Mon Aug 23 07:16:54 UTC 2021 - Fridrich Strba 
+
+- Initial release of the last release candidate of OpenJDK 17,
+  the next LTS release of OpenJDK
+  * Features:
+    + JEP-306: Restore Always-Strict Floating-Point Semantics
+    + JEP-356: Enhanced Pseudo-Random Number Generators
+    + JEP-382: New macOS Rendering Pipeline
+    + JEP-391: macOS/AArch64 Port
+    + JEP-398: Deprecate the Applet API for Removal
+    + JEP-403: Strongly Encapsulate JDK Internals
+    + JEP-406: Pattern Matching for switch (Preview)
+    + JEP-407: Remove RMI Activation
+    + JEP-409: Sealed Classes
+    + JEP-410: Remove the Experimental AOT and JIT Compiler
+    + JEP-411: Deprecate the Security Manager for Removal
+    + JEP-412: Foreign Function & Memory API (Incubator)
+    + JEP-414: Vector API (Second Incubator)
+    + JEP-415: Context-Specific Deserialization Filters
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
new file mode 100644
index 0000000..418cd0d
--- /dev/null
+++ b/java-17-openjdk.spec
@@ -0,0 +1,1065 @@
+#
+# spec file for package java-17-openjdk
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{!?aarch64:%global aarch64 aarch64 arm64 armv8}
+%{!?arm6:%global arm6 armv3l armv4b armv4l armv4tl armv5b armv5l armv5teb armv5tel armv5tejl armv6l armv6hl}
+%global jit_arches %{ix86} x86_64 ppc64 ppc64le %{aarch64} %{arm} s390x riscv64
+%global debug 0
+%global make make
+%global is_release 1
+%global buildoutputdir build
+# Convert an absolute path to a relative path.  Each symbolic link is
+# specified relative to the directory in which it is installed so that
+# it will resolve properly within chrooted installations.
+%global script 'use File::Spec; print File::Spec->abs2rel($ARGV[0], $ARGV[1])'
+%global abs2rel perl -e %{script}
+%global syslibdir       %{_libdir}
+%global archname        %{name}
+# Standard JPackage naming and versioning defines.
+%global featurever      17
+%global interimver      0
+%global updatever       14
+%global buildver        7
+%global openjdk_repo    jdk17u
+%global openjdk_tag     jdk-%{featurever}.%{interimver}.%{updatever}%{?patchver:.%{patchver}}+%{buildver}
+%global openjdk_dir     %{openjdk_repo}-jdk-%{featurever}.%{interimver}.%{updatever}%{?patchver:.%{patchver}}-%{buildver}
+# priority must be 6 digits in total
+%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
+%global priority        2705
+%else
+%global priority        0
+%endif
+%global javaver         %{featurever}
+# Standard JPackage directories and symbolic links.
+%global sdklnk          java-%{javaver}-openjdk
+%global archname        %{sdklnk}
+%global jrelnk          jre-%{javaver}-openjdk
+%global jrebindir       %{_jvmdir}/%{jrelnk}/bin
+%global sdkdir          %{sdklnk}-%{javaver}
+%global sdkbindir       %{_jvmdir}/%{sdklnk}/bin
+# Prevent brp-java-repack-jars from being run.
+%global __jar_repack 0
+# cacert symlink
+%global cacerts  %{_jvmdir}/%{sdkdir}/lib/security/cacerts
+# real file made by update-ca-certificates
+%global javacacerts %{_var}/lib/ca-certificates/java-cacerts
+%global bootcycle 1
+# turn zero on non jit arches by default
+%ifnarch %{jit_arches}
+%global _with_zero 1
+%endif
+%ifarch %{arm6}
+%global _with_zero 1
+%endif
+%if %{debug}
+%global debugbuild slowdebug
+%else
+%global debugbuild release
+%endif
+%if %{bootcycle}
+%global imagesdir bootcycle-build/images
+%global imagestarget bootcycle-images all
+%else
+%global imagesdir images
+%global imagestarget all
+%endif
+# bnc#542545
+# 32-bit versus 64-bit specific provides:
+%ifarch %{ix86} ppc s390
+%global bits 32
+%endif
+%ifarch x86_64 ia64 s390x
+%global bits 64
+%endif
+%if 0%{?__isa_bits}
+%global bits %{__isa_bits}
+%endif
+# Turn on/off some features depending on openSUSE version
+%if 0%{?suse_version} > 1320
+%global with_system_pcsc 1
+%global with_system_lcms 1
+%else
+%global with_system_pcsc 0
+%global with_system_lcms 0
+%endif
+%if %{is_release}
+%global package_version %{featurever}.%{interimver}.%{updatever}.%{?patchver:%{patchver}}%{!?patchver:0}
+%else
+%global package_version %{featurever}.%{interimver}.%{updatever}.%{?patchver:%{patchver}}%{!?patchver:0}~%{buildver}
+%endif
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+%bcond_with zero
+%if ! %{with zero}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+%if %{with_systemtap}
+%global tapsetroot      %{_datadir}/systemtap
+%global tapsetdir %{tapsetroot}/tapset/%{_build_cpu}
+%endif
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific subdir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinquish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka build_cpu as architecture specific directory name.
+%global tapsetroot %{_datadir}/systemtap
+%global tapsetdir %{tapsetroot}/tapset/%{_build_cpu}
+%endif
+Name:           java-%{featurever}-openjdk
+Version:        %{package_version}
+Release:        0
+Summary:        OpenJDK %{featurever} Runtime Environment
+License:        Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-only WITH Classpath-exception-2.0 AND LGPL-2.0-only AND MPL-1.0 AND MPL-1.1 AND SUSE-Public-Domain AND W3C
+Group:          Development/Languages/Java
+URL:            https://openjdk.java.net/
+# Sources from upstream OpenJDK project.
+Source0:        https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag}.tar.gz
+# Systemtap tapsets. Zipped up to keep it small.
+Source10:       systemtap-tapset.tar.xz
+# Desktop files. Adapated from IcedTea.
+Source11:       jconsole.desktop.in
+# Ensure we aren't using the limited crypto policy
+Source14:       TestCryptoLevel.java
+# Ensure ECDSA is working
+Source15:       TestECDSA.java
+# Fresh config.guess and config.sub files
+# wget -O config.guess 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD'
+Source100:      config.guess
+# wget -O config.sub 'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD'
+Source101:      config.sub
+# Restrict access to java-atk-wrapper classes
+Patch3:         java-atk-wrapper-security.patch
+# RHBZ 808293
+Patch4:         PStack-808293.patch
+# Allow multiple initialization of PKCS11 libraries
+Patch5:         multiple-pkcs11-library-init.patch
+# Fix instantiation of VM on ZERO
+Patch8:         zero-ranges.patch
+# From icedtea: Increase default memory limits
+Patch10:        memory-limits.patch
+# Fix use of unintialized memory in adlc parser
+Patch12:        adlc-parser.patch
+# Fix: implicit-pointer-decl
+Patch13:        implicit-pointer-decl.patch
+# Use SOURCE_DATE_EPOCH in timestamp when writing properties
+Patch14:        reproducible-properties.patch
+Patch15:        system-pcsclite.patch
+Patch16:        fips.patch
+Patch17:        reproducible-jlink.patch
+#
+Patch20:        loadAssistiveTechnologies.patch
+#
+Patch21:        reproducible-javadoc-timestamp.patch
+Patch22:        reproducible-directory-mtime.patch
+#
+# OpenJDK specific patches
+#
+Patch200:       ppc_stack_overflow_fix.patch
+#
+Patch301:       JDK-8303509.patch
+Patch302:       disable-doclint-by-default.patch
+Patch303:       unsigned-sni-server-name.patch
+#
+BuildRequires:  alsa-lib-devel
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  bc
+BuildRequires:  binutils
+BuildRequires:  cups-devel
+BuildRequires:  desktop-file-utils
+BuildRequires:  fdupes
+BuildRequires:  fontconfig-devel
+BuildRequires:  freetype2-devel
+BuildRequires:  giflib-devel
+BuildRequires:  hicolor-icon-theme
+BuildRequires:  java-ca-certificates
+BuildRequires:  libX11-devel
+BuildRequires:  libXi-devel
+BuildRequires:  libXinerama-devel
+BuildRequires:  libXrandr-devel
+BuildRequires:  libXrender-devel
+BuildRequires:  libXt-devel
+BuildRequires:  libXtst-devel
+BuildRequires:  libjpeg-devel
+BuildRequires:  libpng-devel
+BuildRequires:  libtool
+BuildRequires:  libxslt
+BuildRequires:  mozilla-nss-devel >= 3.53
+BuildRequires:  pkgconfig
+BuildRequires:  unzip
+BuildRequires:  update-desktop-files
+BuildRequires:  xorg-x11-proto-devel
+BuildRequires:  xprop
+BuildRequires:  zip
+# Requires rest of java
+Requires:       %{name}-headless = %{version}-%{release}
+Requires:       fontconfig
+Requires(post): file
+%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
+# Standard JPackage base provides.
+Provides:       java = %{javaver}
+Provides:       java-%{javaver} = %{version}-%{release}
+Provides:       java-openjdk = %{version}-%{release}
+Provides:       jre = %{javaver}
+Provides:       jre-%{javaver} = %{version}-%{release}
+Provides:       jre-%{javaver}-openjdk = %{version}-%{release}
+Provides:       jre-openjdk = %{version}-%{release}
+# Standard JPackage extensions provides.
+Provides:       java-fonts = %{version}
+# Required at least by fop
+Provides:       java-%{bits} = %{javaver}
+Provides:       java-%{javaver}-%{bits}
+Provides:       java-openjdk-%{bits} = %{version}-%{release}
+Provides:       jre-%{bits} = %{javaver}
+Provides:       jre-%{javaver}-%{bits}
+Provides:       jre-%{javaver}-openjdk-%{bits} = %{version}-%{release}
+Provides:       jre-openjdk-%{bits} = %{version}-%{release}
+Provides:       jre1.10.x
+Provides:       jre1.3.x
+Provides:       jre1.4.x
+Provides:       jre1.5.x
+Provides:       jre1.6.x
+Provides:       jre1.7.x
+Provides:       jre1.8.x
+Provides:       jre1.9.x
+%endif
+%if 0%{?suse_version} < 1500
+BuildRequires:  gcc7
+BuildRequires:  gcc7-c++
+%else
+BuildRequires:  gcc >= 7
+BuildRequires:  gcc-c++ >= 7
+%endif
+%if %{with_system_lcms}
+BuildRequires:  liblcms2-devel
+%endif
+%if %{bootcycle}
+%if 0%{?suse_version} > 1500 || 0%{?java_bootstrap}
+BuildRequires:  java-devel >= 16
+BuildConflicts: java-devel >= 18
+%else
+BuildRequires:  %{name}-devel
+%endif
+%else
+BuildRequires:  %{name}-devel
+%endif
+# Zero-assembler build requirement.
+%if %{with zero}
+BuildRequires:  libffi-devel
+%endif
+%if %{with_systemtap}
+BuildRequires:  systemtap-sdt-devel
+%endif
+%if %{with_system_pcsc}
+BuildRequires:  pcsc-lite-devel
+%endif
+
+%description
+The OpenJDK %{featurever} runtime environment.
+
+%package headless
+Summary:        OpenJDK %{featurever} Runtime Environment
+Group:          Development/Languages/Java
+Requires:       jpackage-utils
+Requires:       mozilla-nss
+# Post requires update-alternatives to install tool update-alternatives.
+Requires(post): update-alternatives
+Requires(posttrans): file
+Requires(posttrans): java-ca-certificates
+# Postun requires update-alternatives to uninstall tool update-alternatives.
+Requires(postun): update-alternatives
+Recommends:     mozilla-nss-sysinit
+Obsoletes:      %{name}-accessibility
+%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
+# Standard JPackage base provides.
+Provides:       java-%{javaver}-headless = %{version}-%{release}
+Provides:       java-headless = %{javaver}
+Provides:       java-openjdk-headless = %{version}-%{release}
+Provides:       jre-%{javaver}-headless = %{version}-%{release}
+Provides:       jre-%{javaver}-openjdk-headless = %{version}-%{release}
+Provides:       jre-headless = %{javaver}
+Provides:       jre-openjdk-headless = %{version}-%{release}
+# Standard JPackage extensions provides.
+Provides:       jaas = %{version}
+Provides:       java-sasl = %{version}
+Provides:       jce = %{version}
+Provides:       jdbc-stdext = 4.3
+Provides:       jndi = %{version}
+Provides:       jndi-cos = %{version}
+Provides:       jndi-dns = %{version}
+Provides:       jndi-ldap = %{version}
+Provides:       jndi-rmi = %{version}
+Provides:       jsse = %{version}
+%endif
+
+%description headless
+The OpenJDK %{featurever} runtime environment without audio and video support.
+
+%package devel
+Summary:        OpenJDK %{featurever} Development Environment
+# Require base package.
+Group:          Development/Languages/Java
+Requires:       %{name} = %{version}-%{release}
+# Post requires update-alternatives to install tool update-alternatives.
+Requires(post): update-alternatives
+# Postun requires update-alternatives to uninstall tool update-alternatives.
+Requires(postun): update-alternatives
+%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
+# Standard JPackage devel provides.
+Provides:       java-%{javaver}-devel = %{version}
+Provides:       java-devel = %{javaver}
+Provides:       java-devel-openjdk = %{version}
+Provides:       java-sdk = %{javaver}
+Provides:       java-sdk-%{javaver} = %{version}
+Provides:       java-sdk-%{javaver}-openjdk = %{version}
+Provides:       java-sdk-openjdk = %{version}
+%endif
+
+%description devel
+The OpenJDK %{featurever} development tools.
+
+%package jmods
+Summary:        JMods for OpenJDK %{featurever}
+Group:          Development/Languages/Java
+Requires:       %{name}-devel = %{version}-%{release}
+
+%description jmods
+The JMods for OpenJDK %{featurever}.
+
+%package demo
+Summary:        OpenJDK %{featurever} Demos
+Group:          Development/Languages/Java
+Requires:       %{name} = %{version}-%{release}
+
+%description demo
+The OpenJDK %{featurever} demos.
+
+%package src
+Summary:        OpenJDK %{featurever} Source Bundle
+Group:          Development/Languages/Java
+Requires:       %{name} = %{version}-%{release}
+
+%description src
+The OpenJDK %{featurever} source bundle.
+
+%package javadoc
+Summary:        OpenJDK %{featurever} API Documentation
+Group:          Development/Languages/Java
+Requires:       jpackage-utils
+# Post requires update-alternatives to install javadoc alternative.
+Requires(post): update-alternatives
+# Postun requires update-alternatives to uninstall javadoc alternative.
+Requires(postun): update-alternatives
+BuildArch:      noarch
+%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
+# Standard JPackage javadoc provides.
+Provides:       java-%{javaver}-javadoc = %{version}-%{release}
+Provides:       java-javadoc = %{version}-%{release}
+%endif
+
+%description javadoc
+The OpenJDK %{featurever} API documentation.
+
+%prep
+%setup -q -n %{openjdk_dir}
+
+# Replace config.sub and config.guess with fresh versions
+cp %{SOURCE100} make/autoconf/build-aux/
+cp %{SOURCE101} make/autoconf/build-aux/
+
+# Remove libraries that are linked
+rm -rvf src/java.base/share/native/libzip/zlib-*
+find src/java.desktop/share/native/libjavajpeg ! -name imageioJPEG.c ! -name jpegdecoder.c -type f -delete
+rm -rvf src/java.desktop/share/native/libsplashscreen/libpng
+rm -rvf src/java.desktop/share/native/libsplashscreen/giflib
+%if %{with_system_lcms}
+rm -rvf src/java.desktop/share/native/liblcms/cms*
+rm -rvf src/java.desktop/share/native/liblcms/lcms2*
+%endif
+
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 8 -p1
+%patch -P 10 -p1
+%patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+
+%if %{with_system_pcsc}
+%patch -P 15 -p1
+%endif
+
+%patch -P 16 -p1
+%patch -P 17 -p1
+
+%patch -P 20 -p1
+
+%patch -P 21 -p1
+%patch -P 22 -p1
+
+%patch -P 200 -p1
+
+%patch -P 301 -p1
+%patch -P 302 -p1
+%patch -P 303 -p1
+
+# Extract systemtap tapsets
+
+%if %{with_systemtap}
+
+tar -x -I xz -f %{SOURCE10}
+
+for file in tapset/*.in; do
+
+    OUTPUT_FILE=`echo $file | sed -e s:\.in$::g`
+    sed -e s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir}/lib/server/libjvm.so:g $file > $file.1
+# TODO find out which architectures other than ix86 have a client vm
+
+%ifarch %{ix86}
+    sed -e s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir}/lib/client/libjvm.so:g $file.1 > $OUTPUT_FILE
+%else
+    sed -e '/@ABS_CLIENT_LIBJVM_SO@/d' $file.1 > $OUTPUT_FILE
+%endif
+    sed -i -e s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir}:g $OUTPUT_FILE
+
+done
+
+%endif
+
+# Prepare desktop files
+for file in %{SOURCE11} ; do
+    OUTPUT_FILE=`basename $file | sed -e s:\.in$::g`
+    sed -e s:@JAVA_HOME@:%{_jvmdir}/%{sdkdir}:g $file > $OUTPUT_FILE
+    sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
+done
+
+%build
+
+%ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+
+%ifarch %{ix86}
+EXTRA_CFLAGS="${EXTRA_CFLAGS} -mstackrealign -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+EXTRA_CPP_FLAGS="${EXTRA_CPP_FLAGS} -mstackrealign -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+%endif
+
+mkdir -p %{buildoutputdir}
+
+pushd %{buildoutputdir}
+
+bash ../configure \
+%if 0%{?suse_version} < 1500
+    CPP=cpp-7 \
+    CXX=g++-7 \
+    CC=gcc-7 \
+    NM=gcc-nm-7 \
+%endif
+%if %{is_release}
+    --with-version-pre="" \
+%endif
+    --with-version-build="%{buildver}" \
+    --with-version-opt="suse-%{release}-%{_arch}" \
+%if %{with zero}
+    --with-jvm-variants=zero \
+%else
+%ifarch %{arm6}
+    --with-jvm-variants=client \
+%endif
+%endif
+    --disable-keep-packaged-modules \
+    --with-debug-level=%{debugbuild} \
+    --with-native-debug-symbols=internal \
+    --enable-sysconf-nss \
+    --with-zlib=system \
+    --with-libjpeg=system \
+    --with-giflib=system \
+    --with-libpng=system \
+%if %{with_system_lcms}
+    --with-lcms=system \
+%endif
+%if %{with_system_pcsc}
+    --with-pcsclite=system \
+%endif
+    --with-stdc++lib=dynamic \
+    --disable-javac-server \
+%ifarch %{ix86}
+    --with-extra-cxxflags="${EXTRA_CPP_FLAGS}" \
+    --with-extra-cflags="${EXTRA_CFLAGS}" \
+%endif
+    --disable-warnings-as-errors
+
+%{make} --no-print-directory \
+    LOG=trace \
+    %{imagestarget}
+
+# remove redundant *diz and *debuginfo files
+find %{imagesdir}/jdk -iname '*.diz' -exec rm {} \;
+find %{imagesdir}/jdk -iname '*.debuginfo' -exec rm {} \;
+
+popd >& /dev/null
+
+export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
+
+# cacerts are generated in runtime in openSUSE
+if [ -f %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts ]; then
+        rm %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts
+fi
+
+# Check debug symbols are present and can identify code
+SERVER_JVM="$JAVA_HOME/lib/server/libjvm.so"
+if [ -f "$SERVER_JVM" ] ; then
+  nm -aCl "$SERVER_JVM" | grep javaCalls.cpp
+fi
+CLIENT_JVM="$JAVA_HOME/lib/client/libjvm.so"
+if [ -f "$CLIENT_JVM" ] ; then
+  nm -aCl "$CLIENT_JVM" | grep javaCalls.cpp
+fi
+ZERO_JVM="$JAVA_HOME/lib/zero/libjvm.so"
+if [ -f "$ZERO_JVM" ] ; then
+  nm -aCl "$ZERO_JVM" | grep javaCalls.cpp
+fi
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+#FIXME make it run after system NSS support?
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE15})|sed "s|\.java||") || true
+
+%install
+export LANG=en_US.UTF-8
+#bnc#530046
+export STRIP_KEEP_SYMTAB=libjvm*
+# skip /usr/lib/rpm/brp-check-bytecode-version:
+export NO_BRP_CHECK_BYTECODE_VERSION=true
+
+%if %{with_systemtap}
+  # Install systemtap support files.
+  install -dm 755 %{buildroot}%{_jvmdir}/%{sdkdir}/tapset
+  cp -a tapset/*.stp %{buildroot}%{_jvmdir}/%{sdkdir}/tapset/
+  install -d -m 755 %{buildroot}%{tapsetdir}
+  pushd %{buildroot}%{tapsetdir}
+    RELATIVE=$(%{abs2rel} %{_jvmdir}/%{sdkdir}/tapset %{tapsetdir})
+    ln -sf $RELATIVE/*.stp .
+  popd
+%endif
+
+pushd %{buildoutputdir}/%{imagesdir}/jdk
+
+  # Install main files.
+  install -d -m 755 %{buildroot}%{_jvmdir}/%{sdkdir}
+  cp -a bin include lib conf release %{buildroot}%{_jvmdir}/%{sdkdir}
+
+  # Install JCE policy symlinks.
+  install -d -m 755 %{buildroot}%{_jvmprivdir}/%{archname}/jce/vanilla
+
+  # Install versionless symlinks.
+  pushd %{buildroot}%{_jvmdir}
+    ln -sf %{sdkdir} %{jrelnk}
+    ln -sf %{sdkdir} %{sdklnk}
+  popd
+
+  # Remove javaws man page
+  rm -f man/man1/javaws*
+
+  # Install man pages.
+  install -d -m 755 %{buildroot}%{_mandir}/man1
+  rm -f man/man1/javah*.1
+  for manpage in man/man1/*
+  do
+    # Convert man pages to UTF8 encoding.
+    iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp
+    mv -f $manpage.tmp $manpage
+    install -m 644 -p $manpage %{buildroot}%{_mandir}/man1/$(basename \
+      $manpage .1)-%{sdklnk}.1
+  done
+
+  # Install demos and samples.
+  cp -a demo %{buildroot}%{_jvmdir}/%{sdkdir}
+  # enable short-circuit
+  mkdir -p sample/rmi
+  [ -f bin/java-rmi.cgi ] && mv bin/java-rmi.cgi sample/rmi
+  cp -a sample %{buildroot}%{_jvmdir}/%{sdkdir}
+
+popd
+
+pushd %{buildoutputdir}/%{imagesdir}
+
+  # Install jmods
+  cp -a jmods %{buildroot}%{_jvmdir}/%{sdkdir}
+
+popd
+
+# Install Javadoc documentation.
+install -d -m 755 %{buildroot}%{_javadocdir}
+cp -a %{buildoutputdir}/images/docs %{buildroot}%{_javadocdir}/%{sdklnk}
+
+# Install icons and menu entries.
+for s in 16 24 32 48 ; do
+  install -D -p -m 644 \
+    src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \
+    %{buildroot}%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}.png
+done
+
+# Install desktop file.
+install -d -m 0755 %{buildroot}%{_datadir}/{applications,pixmaps}
+install -d -m 0755 %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/
+install -m 0644 jconsole.desktop %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/
+%suse_update_desktop_file %{buildroot}/%{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop
+
+# Find demo directories.
+find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \
+  %{buildroot}%{_jvmdir}/%{sdkdir}/sample -type d \
+  | sed 's|'%{buildroot}'|%dir |' \
+  > %{name}-demo.files
+
+# FIXME: remove SONAME entries from demo DSOs.  See
+# https://bugzilla.redhat.com/show_bug.cgi?id=436497
+
+# Find non-documentation demo files.
+find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \
+  %{buildroot}%{_jvmdir}/%{sdkdir}/sample \
+  -type f -o -type l | sort \
+  | grep -v README \
+  | sed 's|'%{buildroot}'||' \
+  >> %{name}-demo.files
+# Find documentation demo files.
+find %{buildroot}%{_jvmdir}/%{sdkdir}/demo \
+  %{buildroot}%{_jvmdir}/%{sdkdir}/sample \
+  -type f -o -type l | sort \
+  | grep README \
+  | sed 's|'%{buildroot}'||' \
+  | sed 's|^|%doc |' \
+  >> %{name}-demo.files
+
+# fdupes links the files from JDK to JRE, so it breaks a JRE
+# use it carefully :))
+%fdupes -s %{buildroot}/%{_jvmdir}/%{sdkdir}/
+%fdupes -s %{buildroot}/%{_jvmdir}/%{sdkdir}/demo
+%fdupes -s %{buildroot}%{_javadocdir}/%{sdklnk}
+
+%post headless
+ext=.gz
+update-alternatives \
+  --install %{_bindir}/java java %{jrebindir}/java %{priority} \
+  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jrelnk} \
+  --slave %{_bindir}/keytool keytool %{jrebindir}/keytool \
+  --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir}/rmiregistry \
+  --slave %{_mandir}/man1/java.1$ext java.1$ext \
+  %{_mandir}/man1/java-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \
+  %{_mandir}/man1/keytool-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \
+  %{_mandir}/man1/rmiregistry-%{sdklnk}.1$ext
+
+update-alternatives \
+  --install %{_jvmdir}/jre-openjdk \
+  jre_openjdk %{_jvmdir}/%{jrelnk} %{priority}
+update-alternatives \
+  --install %{_jvmdir}/jre-%{javaver} \
+  jre_%{javaver} %{_jvmdir}/%{jrelnk} %{priority}
+
+%postun headless
+if [ $1 -eq 0 ]
+then
+  if test -f /proc/sys/fs/binfmt_misc/jarexec
+  then
+    echo '-1' > /proc/sys/fs/binfmt_misc/jarexec
+  fi
+  update-alternatives --remove java %{jrebindir}/java
+  update-alternatives --remove jre_openjdk %{_jvmdir}/%{jrelnk}
+  update-alternatives --remove jre_%{javaver} %{_jvmdir}/%{jrelnk}
+fi
+
+%posttrans headless
+# bnc#781690#c11: don't trust user defined JAVA_HOME and use the current VM
+# XXX: this might conflict between various versions of openjdk
+export JAVA_HOME=%{_jvmdir}/%{jrelnk}
+
+# check if the java-cacerts is a valid keystore (bnc#781690)
+if [ X"`%{_bindir}/file --mime-type -b %{javacacerts}`" \
+    != "Xapplication/x-java-keystore;" ]; then
+%if 0%{?suse_version} <= 1310
+    # workaround for bnc#847952 - pre 13.1 keyring.jar attempts to load invalid keystore and fail on it
+    rm -f "%{javacacerts}"
+%endif
+    %{_sbindir}/update-ca-certificates
+fi
+
+# remove the default empty cacert file, if it's installed
+if [ 0`stat -c "%%s" %{cacerts} 2>/dev/null` = "032" ] ; then
+    rm -f %{cacerts}
+fi
+
+# if cacerts does exists, neither does not contain/point to a
+# valid keystore (bnc#781690) ...
+if [ X"`%{_bindir}/file --mime-type -b -L %{cacerts}`" \
+    != "Xapplication/x-java-keystore;" ]; then
+    # bnc#727223
+    rm -f %{cacerts}
+    ln -s %{javacacerts} %{cacerts}
+fi
+
+%post devel
+ext=.gz
+update-alternatives \
+  --install %{_bindir}/javac javac %{sdkbindir}/javac %{priority} \
+  --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdklnk} \
+  --slave %{_bindir}/jar jar %{sdkbindir}/jar \
+  --slave %{_bindir}/jarsigner jarsigner %{sdkbindir}/jarsigner \
+  --slave %{_bindir}/javadoc javadoc %{sdkbindir}/javadoc \
+  --slave %{_bindir}/javap javap %{sdkbindir}/javap \
+  --slave %{_bindir}/jcmd jcmd %{sdkbindir}/jcmd \
+  --slave %{_bindir}/jconsole jconsole %{sdkbindir}/jconsole \
+  --slave %{_bindir}/jdb jdb %{sdkbindir}/jdb \
+  --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir}/jdeprscan \
+  --slave %{_bindir}/jdeps jdeps %{sdkbindir}/jdeps \
+%if ! %{with zero}
+%ifnarch s390x
+  --slave %{_bindir}/jhsdb jhsdb %{sdkbindir}/jhsdb \
+%endif
+%endif
+  --slave %{_bindir}/jimage jimage %{sdkbindir}/jimage \
+  --slave %{_bindir}/jinfo jinfo %{sdkbindir}/jinfo \
+  --slave %{_bindir}/jlink jlink %{sdkbindir}/jlink \
+  --slave %{_bindir}/jmap jmap %{sdkbindir}/jmap \
+  --slave %{_bindir}/jmod jmod %{sdkbindir}/jmod \
+  --slave %{_bindir}/jps jps %{sdkbindir}/jps \
+  --slave %{_bindir}/jpackage jpackage %{sdkbindir}/jpackage \
+  --slave %{_bindir}/jrunscript jrunscript %{sdkbindir}/jrunscript \
+  --slave %{_bindir}/jshell jshell %{sdkbindir}/jshell \
+  --slave %{_bindir}/jstack jstack %{sdkbindir}/jstack \
+  --slave %{_bindir}/jstat jstat %{sdkbindir}/jstat \
+  --slave %{_bindir}/jstatd jstatd %{sdkbindir}/jstatd \
+  --slave %{_bindir}/serialver serialver %{sdkbindir}/serialver \
+  --slave %{_mandir}/man1/jar.1$ext jar.1$ext \
+  %{_mandir}/man1/jar-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \
+  %{_mandir}/man1/jarsigner-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/javac.1$ext javac.1$ext \
+  %{_mandir}/man1/javac-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \
+  %{_mandir}/man1/javadoc-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/javap.1$ext javap.1$ext \
+  %{_mandir}/man1/javap-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \
+  %{_mandir}/man1/jcmd-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \
+  %{_mandir}/man1/jconsole-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \
+  %{_mandir}/man1/jdb-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jdeprscan.1$ext jdeprscan.1$ext \
+  %{_mandir}/man1/jdeprscan-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \
+  %{_mandir}/man1/jdeps-%{sdklnk}.1$ext \
+%if ! %{with zero}
+%ifnarch s390x
+  --slave %{_mandir}/man1/jhsdb.1$ext jhsdb.1$ext \
+  %{_mandir}/man1/jhsdb-%{sdklnk}.1$ext \
+%endif
+%endif
+  --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \
+  %{_mandir}/man1/jinfo-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jlink.1$ext jlink.1$ext \
+  %{_mandir}/man1/jlink-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \
+  %{_mandir}/man1/jmap-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jmod.1$ext jmod.1$ext \
+  %{_mandir}/man1/jmod-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \
+  %{_mandir}/man1/jpackage-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jps.1$ext jps.1$ext \
+  %{_mandir}/man1/jps-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \
+  %{_mandir}/man1/jrunscript-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jshell.1$ext jshell.1$ext \
+  %{_mandir}/man1/jshell-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \
+  %{_mandir}/man1/jstack-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \
+  %{_mandir}/man1/jstat-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \
+  %{_mandir}/man1/jstatd-%{sdklnk}.1$ext \
+  --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \
+  %{_mandir}/man1/serialver-%{sdklnk}.1$ext \
+  --slave %{_datadir}/applications/jconsole.desktop jconsole.desktop \
+  %{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop
+
+update-alternatives \
+  --install %{_jvmdir}/java-openjdk \
+  java_sdk_openjdk %{_jvmdir}/%{sdklnk} %{priority}
+update-alternatives \
+  --install %{_jvmdir}/java-%{javaver} \
+  java_sdk_%{javaver} %{_jvmdir}/%{sdklnk} %{priority}
+
+%postun devel
+if [ $1 -eq 0 ]
+then
+  update-alternatives --remove javac %{sdkbindir}/javac
+  update-alternatives --remove java_sdk_openjdk %{_jvmdir}/%{sdklnk}
+  update-alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdklnk}
+fi
+
+%post javadoc
+# in some settings, the %{_javadocdir}/%{sdklnk}/api does not exist
+# and the update-alternatives call ends up in error. So, filter this
+# cases out.
+if [ -d %{_javadocdir}/%{sdklnk}/api ]
+then
+  update-alternatives \
+    --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{sdklnk}/api \
+    %{priority}
+fi
+
+%postun javadoc
+if [ $1 -eq 0 ]
+then
+# in some settings, the %{_javadocdir}/%{sdklnk}/api does not exist
+# and the update-alternatives call ends up in error. So, filter this
+# cases out.
+  if [ -d %{_javadocdir}/%{sdklnk}/api ]
+  then
+    update-alternatives --remove javadocdir %{_javadocdir}/%{sdklnk}/api
+  fi
+fi
+
+%files
+%dir %{_jvmdir}/%{sdkdir}/lib
+%{_jvmdir}/%{sdkdir}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir}/lib/libjawt.so
+%{_jvmdir}/%{sdkdir}/lib/libsplashscreen.so
+%dir %{_datadir}/icons/hicolor
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}.png
+
+%files headless
+%dir %{_jvmdir}
+%dir %{_jvmdir}/%{sdkdir}/
+%dir %{_jvmdir}/%{sdkdir}/bin
+%dir %{_jvmdir}/%{sdkdir}/lib
+%dir %{_jvmdir}/%{sdkdir}/lib/jfr
+%dir %{_jvmdir}/%{sdkdir}/lib/server
+%dir %{_jvmdir}/%{sdkdir}/lib/desktop
+%dir %{_jvmdir}/%{sdkdir}/lib/security
+
+%dir %{_jvmdir}/%{sdkdir}/conf
+%dir %{_jvmdir}/%{sdkdir}/conf/management
+%dir %{_jvmdir}/%{sdkdir}/conf/sdp
+%dir %{_jvmdir}/%{sdkdir}/conf/security
+%dir %{_jvmdir}/%{sdkdir}/conf/security/policy
+%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited
+%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/limited
+
+%dir %{_jvmdir}/%{sdkdir}
+%{_jvmdir}/%{jrelnk}
+%{_jvmprivdir}/*
+
+%{_jvmdir}/%{sdkdir}/release
+%{_jvmdir}/%{sdkdir}/bin/java
+%{_jvmdir}/%{sdkdir}/bin/jfr
+%{_jvmdir}/%{sdkdir}/bin/keytool
+%{_jvmdir}/%{sdkdir}/bin/rmiregistry
+%{_jvmdir}/%{sdkdir}/conf/logging.properties
+%{_jvmdir}/%{sdkdir}/conf/management/jmxremote.access
+%{_jvmdir}/%{sdkdir}/conf/management/jmxremote.password.template
+%{_jvmdir}/%{sdkdir}/conf/management/management.properties
+%{_jvmdir}/%{sdkdir}/conf/net.properties
+%{_jvmdir}/%{sdkdir}/conf/sdp/sdp.conf.template
+%{_jvmdir}/%{sdkdir}/conf/security/java.policy
+%{_jvmdir}/%{sdkdir}/conf/security/java.security
+%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_local.policy
+%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_US_export.policy
+%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/exempt_local.policy
+%{_jvmdir}/%{sdkdir}/conf/security/policy/README.txt
+%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_local.policy
+%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_US_export.policy
+%{_jvmdir}/%{sdkdir}/conf/sound.properties
+%{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop
+%{_jvmdir}/%{sdkdir}/lib/jexec
+%{_jvmdir}/%{sdkdir}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir}/lib/jfr/profile.jfc
+%{_jvmdir}/%{sdkdir}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir}/lib/libawt.so
+%{_jvmdir}/%{sdkdir}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir}/lib/libjava.so
+%{_jvmdir}/%{sdkdir}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir}/lib/libjli.so
+%{_jvmdir}/%{sdkdir}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir}/lib/libnet.so
+%{_jvmdir}/%{sdkdir}/lib/libnio.so
+%{_jvmdir}/%{sdkdir}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir}/lib/librmi.so
+%{_jvmdir}/%{sdkdir}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir}/lib/libsystemconf.so
+%ifarch x86_64
+%{_jvmdir}/%{sdkdir}/lib/libjsvml.so
+%endif
+%{_jvmdir}/%{sdkdir}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir}/lib/libverify.so
+%{_jvmdir}/%{sdkdir}/lib/libzip.so
+%{_jvmdir}/%{sdkdir}/lib/modules
+%{_jvmdir}/%{sdkdir}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir}/lib/*/libjsig.so
+%{_jvmdir}/%{sdkdir}/lib/*/libjvm.so
+%if ! %{with zero}
+%{_jvmdir}/%{sdkdir}/lib/classlist
+%{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa
+%endif
+
+%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
+%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
+%{_jvmdir}/%{sdkdir}/lib/security/default.policy
+%{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
+
+%{_mandir}/man1/java-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jfr-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/keytool-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/rmiregistry-%{sdklnk}.1%{?ext_man}
+
+%files devel
+%dir %{_jvmdir}/%{sdkdir}/bin
+%dir %{_jvmdir}/%{sdkdir}/include
+%dir %{_jvmdir}/%{sdkdir}/include/linux
+%dir %{_jvmdir}/%{sdkdir}/lib
+
+%if %{with_systemtap}
+%dir %{_jvmdir}/%{sdkdir}/tapset
+%endif
+%{_jvmdir}/%{sdkdir}/bin/jar
+%{_jvmdir}/%{sdkdir}/bin/jarsigner
+%{_jvmdir}/%{sdkdir}/bin/javac
+%{_jvmdir}/%{sdkdir}/bin/javadoc
+%{_jvmdir}/%{sdkdir}/bin/javap
+%{_jvmdir}/%{sdkdir}/bin/jcmd
+%{_jvmdir}/%{sdkdir}/bin/jconsole
+%{_jvmdir}/%{sdkdir}/bin/jdb
+%{_jvmdir}/%{sdkdir}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir}/bin/jdeps
+%if ! %{with zero}
+%ifnarch s390x
+%{_jvmdir}/%{sdkdir}/bin/jhsdb
+%endif
+%endif
+%{_jvmdir}/%{sdkdir}/bin/jimage
+%{_jvmdir}/%{sdkdir}/bin/jinfo
+%{_jvmdir}/%{sdkdir}/bin/jlink
+%{_jvmdir}/%{sdkdir}/bin/jmap
+%{_jvmdir}/%{sdkdir}/bin/jmod
+%{_jvmdir}/%{sdkdir}/bin/jpackage
+%{_jvmdir}/%{sdkdir}/bin/jps
+%{_jvmdir}/%{sdkdir}/bin/jrunscript
+%{_jvmdir}/%{sdkdir}/bin/jshell
+%{_jvmdir}/%{sdkdir}/bin/jstack
+%{_jvmdir}/%{sdkdir}/bin/jstat
+%{_jvmdir}/%{sdkdir}/bin/jstatd
+%{_jvmdir}/%{sdkdir}/bin/serialver
+%{_jvmdir}/%{sdkdir}/include/classfile_constants.h
+%{_jvmdir}/%{sdkdir}/include/jawt.h
+%{_jvmdir}/%{sdkdir}/include/jdwpTransport.h
+%{_jvmdir}/%{sdkdir}/include/jni.h
+%{_jvmdir}/%{sdkdir}/include/jvmticmlr.h
+%{_jvmdir}/%{sdkdir}/include/jvmti.h
+%{_jvmdir}/%{sdkdir}/lib/ct.sym
+%{_jvmdir}/%{sdkdir}/lib/libattach.so
+%if ! %{with zero}
+%ifnarch s390x
+%{_jvmdir}/%{sdkdir}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir}/include/linux/jawt_md.h
+%{_jvmdir}/%{sdkdir}/include/linux/jni_md.h
+
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir}/tapset/*.stp
+%endif
+%{_jvmdir}/%{sdklnk}
+%{_mandir}/man1/jar-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jarsigner-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/javac-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/javadoc-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/javap-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jcmd-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jconsole-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jdb-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jdeprscan-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jdeps-%{sdklnk}.1%{?ext_man}
+%if ! %{with zero}
+%ifnarch s390x
+%{_mandir}/man1/jhsdb-%{sdklnk}.1%{?ext_man}
+%endif
+%endif
+%{_mandir}/man1/jinfo-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jlink-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jmap-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jmod-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jpackage-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jps-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jrunscript-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jshell-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jstack-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jstat-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/jstatd-%{sdklnk}.1%{?ext_man}
+%{_mandir}/man1/serialver-%{sdklnk}.1%{?ext_man}
+
+%if %{with_systemtap}
+%{tapsetroot}
+%endif
+
+%files jmods
+%dir %{_jvmdir}/%{sdkdir}/jmods
+%{_jvmdir}/%{sdkdir}/jmods/*.jmod
+
+%files demo -f %{name}-demo.files
+
+%files src
+%{_jvmdir}/%{sdkdir}/lib/src.zip
+
+%files javadoc
+%dir %{_javadocdir}
+%dir %{_javadocdir}/%{sdklnk}
+%{_javadocdir}/%{sdklnk}/*
+
+%changelog
diff --git a/java-atk-wrapper-security.patch b/java-atk-wrapper-security.patch
new file mode 100644
index 0000000..849df03
--- /dev/null
+++ b/java-atk-wrapper-security.patch
@@ -0,0 +1,20 @@
+--- jdk10/src/java.base/share/conf/security/java.security	2017-01-23 23:56:02.000000000 +0100
++++ jdk10/src/java.base/share/conf/security/java.security	2017-01-27 08:41:10.551819770 +0100
+@@ -307,6 +307,8 @@
+ #
+ package.access=sun.misc.,\
+                sun.reflect.,\
++               org.GNOME.Accessibility.,\
++               org.GNOME.Bonobo.,\
+ 
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -319,6 +321,8 @@
+ #
+ package.definition=sun.misc.,\
+                    sun.reflect.,\
++                   org.GNOME.Accessibility.,\
++                   org.GNOME.Bonobo.,\
+ 
+ #
+ # Determines whether this properties file can be appended to
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..bc230d3
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=OpenJDK @VERSION@ Monitoring & Management Console
+GenericName=OpenJDK Monitoring & Management Console
+Comment=Monitor and manage OpenJDK applications
+Exec=@JAVA_HOME@/bin/jconsole
+Icon=java-@VERSION@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;
+Version=1.0
diff --git a/jdk-17.0.12+7.tar.gz b/jdk-17.0.12+7.tar.gz
new file mode 100644
index 0000000..2d21aad
--- /dev/null
+++ b/jdk-17.0.12+7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccb7d37c24f9f5808f9d25419d93680570dc600f292e68944032338cb4b2c51e
+size 106583944
diff --git a/jdk-17.0.13+11.tar.gz b/jdk-17.0.13+11.tar.gz
new file mode 100644
index 0000000..3672036
--- /dev/null
+++ b/jdk-17.0.13+11.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:86e27ac99560e08db3c0ad4df0428a076e40679c20636b29ecee5b62431d1cbe
+size 107321403
diff --git a/jdk-17.0.14+7.tar.gz b/jdk-17.0.14+7.tar.gz
new file mode 100644
index 0000000..bb45e9c
--- /dev/null
+++ b/jdk-17.0.14+7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98a6eb04bf7067ea040c0e1fa068845db822bf3f9ca686436327a834fa796f30
+size 107396067
diff --git a/loadAssistiveTechnologies.patch b/loadAssistiveTechnologies.patch
new file mode 100644
index 0000000..9c03a84
--- /dev/null
+++ b/loadAssistiveTechnologies.patch
@@ -0,0 +1,17 @@
+--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+@@ -601,9 +601,13 @@
+                 !(toolkit instanceof HeadlessToolkit)) {
+                 toolkit = new HeadlessToolkit(toolkit);
+             }
+             if (!GraphicsEnvironment.isHeadless()) {
+-                loadAssistiveTechnologies();
++                try {
++                    loadAssistiveTechnologies();
++                } catch (AWTError error) {
++                    // ignore silently
++                }
+             }
+         }
+         return toolkit;
+     }
diff --git a/memory-limits.patch b/memory-limits.patch
new file mode 100644
index 0000000..6c02078
--- /dev/null
+++ b/memory-limits.patch
@@ -0,0 +1,11 @@
+--- jdk11/src/hotspot/share/gc/shared/gc_globals.hpp	2018-04-20 08:14:25.796265133 +0200
++++ jdk11/src/hotspot/share/gc/shared/gc_globals.hpp	2018-04-20 08:15:53.656690011 +0200
+@@ -593,7 +593,7 @@
+           "Initial heap size (in bytes); zero means use ergonomics")        \
+           constraint(InitialHeapSizeConstraintFunc,AfterErgo)               \
+                                                                             \
+-  product(size_t, MaxHeapSize, ScaleForWordSize(96*M),                      \
++  product(size_t, MaxHeapSize, ScaleForWordSize(512*M),                     \
+           "Maximum heap size (in bytes)")                                   \
+           constraint(MaxHeapSizeConstraintFunc,AfterErgo)                   \
+                                                                             \
diff --git a/multiple-pkcs11-library-init.patch b/multiple-pkcs11-library-init.patch
new file mode 100644
index 0000000..4c6e7e2
--- /dev/null
+++ b/multiple-pkcs11-library-init.patch
@@ -0,0 +1,65 @@
+--- jdk10/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java	2016-12-20 23:13:34.000000000 +0100
++++ jdk10/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java	2016-12-22 11:45:10.418651583 +0100
+@@ -52,6 +52,7 @@
+     static final int ERR_HALT       = 1;
+     static final int ERR_IGNORE_ALL = 2;
+     static final int ERR_IGNORE_LIB = 3;
++    static final int ERR_IGNORE_MULTI_INIT = 4;
+ 
+     // same as allowSingleThreadedModules but controlled via a system property
+     // and applied to all providers. if set to false, no SunPKCS11 instances
+@@ -1019,6 +1020,8 @@
+             handleStartupErrors = ERR_IGNORE_LIB;
+         } else if (val.equals("halt")) {
+             handleStartupErrors = ERR_HALT;
++        } else if (val.equals("ignoreMultipleInitialisation")) {
++            handleStartupErrors = ERR_IGNORE_MULTI_INIT;
+         } else {
+             throw excToken("Invalid value for handleStartupErrors:");
+         }
+--- jdk10/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java	2016-12-20 23:13:34.000000000 +0100
++++ jdk10/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java	2016-12-22 11:45:10.418651583 +0100
+@@ -179,26 +179,37 @@
+                 String nssLibraryDirectory = config.getNssLibraryDirectory();
+                 String nssSecmodDirectory = config.getNssSecmodDirectory();
+                 boolean nssOptimizeSpace = config.getNssOptimizeSpace();
++                int errorHandling = config.getHandleStartupErrors();
+ 
+                 if (secmod.isInitialized()) {
+                     if (nssSecmodDirectory != null) {
+                         String s = secmod.getConfigDir();
+                         if ((s != null) &&
+                                 (s.equals(nssSecmodDirectory) == false)) {
+-                            throw new ProviderException("Secmod directory "
+-                                + nssSecmodDirectory
+-                                + " invalid, NSS already initialized with "
+-                                + s);
++                            String msg = "Secmod directory " + nssSecmodDirectory
++                                + " invalid, NSS already initialized with " + s;
++                            if (errorHandling == Config.ERR_IGNORE_MULTI_INIT ||
++                                errorHandling == Config.ERR_IGNORE_ALL) {
++                                throw new UnsupportedOperationException(msg);
++                            } else {
++                                throw new ProviderException(msg);
++                            }
+                         }
+                     }
+                     if (nssLibraryDirectory != null) {
+                         String s = secmod.getLibDir();
+                         if ((s != null) &&
+                                 (s.equals(nssLibraryDirectory) == false)) {
+-                            throw new ProviderException("NSS library directory "
++                            String msg = "NSS library directory "
+                                 + nssLibraryDirectory
+                                 + " invalid, NSS already initialized with "
+-                                + s);
++                                + s;
++                            if (errorHandling == Config.ERR_IGNORE_MULTI_INIT ||
++                                errorHandling == Config.ERR_IGNORE_ALL) {
++                                throw new UnsupportedOperationException(msg);
++                            } else {
++                                throw new ProviderException(msg);
++                            }
+                         }
+                     }
+                 } else {
diff --git a/ppc_stack_overflow_fix.patch b/ppc_stack_overflow_fix.patch
new file mode 100644
index 0000000..d846fde
--- /dev/null
+++ b/ppc_stack_overflow_fix.patch
@@ -0,0 +1,27 @@
+--- a/src/hotspot/cpu/zero/stack_zero.hpp	2016-12-27 22:00:30.000000000 +0100
++++ b/src/hotspot/cpu/zero/stack_zero.hpp	2017-01-09 08:35:53.221098668 +0100
+@@ -97,7 +97,7 @@
+   int shadow_pages_size() const {
+     return _shadow_pages_size;
+   }
+-  int abi_stack_available(Thread *thread) const;
++  ssize_t abi_stack_available(Thread *thread) const;
+ 
+  public:
+   void overflow_check(int required_words, TRAPS);
+--- a/src/hotspot/cpu/zero/stack_zero.inline.hpp	2016-12-27 22:00:30.000000000 +0100
++++ b/src/hotspot/cpu/zero/stack_zero.inline.hpp	2017-01-09 08:35:53.221098668 +0100
+@@ -46,11 +46,11 @@
+ // This method returns the amount of ABI stack available for us
+ // to use under normal circumstances.  Note that the returned
+ // value can be negative.
+-inline int ZeroStack::abi_stack_available(Thread *thread) const {
++inline ssize_t ZeroStack::abi_stack_available(Thread *thread) const {
+   assert(Thread::current() == thread, "should run in the same thread");
+-  int stack_used = thread->stack_base() - (address) &stack_used
++  ssize_t stack_used = thread->stack_base() - (address) &stack_used
+     + (StackOverflow::stack_guard_zone_size() + StackOverflow::stack_shadow_zone_size());
+-  int stack_free = thread->stack_size() - stack_used;
++  ssize_t stack_free = thread->stack_size() - stack_used;
+   return stack_free;
+ }
diff --git a/reproducible-directory-mtime.patch b/reproducible-directory-mtime.patch
new file mode 100644
index 0000000..e6a456e
--- /dev/null
+++ b/reproducible-directory-mtime.patch
@@ -0,0 +1,15 @@
+--- a/src/java.base/share/classes/java/io/File.java
++++ b/src/java.base/share/classes/java/io/File.java
+@@ -1376,7 +1376,11 @@ public class File
+         if (isInvalid()) {
+             return false;
+         }
+-        return fs.createDirectory(this);
++        boolean result = fs.createDirectory(this);
++        if ( result && System.getenv("SOURCE_DATE_EPOCH") != null ) {
++            fs.setLastModifiedTime(this, 1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH")));
++        }
++        return result;
+     }
+ 
+     /**
diff --git a/reproducible-javadoc-timestamp.patch b/reproducible-javadoc-timestamp.patch
new file mode 100644
index 0000000..35a6332
--- /dev/null
+++ b/reproducible-javadoc-timestamp.patch
@@ -0,0 +1,60 @@
+--- a/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/formats/html/HtmlConfiguration.java
++++ b/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/formats/html/HtmlConfiguration.java
+@@ -213,6 +213,12 @@ public class HtmlConfiguration extends BaseConfiguration {
+         }
+         docletVersion = v;
+ 
++        if (System.getenv("SOURCE_DATE_EPOCH") != null) {
++            startTime = new Date(1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH")));
++        } else {
++            startTime = new Date();
++        }
++
+         conditionalPages = EnumSet.noneOf(ConditionalPage.class);
+     }
+     protected void initConfiguration(DocletEnvironment docEnv,
+@@ -223,7 +229,7 @@ public class HtmlConfiguration extends BaseConfiguration {
+     }
+ 
+     private final Runtime.Version docletVersion;
+-    public final Date startTime = new Date();
++    public final Date startTime;
+ 
+     @Override
+     public Runtime.Version getDocletVersion() {
+--- a/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/formats/html/markup/Head.java
++++ b/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/formats/html/markup/Head.java
+@@ -33,6 +33,7 @@ import java.util.Arrays;
+ import java.util.Collections;
+ import java.util.Date;
+ import java.util.List;
++import java.util.TimeZone;
+ 
+ import jdk.javadoc.internal.doclets.toolkit.Content;
+ import jdk.javadoc.internal.doclets.toolkit.util.DocPath;
+@@ -265,6 +266,9 @@ public class Head extends Content {
+ 
+         if (showTimestamp) {
+             SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
++            if (System.getenv("SOURCE_DATE_EPOCH") != null) {
++                dateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
++            }
+             tree.add(HtmlTree.META("dc.created", dateFormat.format(generatedDate)));
+         }
+ 
+@@ -298,7 +302,14 @@ public class Head extends Content {
+         String text = "Generated by javadoc"; // marker string, deliberately not localized
+         text += " (" + docletVersion.feature() + ")";
+         if (timestamp) {
+-            text += " on " + now;
++            text += " on ";
++            if (System.getenv("SOURCE_DATE_EPOCH") == null) {
++                text += now;
++            } else {
++                SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
++                fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
++                text += fmt.format(now);
++            }
+         }
+         return new Comment(text);
+     }
diff --git a/reproducible-jlink.patch b/reproducible-jlink.patch
new file mode 100644
index 0000000..34280e4
--- /dev/null
+++ b/reproducible-jlink.patch
@@ -0,0 +1,11 @@
+--- a/src/jdk.jlink/share/classes/jdk/tools/jlink/internal/JlinkTask.java
++++ b/src/jdk.jlink/share/classes/jdk/tools/jlink/internal/JlinkTask.java
+@@ -776,7 +776,7 @@ public class JlinkTask {
+ 
+     private String getSaveOpts() {
+         StringBuilder sb = new StringBuilder();
+-        sb.append('#').append(new Date()).append("\n");
++        sb.append('#').append(System.getenv("SOURCE_DATE_EPOCH") != null ? new Date(1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH"))) : new Date()).append("\n");
+         for (String c : optionsHelper.getInputCommand()) {
+             sb.append(c).append(" ");
+         }
diff --git a/reproducible-properties.patch b/reproducible-properties.patch
new file mode 100644
index 0000000..5c717ca
--- /dev/null
+++ b/reproducible-properties.patch
@@ -0,0 +1,15 @@
+--- a/src/java.base/share/classes/java/util/Properties.java
++++ b/src/java.base/share/classes/java/util/Properties.java
+@@ -903,7 +903,11 @@ public class Properties extends Hashtable {
+         if (comments != null) {
+             writeComments(bw, comments);
+         }
+-        bw.write("#" + new Date().toString());
++        Date now = new Date();
++        if (System.getenv("SOURCE_DATE_EPOCH") != null) {
++            now = new Date(1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH")));
++        }
++        bw.write("#" + now.toString());
+         bw.newLine();
+         synchronized (this) {
+             for (Map.Entry e : entrySet()) {
diff --git a/system-pcsclite.patch b/system-pcsclite.patch
new file mode 100644
index 0000000..5912a15
--- /dev/null
+++ b/system-pcsclite.patch
@@ -0,0 +1,177 @@
+--- jdk15/make/autoconf/lib-bundled.m4	2020-05-07 13:35:09.825368428 +0200
++++ jdk15/make/autoconf/lib-bundled.m4	2020-05-07 13:37:41.358280752 +0200
+@@ -41,6 +41,7 @@
+   LIB_SETUP_ZLIB
+   LIB_SETUP_LCMS
+   LIB_SETUP_HARFBUZZ
++  LIB_SETUP_PCSCLITE
+ ])
+ 
+ ################################################################################
+@@ -304,3 +305,41 @@
+   AC_SUBST(HARFBUZZ_CFLAGS)
+   AC_SUBST(HARFBUZZ_LIBS)
+ ])
++
++################################################################################
++# Setup pcsclite
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_PCSCLITE],
++[
++  AC_ARG_WITH(pcsclite, [AS_HELP_STRING([--with-pcsclite],
++     [use pcsclite from build system or OpenJDK source (system, bundled) @<:@bundled@:>@])])
++
++  AC_MSG_CHECKING([for which pcsclite to use])
++
++  # default is bundled
++  DEFAULT_PCSCLITE=bundled
++  # if user didn't specify, use DEFAULT_PCSCLITE
++  if test "x${with_pcsclite}" = "x"; then
++      with_libpng=${DEFAULT_PCSCLITE}
++  fi
++
++  if test "x${with_pcsclite}" = "xbundled"; then
++      USE_EXTERNAL_PCSCLITE=false
++      AC_MSG_RESULT([bundled])
++  elif test "x${with_pcsclite}" = "xsystem"; then
++      PKG_CHECK_MODULES(PCSCLITE, libpcsclite,
++                   [ PCSCLITE_FOUND=yes ],
++                   [ PCSCLITE_FOUND=no ])
++      if test "x${PCSCLITE_FOUND}" = "xyes"; then
++          USE_EXTERNAL_PCSCLITE=true
++          AC_MSG_RESULT([system])
++      else
++          AC_MSG_RESULT([system not found])
++          AC_MSG_ERROR([--with-pcsclite=system specified, but no pcsclite found!])
++      fi
++  else
++      AC_MSG_ERROR([Invalid value of --with-pcsclite: ${with_pcsclite}, use 'system' or 'bundled'])
++  fi
++
++  AC_SUBST(USE_EXTERNAL_PCSCLITE)
++])
+--- jdk15/make/autoconf/spec.gmk.in	2020-05-07 13:35:09.825368428 +0200
++++ jdk15/make/autoconf/spec.gmk.in	2020-05-07 13:37:41.358280752 +0200
+@@ -767,6 +767,7 @@
+ # Build setup
+ USE_EXTERNAL_LIBJPEG:=@USE_EXTERNAL_LIBJPEG@
+ USE_EXTERNAL_LIBGIF:=@USE_EXTERNAL_LIBGIF@
++USE_EXTERNAL_LIBPCSCLITE:=@USE_EXTERNAL_LIBPCSCLITE@
+ USE_EXTERNAL_LIBZ:=@USE_EXTERNAL_LIBZ@
+ LIBZ_CFLAGS:=@LIBZ_CFLAGS@
+ LIBZ_LIBS:=@LIBZ_LIBS@
+--- jdk15/make/modules/java.smartcardio/Lib.gmk	2020-05-07 13:35:09.933369079 +0200
++++ jdk15/make/modules/java.smartcardio/Lib.gmk	2020-05-07 13:40:06.651155470 +0200
+@@ -30,12 +30,12 @@
+ $(eval $(call SetupJdkLibrary, BUILD_LIBJ2PCSC, \
+     NAME := j2pcsc, \
+     CFLAGS := $(CFLAGS_JDKLIB), \
+-    CFLAGS_unix := -D__sun_jdk, \
+-    EXTRA_HEADER_DIRS := libj2pcsc/MUSCLE, \
++    CFLAGS_unix := -D__sun_jdk -DUSE_SYSTEM_LIBPCSCLITE, \
++    EXTRA_HEADER_DIRS := /usr/include/PCSC, \
+     OPTIMIZATION := LOW, \
+     LDFLAGS := $(LDFLAGS_JDKLIB) \
+         $(call SET_SHARED_LIBRARY_ORIGIN), \
+-    LIBS_unix := $(LIBDL), \
++    LIBS_unix := -lpcsclite $(LIBDL), \
+     LIBS_windows := winscard.lib, \
+ ))
+ 
+--- jdk15/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.c	2020-05-07 13:35:10.301371295 +0200
++++ jdk15/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.c	2020-05-07 13:37:55.482365786 +0200
+@@ -36,6 +36,7 @@
+ 
+ #include "pcsc_md.h"
+ 
++#ifndef USE_SYSTEM_LIBPCSCLITE
+ void *hModule;
+ FPTR_SCardEstablishContext scardEstablishContext;
+ FPTR_SCardConnect scardConnect;
+@@ -47,6 +48,7 @@
+ FPTR_SCardBeginTransaction scardBeginTransaction;
+ FPTR_SCardEndTransaction scardEndTransaction;
+ FPTR_SCardControl scardControl;
++#endif
+ 
+ /*
+  * Throws a Java Exception by name
+@@ -75,6 +77,7 @@
+     throwByName(env, "java/io/IOException", msg);
+ }
+ 
++#ifndef USE_SYSTEM_LIBPCSCLITE
+ void *findFunction(JNIEnv *env, void *hModule, char *functionName) {
+     void *fAddress = dlsym(hModule, functionName);
+     if (fAddress == NULL) {
+@@ -85,9 +88,11 @@
+     }
+     return fAddress;
+ }
++#endif
+ 
+ JNIEXPORT void JNICALL Java_sun_security_smartcardio_PlatformPCSC_initialize
+         (JNIEnv *env, jclass thisClass, jstring jLibName) {
++#ifndef USE_SYSTEM_LIBPCSCLITE
+     const char *libName = (*env)->GetStringUTFChars(env, jLibName, NULL);
+     if (libName == NULL) {
+         throwNullPointerException(env, "PCSC library name is null");
+@@ -141,4 +146,5 @@
+ #else
+     scardControl          = (FPTR_SCardControl)         findFunction(env, hModule, "SCardControl132");
+ #endif // __APPLE__
++#endif
+ }
+--- jdk15/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.h	2020-05-07 13:35:10.301371295 +0200
++++ jdk15/src/java.smartcardio/unix/native/libj2pcsc/pcsc_md.h	2020-05-07 13:37:55.482365786 +0200
+@@ -23,6 +23,8 @@
+  * questions.
+  */
+ 
++#ifndef USE_SYSTEM_LIBPCSCLITE
++
+ typedef LONG (*FPTR_SCardEstablishContext)(DWORD dwScope,
+                 LPCVOID pvReserved1,
+                 LPCVOID pvReserved2,
+@@ -111,3 +113,41 @@
+ extern FPTR_SCardBeginTransaction scardBeginTransaction;
+ extern FPTR_SCardEndTransaction scardEndTransaction;
+ extern FPTR_SCardControl scardControl;
++
++#else
++
++#define CALL_SCardEstablishContext(dwScope, pvReserved1, pvReserved2, phContext) \
++    (SCardEstablishContext(dwScope, pvReserved1, pvReserved2, phContext))
++
++#define CALL_SCardConnect(hContext, szReader, dwSharedMode, dwPreferredProtocols, phCard, pdwActiveProtocols) \
++    (SCardConnect(hContext, szReader, dwSharedMode, dwPreferredProtocols, phCard, pdwActiveProtocols))
++
++#define CALL_SCardDisconnect(hCard, dwDisposition) \
++    (SCardDisconnect(hCard, dwDisposition))
++
++#define CALL_SCardStatus(hCard, mszReaderNames, pcchReaderLen, pdwState, pdwProtocol, pbAtr, pcbAtrLen) \
++    (SCardStatus(hCard, mszReaderNames, pcchReaderLen, pdwState, pdwProtocol, pbAtr, pcbAtrLen))
++
++#define CALL_SCardGetStatusChange(hContext, dwTimeout, rgReaderStates, cReaders) \
++    (SCardGetStatusChange(hContext, dwTimeout, rgReaderStates, cReaders))
++
++#define CALL_SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, \
++                            pioRecvPci, pbRecvBuffer, pcbRecvLength) \
++    (SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, \
++                            pioRecvPci, pbRecvBuffer, pcbRecvLength))
++
++#define CALL_SCardListReaders(hContext, mszGroups, mszReaders, pcchReaders) \
++    (SCardListReaders(hContext, mszGroups, mszReaders, pcchReaders))
++
++#define CALL_SCardBeginTransaction(hCard) \
++    (SCardBeginTransaction(hCard))
++
++#define CALL_SCardEndTransaction(hCard, dwDisposition) \
++    (SCardEndTransaction(hCard, dwDisposition))
++
++#define CALL_SCardControl(hCard, dwControlCode, pbSendBuffer, cbSendLength, \
++            pbRecvBuffer, pcbRecvLength, lpBytesReturned) \
++    (SCardControl(hCard, dwControlCode, pbSendBuffer, cbSendLength, \
++            pbRecvBuffer, pcbRecvLength, lpBytesReturned))
++
++#endif
diff --git a/systemtap-tapset.tar.xz b/systemtap-tapset.tar.xz
new file mode 100644
index 0000000..26fb6b9
--- /dev/null
+++ b/systemtap-tapset.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:87fdf73bd17bc7391bf56e9c9006fc901188ceeb918062d7026a314add60d05b
+size 22548
diff --git a/unsigned-sni-server-name.patch b/unsigned-sni-server-name.patch
new file mode 100644
index 0000000..79c4e25
--- /dev/null
+++ b/unsigned-sni-server-name.patch
@@ -0,0 +1,13 @@
+Index: jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+===================================================================
+--- jdk17u-jdk-17.0.6-10.orig/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
++++ jdk17u-jdk-17.0.6-10/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+@@ -408,7 +408,7 @@ final class SSLSessionImpl extends Exten
+         } else {
+             requestedServerNames = new ArrayList<>();
+             while (len > 0) {
+-                int l = buf.get();
++                int l = Byte.toUnsignedInt(buf.get());
+                 b = new byte[l];
+                 buf.get(b, 0, l);
+                 requestedServerNames.add(new SNIHostName(new String(b)));
diff --git a/zero-ranges.patch b/zero-ranges.patch
new file mode 100644
index 0000000..c304979
--- /dev/null
+++ b/zero-ranges.patch
@@ -0,0 +1,15 @@
+--- jdk10/src/hotspot/cpu/zero/globals_zero.hpp	2016-01-21 19:16:09.000000000 +0100
++++ jdk10/src/hotspot/cpu/zero/globals_zero.hpp	2016-01-29 15:52:57.611610069 +0100
+@@ -53,9 +53,9 @@
+ #define DEFAULT_STACK_SHADOW_PAGES (5 LP64_ONLY(+1) DEBUG_ONLY(+3))
+ #define DEFAULT_STACK_RESERVED_PAGES (0)
+ 
+-#define MIN_STACK_YELLOW_PAGES DEFAULT_STACK_YELLOW_PAGES
+-#define MIN_STACK_RED_PAGES DEFAULT_STACK_RED_PAGES
+-#define MIN_STACK_SHADOW_PAGES DEFAULT_STACK_SHADOW_PAGES
++#define MIN_STACK_YELLOW_PAGES 1
++#define MIN_STACK_RED_PAGES 1
++#define MIN_STACK_SHADOW_PAGES 1
+ #define MIN_STACK_RESERVED_PAGES (0)
+ 
+ define_pd_global(intx,  StackYellowPages,     DEFAULT_STACK_YELLOW_PAGES);