diff --git a/comment-nss-security-provider.patch b/comment-nss-security-provider.patch
deleted file mode 100644
index 944d4aa..0000000
--- a/comment-nss-security-provider.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openjdk/jdk/src/share/lib/security/java.security-linux 2021-09-16 11:10:18.388933075 +0200
-+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-10-11 13:35:57.523155519 +0200
-@@ -74,7 +74,7 @@
- security.provider.7=com.sun.security.sasl.Provider
- security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
- security.provider.9=sun.security.smartcardio.SunPCSC
--security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
-+#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
- # Sun Provider SecureRandom seed source.
diff --git a/fips.patch b/fips.patch
index ef10bb9..9e7d116 100644
--- a/fips.patch
+++ b/fips.patch
@@ -1,5 +1,5 @@
---- openjdk/common/autoconf/configure.ac 2021-12-04 07:42:42.465816095 +0100
-+++ openjdk/common/autoconf/configure.ac 2021-12-04 07:43:01.237927592 +0100
+--- openjdk/common/autoconf/configure.ac 2022-02-08 15:00:13.864829794 +0100
++++ openjdk/common/autoconf/configure.ac 2022-02-08 15:00:30.560949558 +0100
@@ -212,6 +212,7 @@
LIB_SETUP_ALSA
LIB_SETUP_FONTCONFIG
@@ -8,8 +8,8 @@
LIB_SETUP_STATIC_LINK_LIBSTDCPP
LIB_SETUP_ON_WINDOWS
---- openjdk/common/autoconf/libraries.m4 2021-12-04 07:42:42.465816095 +0100
-+++ openjdk/common/autoconf/libraries.m4 2021-12-04 07:43:01.237927592 +0100
+--- openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:13.864829794 +0100
++++ openjdk/common/autoconf/libraries.m4 2022-02-08 15:00:30.560949558 +0100
@@ -1334,3 +1334,63 @@
BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
fi
@@ -74,8 +74,8 @@
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
---- openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:42:42.465816095 +0100
-+++ openjdk/common/autoconf/spec.gmk.in 2021-12-04 07:43:01.249927665 +0100
+--- openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:13.864829794 +0100
++++ openjdk/common/autoconf/spec.gmk.in 2022-02-08 15:00:30.560949558 +0100
@@ -313,6 +313,10 @@
ALSA_LIBS:=@ALSA_LIBS@
ALSA_CFLAGS:=@ALSA_CFLAGS@
@@ -87,8 +87,8 @@
PACKAGE_PATH=@PACKAGE_PATH@
# Source file for cacerts
---- openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:42:42.465816095 +0100
-+++ openjdk/common/bin/compare_exceptions.sh.incl 2021-12-04 07:43:01.261927736 +0100
+--- openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:13.864829794 +0100
++++ openjdk/common/bin/compare_exceptions.sh.incl 2022-02-08 15:00:30.560949558 +0100
@@ -280,6 +280,7 @@
./jre/lib/i386/libsplashscreen.so
./jre/lib/i386/libsunec.so
@@ -121,8 +121,8 @@
./jre/lib/sparcv9/libunpack.so
./jre/lib/sparcv9/libverify.so
./jre/lib/sparcv9/libzip.so
---- openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:42:42.469816118 +0100
-+++ openjdk/common/nb_native/nbproject/configurations.xml 2021-12-04 07:43:01.265927761 +0100
+--- openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:13.868829822 +0100
++++ openjdk/common/nb_native/nbproject/configurations.xml 2022-02-08 15:00:30.564949586 +0100
@@ -53,6 +53,9 @@
jvmtiEnterTrace.cpp
@@ -145,8 +145,8 @@
- attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = P11ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:00:17.144853321 +0100
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2022-02-08 15:03:03.350045534 +0100
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
@@ -562,17 +894,63 @@
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
-@@ -58,6 +60,9 @@
+@@ -58,6 +63,29 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -379,6 +384,24 @@
+@@ -320,10 +348,15 @@
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -339,7 +372,7 @@
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -379,6 +412,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
@@ -597,8 +975,156 @@
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
---- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:42:43.825824124 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2021-12-04 07:43:01.293927930 +0100
+--- openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:00:17.148853350 +0100
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2022-02-08 15:03:03.350045534 +0100
+@@ -49,6 +49,7 @@
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -147,17 +148,29 @@
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
++ } else {
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
++ }
+ if (omitInitialize == false) {
+ try {
+ pkcs11.C_Initialize(pInitArgs);
+@@ -1905,4 +1918,69 @@
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+--- openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:00:17.152853378 +0100
++++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java 2022-02-08 15:03:03.350045534 +0100
+@@ -33,8 +33,13 @@
+
+ import javax.net.ssl.*;
+
++import sun.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@
+ keyManager = new X509KeyManagerImpl(
+ Collections.emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+--- openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:17.152853378 +0100
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java 2022-02-08 15:00:30.568949614 +0100
@@ -31,6 +31,7 @@
import java.security.cert.*;
import java.util.*;
@@ -673,8 +1199,8 @@
return new ProtocolVersion[]{
ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
---- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:42:43.825824124 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2021-12-04 07:43:01.293927930 +0100
+--- openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:17.156853408 +0100
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SunJSSE.java 2022-02-08 15:00:30.568949614 +0100
@@ -30,6 +30,8 @@
import java.security.*;
@@ -698,9 +1224,9 @@
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) {
---- openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:42:43.901824572 +0100
-+++ openjdk/jdk/src/share/lib/security/java.security-linux 2021-12-04 07:43:01.297927954 +0100
-@@ -77,6 +77,14 @@
+--- openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:17.300854441 +0100
++++ openjdk/jdk/src/share/lib/security/java.security-linux 2022-02-08 15:00:30.568949614 +0100
+@@ -80,6 +80,14 @@
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
@@ -715,7 +1241,7 @@
# Sun Provider SecureRandom seed source.
#
# Select the primary source of seed data for the "SHA1PRNG" and
-@@ -172,6 +180,11 @@
+@@ -175,6 +183,11 @@
keystore.type=jks
#
@@ -728,7 +1254,7 @@
#
# When set to 'true', the JKS keystore type supports loading
--- openjdk/jdk/src/solaris/native/java/security/systemconf.c 1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2021-12-04 07:43:01.297927954 +0100
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c 2022-02-08 15:00:30.568949614 +0100
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
diff --git a/java-1_8_0-openjdk.changes b/java-1_8_0-openjdk.changes
index 2b66432..885397b 100644
--- a/java-1_8_0-openjdk.changes
+++ b/java-1_8_0-openjdk.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Feb 9 14:51:51 UTC 2022 - Fridrich Strba
+
+- Removed patch:
+ * comment-nss-security-provider.patch
+ + there is a configure-time option to do exactly the same thing
+- Modified patch:
+ * fips.patch
+ + allow plain key import, unless disabled with
+ -Dcom.suse.fips.plainKeySupport=false command-line option
+
-------------------------------------------------------------------
Sat Dec 4 07:23:12 UTC 2021 - Fridrich Strba
diff --git a/java-1_8_0-openjdk.spec b/java-1_8_0-openjdk.spec
index 619ce30..3583c10 100644
--- a/java-1_8_0-openjdk.spec
+++ b/java-1_8_0-openjdk.spec
@@ -1,7 +1,7 @@
#
# spec file for package java-1_8_0-openjdk
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -198,7 +198,6 @@ Patch2001: disable-doclint-by-default.patch
Patch2002: JDK_1_8_0-8208602.patch
Patch3000: tls13extensions.patch
Patch4000: riscv64-zero.patch
-Patch5000: comment-nss-security-provider.patch
Patch5001: fips.patch
BuildRequires: alsa-lib-devel
BuildRequires: autoconf
@@ -455,7 +454,7 @@ sh autogen.sh
--with-tzdata-dir=%{_datadir}/javazi \
--with-pkgversion="build %{javaver}_%{updatever}-b%{buildver} suse-%{release}-%{_arch}" \
--with-jdk-home="%{_sysconfdir}/alternatives/java_sdk" \
- --enable-nss \
+ --disable-nss \
--enable-sysconf-nss \
--enable-non-nss-curves \
%if %{with bootstrap}
@@ -542,7 +541,6 @@ patch -p0 -i %{PATCH3000}
patch -p0 -i %{PATCH4000}
-patch -p0 -i %{PATCH5000}
patch -p0 -i %{PATCH5001}
(cd openjdk/common/autoconf