From 6b6820f4858dc8b62f8cf1f5fcc60e3661c2ff58 Mon Sep 17 00:00:00 2001 From: anolis-bot Date: Thu, 20 Apr 2023 13:26:28 +0800 Subject: [PATCH] update to java-17-openjdk-17.0.7.0.7-1.el8_7 Signed-off-by: anolis-bot --- NEWS | 692 +++++- TestTranslations.java | 32 +- dist | 2 +- download | 2 +- ...a9ccc5.patch => fips-17u-bf363eecce3.patch | 2059 +++++++++++++++-- java-17-openjdk.spec | 391 +++- jdk8274864-remove_amman_cairo_hacks.patch | 53 + jdk8275535-rh2053256-ldap_auth.patch | 26 - jdk8293834-kyiv_cldr_update.patch | 51 - jdk8294357-tzdata2022d.patch | 303 --- jdk8295173-tzdata2022e.patch | 420 ---- jdk8305113-tzdata2023c.patch | 1098 +++++++++ nss.fips.cfg.in | 8 - remove-intree-libraries.sh | 11 +- 14 files changed, 4008 insertions(+), 1140 deletions(-) rename fips-17u-0bd5ca9ccc5.patch => fips-17u-bf363eecce3.patch (75%) create mode 100644 jdk8274864-remove_amman_cairo_hacks.patch delete mode 100644 jdk8275535-rh2053256-ldap_auth.patch delete mode 100644 jdk8293834-kyiv_cldr_update.patch delete mode 100644 jdk8294357-tzdata2022d.patch delete mode 100644 jdk8295173-tzdata2022e.patch create mode 100644 jdk8305113-tzdata2023c.patch delete mode 100644 nss.fips.cfg.in diff --git a/NEWS b/NEWS index b1f281d..8807249 100644 --- a/NEWS +++ b/NEWS @@ -3,10 +3,681 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.7 (2023-04-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1707 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-6779701: Wrong defect ID in the code of test LocalRMIServerSocketFactoryTest.java + - JDK-8008243: Zero: Implement fast bytecodes + - JDK-8048190: NoClassDefFoundError omits original ExceptionInInitializerError + - JDK-8065097: [macosx] javax/swing/Popup/TaskbarPositionTest.java fails because Popup is one pixel off + - JDK-8144030: [macosx] test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again) + - JDK-8155246: Throw error if default java.security file is missing + - JDK-8186765: Speed up test sun/net/www/protocol/https/HttpsClient/ProxyAuthTest.java + - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails + - JDK-8195809: [TESTBUG] jps and jcmd -l support for containers is not tested + - JDK-8208077: File.listRoots performance degradation + - JDK-8209935: Test to cover CodeSource.getCodeSigners() + - JDK-8210927: JDB tests do not update source path after doing a redefine class + - JDK-8212961: [TESTBUG] vmTestbase/nsk/stress/jni/ native code cleanup + - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails + - JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections + - JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize, should be used in TEST.properties + - JDK-8231491: JDI tc02x004 failed again due to wrong # of breakpoints + - JDK-8235297: sun/security/ssl/SSLSessionImpl/ResumptionUpdateBoundValues.java fails intermittent + - JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out after 8 minutes + - JDK-8242115: C2 SATB barriers are not safepoint-safe + - JDK-8244669: convert clhsdb "mem" command from javascript to java + - JDK-8245654: Add Certigna Root CA + - JDK-8251177: [macosx] The text "big" is truncated in JTabbedPane + - JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" + - JDK-8258512: serviceability/sa/TestJmapCore.java timed out on macOS 10.13.6 + - JDK-8262386: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out + - JDK-8266974: duplicate property key in java.sql.rowset resource bundle + - JDK-8267038: Update IANA Language Subtag Registry to Version 2022-03-02 + - JDK-8270156: Add "randomness" and "stress" keys to JTreg tests which use StressGCM, StressLCM and/or StressIGVN + - JDK-8270476: Make floating-point test infrastructure more lambda and method reference friendly + - JDK-8271471: [IR Framework] Rare occurrence of "" in PrintIdeal/PrintOptoAssembly can let tests fail + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8272702: Resolving URI relative path with no / may lead to incorrect toString + - JDK-8272985: Reference discovery is confused about atomicity and degree of parallelism + - JDK-8273154: Provide a JavadocTester method for non-overlapping, unordered output matching + - JDK-8273410: IR verification framework fails with "Should find method name in validIrRulesMap" + - JDK-8274911: testlibrary_tests/ir_framework/tests/TestIRMatching.java fails with "java.lang.RuntimeException: Should have thrown exception" + - JDK-8275173: testlibrary_tests/ir_framework/tests/TestCheckedTests.java fails after JDK-8274911 + - JDK-8275301: Unify C-heap buffer overrun checks into NMT + - JDK-8275320: NMT should perform buffer overrun checks + - JDK-8275582: Don't purge metaspace mapping lists + - JDK-8275704: Metaspace::contains() should be threadsafe + - JDK-8275843: Random crashes while the UI code is executed + - JDK-8276064: CheckCastPP with raw oop input floats below a safepoint + - JDK-8276086: Increase size of metaspace mappings + - JDK-8277485: Zero: Fix _fast_{i,f}access_0 bytecodes handling + - JDK-8277822: Remove debug-only heap overrun checks in os::malloc and friends + - JDK-8277946: NMT: Remove VM.native_memory shutdown jcmd command option + - JDK-8277990: NMT: Remove NMT shutdown capability + - JDK-8278961: Enable debug logging in java/net/DatagramSocket/SendDatagramToBadAddress.java + - JDK-8279024: Remove javascript references from clhsdb.html + - JDK-8279119: src/jdk.hotspot.agent/doc/index.html file contains references to scripts that no longer exist + - JDK-8279351: [TESTBUG] SADebugDTest.java does not handle "Address already in use" error + - JDK-8279614: The left line of the TitledBorder is not painted on 150 scale factor + - JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 + - JDK-8280048: Missing comma in copyright header + - JDK-8280132: Incorrect comparator com.sun.beans.introspect.MethodInfo.MethodOrder + - JDK-8280166: Extend java/lang/instrument/GetObjectSizeIntrinsicsTest.java test cases + - JDK-8280553: resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java can fail if GC occurs + - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption + - JDK-8280784: VM_Cleanup unnecessarily processes all thread oops + - JDK-8280868: LineBodyHandlerTest.java creates and discards too many clients + - JDK-8280889: java/lang/instrument/GetObjectSizeIntrinsicsTest.java fails with -XX:-UseCompressedOops + - JDK-8280896: java/nio/file/Files/probeContentType/Basic.java fails on Windows 11 + - JDK-8281122: [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 + - JDK-8281170: Test jdk/tools/jpackage/windows/WinInstallerIconTest always fails on Windows 11 + - JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java to stop HttpServer cleanly in case of exceptions + - JDK-8282143: Objects.requireNonNull should be ForceInline + - JDK-8282577: ICC_Profile.setData(int, byte[]) invalidates the profile + - JDK-8282771: Create test case for JDK-8262981 + - JDK-8282958: Rendering Issues with Borders on Windows High-DPI systems + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/thread001 failed due to SocketTimeoutException + - JDK-8283719: java/util/logging/CheckZombieLockTest.java failing intermittently + - JDK-8283870: jdeprscan --help causes an exception when the locale is ja, zh_CN or de + - JDK-8284115: [IR Framework] Compilation is not found due to rare safepoint while dumping PrintIdeal/PrintOptoAssembly + - JDK-8284165: Add pid to process reaper thread name + - JDK-8284524: Create an automated test for JDK-4422362 + - JDK-8284726: Print active locale settings in hs_err reports and in VM.info + - JDK-8284767: Create an automated test for JDK-4422535 + - JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432 + - JDK-8285690: CloneableReference subtest should not throw CloneNotSupportedException + - JDK-8285755: JDK-8285093 changed the default for --with-output-sync + - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work + - JDK-8285919: Remove debug printout from JDK-8285093 + - JDK-8285965: TestScenarios.java does not check for "" correctly + - JDK-8286030: Avoid JVM crash when containers share the same /tmp dir + - JDK-8286154: Fix 3rd party notices in test files + - JDK-8286562: GCC 12 reports some compiler warnings + - JDK-8286694: Incorrect argument processing in java launcher + - JDK-8286705: GCC 12 reports use-after-free potential bugs + - JDK-8286707: JFR: Don't commit JFR internal jdk.JavaMonitorWait events + - JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too strong + - JDK-8286844: com/sun/jdi/RedefineCrossEvent.java failed with 1 threads completed while VM suspended + - JDK-8286873: Improve websocket test execution time + - JDK-8286962: java/net/httpclient/ServerCloseTest.java failed once with ConnectException + - JDK-8287180: Update IANA Language Subtag Registry to Version 2022-08-08 + - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency + - JDK-8287491: compiler/jvmci/errors/TestInvalidDebugInfo.java fails new assert: assert((uint)t < T_CONFLICT + 1) failed: invalid type # + - JDK-8287593: ShortResponseBody could be made more resilient to rogue connections + - JDK-8287754: Update jib GNU make dependency on Windows to latest cygwin build + - JDK-8288005: HotSpot build with disabled PCH fails for Windows AArch64 + - JDK-8288130: compiler error with AP and explicit record accessor + - JDK-8288332: Tier1 validate-source fails after 8279614 + - JDK-8288415: java/awt/PopupMenu/PopupMenuLocation.java is unstable in MacOS machines + - JDK-8288854: getLocalGraphicsEnvironment() on for multi-screen setups throws exception NPE + - JDK-8289400: Improve com/sun/jdi/TestScaffold error reporting + - JDK-8289440: Remove vmTestbase/nsk/monitoring/MemoryPoolMBean/isCollectionUsageThresholdExceeded/isexceeded003 from ProblemList.txt + - JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling + - JDK-8289511: Improve test coverage for XPath Axes: child + - JDK-8289647: AssertionError during annotation processing of record related tests + - JDK-8289948: Improve test coverage for XPath functions: Node Set Functions + - JDK-8290067: Show stack dimensions in UL logging when attaching threads + - JDK-8290083: ResponseBodyBeforeError: AssertionError or SSLException: Unsupported or unrecognized SSL message + - JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension + - JDK-8290322: Optimize Vector.rearrange over byte vectors for AVX512BW targets. + - JDK-8290836: Improve test coverage for XPath functions: String Functions + - JDK-8290837: Improve test coverage for XPath functions: Boolean Functions + - JDK-8290838: Improve test coverage for XPath functions: Number Functions + - JDK-8290850: C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph + - JDK-8290899: java/lang/String/StringRepeat.java test requests too much heap on windows x86 + - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" + - JDK-8291825: java/time/nontestng/java/time/zone/CustomZoneNameTest.java fails if defaultLocale and defaultFormatLocale are different + - JDK-8292033: Move jdk.X509Certificate event logic to JCA layer + - JDK-8292066: Convert TestInputArgument.sh and TestSystemLoadAvg.sh to java version + - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded + - JDK-8292177: InitialSecurityProperty JFR event + - JDK-8292285: C2: remove unreachable block after NeverBranch-to-Goto conversion + - JDK-8292297: Fix up loading of override java.security properties file + - JDK-8292328: AccessibleActionsTest.java test instruction for show popup on JLabel did not specify shift key + - JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases + - JDK-8292602: ZGC: C2 late barrier analysis uses invalid dominator information + - JDK-8292660: C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly + - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" + - JDK-8292877: java/util/concurrent/atomic/Serial.java uses {Double,Long}Accumulator incorrectly + - JDK-8293000: Review running times of jshell regression tests + - JDK-8293326: jdk/sun/security/tools/jarsigner/compatibility/SignTwice.java slow on Windows + - JDK-8293466: libjsig should ignore non-modifying sigaction calls + - JDK-8293493: Signal Handlers printout should show signal block state + - JDK-8293531: C2: some vectorapi tests fail assert "Not monotonic" with flag -XX:TypeProfileLevel=222 + - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections + - JDK-8293691: converting a defined BasicType value to a string should not crash the VM + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with "RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG" + - JDK-8293965: Code signing warnings after JDK-8293550 + - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop + - JDK-8294160: misc crash dump improvements + - JDK-8294217: Assertion failure: parsing found no loops but there are some + - JDK-8294310: compare.sh fails on macos after JDK-8293550 + - JDK-8294378: URLPermission constructor exception when using tr locale + - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() + - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 + - JDK-8294580: frame::interpreter_frame_print_on() crashes if free BasicObjectLock exists in frame + - JDK-8294677: chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications + - JDK-8294705: Disable an assertion in test/jdk/java/util/DoubleStreamSums/CompensatedSums.java + - JDK-8294902: Undefined Behavior in C2 regalloc with null references + - JDK-8294947: Use 64bit atomics in patch_verified_entry on x86_64 + - JDK-8294958: java/net/httpclient/ConnectTimeout tests are slow + - JDK-8295000: java/util/Formatter/Basic test cleanup + - JDK-8295066: Folding of loads is broken in C2 after JDK-8242115 + - JDK-8295116: C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead + - JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you should use literals" + - JDK-8295413: com/sun/jdi/EATests.java fails with compiler flag -XX:+StressReflectiveCode + - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8295685: Update Libpng to 1.6.38 + - JDK-8295724: VirtualMachineError: Out of space in CodeCache for method handle intrinsic + - JDK-8295774: Write a test to verify List sends ItemEvent/ActionEvent + - JDK-8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver + - JDK-8295788: C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" + - JDK-8296136: Use correct register in aarch64_enc_fast_unlock() + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296329: jar validator doesn't account for minor class file version + - JDK-8296389: C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors + - JDK-8296548: Improve MD5 intrinsic for x86_64 + - JDK-8296611: Problemlist several sun/security tests until JDK-8295343 is resolved + - JDK-8296619: Upgrade jQuery to 3.6.1 + - JDK-8296675: Exclude linux-aarch64 in NSS tests + - JDK-8296878: Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters + - JDK-8296904: Improve handling of macos xcode toolchain + - JDK-8296912: C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 + - JDK-8296924: C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address + - JDK-8297088: Update LCMS to 2.14 + - JDK-8297211: Expensive fillInStackTrace operation in HttpURLConnection.getOutputStream0 when no content-length in response + - JDK-8297259: Bump update version for OpenJDK: jdk-17.0.7 + - JDK-8297264: C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top + - JDK-8297431: [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception + - JDK-8297437: javadoc cannot link to old docs (with old style anchors) + - JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses result - NULL check + - JDK-8297489: Modify TextAreaTextEventTest.java as to verify the content change of TextComponent sends TextEvent + - JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check + - JDK-8297569: URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 + - JDK-8297642: PhaseIdealLoop::only_has_infinite_loops must detect all loops that never lead to termination + - JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + - JDK-8297959: Provide better descriptions for some Operating System JFR events + - JDK-8297963: Partially fix string expansion issues in UTIL_DEFUN_NAMED and related macros + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298035: Provide better descriptions for JIT compiler JFR events + - JDK-8298073: gc/metaspace/CompressedClassSpaceSizeInJmapHeap.java causes test task timeout on macosx + - JDK-8298093: improve cleanup and error handling of awt_parseColorModel in awt_parseImage.c + - JDK-8298108: Add a regression test for JDK-8297684 + - JDK-8298129: Let checkpoint event sizes grow beyond u4 limit + - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8298459: Fix msys2 linking and handling out of tree build directory for source zip creation + - JDK-8298472: AArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options + - JDK-8298527: Cygwin's uname -m returns different string than before + - JDK-8298568: Fastdebug build fails after JDK-8296389 + - JDK-8298588: WebSockets: HandshakeUrlEncodingTest unnecessarily depends on a response body + - JDK-8298649: JFR: RemoteRecordingStream support for checkpoint event sizes beyond u4 + - JDK-8298726: (fs) Change PollingWatchService to record last modified time as FileTime rather than milliseconds + - JDK-8298947: compiler/codecache/MHIntrinsicAllocFailureTest.java fails intermittently + - JDK-8299015: Ensure that HttpResponse.BodySubscribers.ofFile writes all bytes + - JDK-8299018: java/net/httpclient/HttpsTunnelAuthTest.java fails with java.io.IOException: HTTP/1.1 header parser received no bytes + - JDK-8299194: CustomTzIDCheckDST.java may fail at future date + - JDK-8299296: Write a test to verify the components selection sends ItemEvent + - JDK-8299388: java/util/regex/NegativeArraySize.java fails on Alpine and sometimes Windows + - JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299470: sun/jvm/hotspot/SALauncher.java handling of negative rmiport args + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299497: Usage of constructors of primitive wrapper classes should be avoided in java.desktop API docs + - JDK-8299520: TestPrintXML.java output error messages in case compare fails + - JDK-8299597: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.7 + - JDK-8299657: sun/tools/jhsdb/SAGetoptTest.java fails after 8299470 + - JDK-8299671: Speed up compiler/intrinsics/string/TestStringLatin1IndexOfChar.java + - JDK-8299789: Compilation of gtest causes build to fail if runtime libraries are in different dirs + - JDK-8299957: Enhance error logging in instrument coding with additional jplis_assert_msg + - JDK-8299970: Speed up compiler/arraycopy/TestArrayCopyConjoint.java + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8300205: Swing test bug8078268 make latch timeout configurable + - JDK-8300266: Detect Virtualization on Linux aarch64 + - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 + - JDK-8300590: [JVMCI] BytecodeFrame.equals is broken + - JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8300692: GCC 12 reports some compiler warnings in bundled freetype + - JDK-8300751: [17u] Remove duplicate entry in javac.properties + - JDK-8300773: Address the inconsistency between the constant array and pool size + - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns + - JDK-8301342: Prefer ArrayList to LinkedList in LayoutComparator + - JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build JDK 11.0.18 + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8301842: JFR: increase checkpoint event size for stacktrace and string pool + - JDK-8302152: Speed up tests with infinite loops, sleep less + - JDK-8302692: [17u] Update GHA Boot JDK to 17.0.6 + - JDK-8302879: doc/building.md update link to jtreg builds + - JDK-8304871: Use default visibility for static library builds + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + +JDK-8292177: New JFR Event: jdk.InitialSecurityProperty +======================================================= +The initial security properties loaded by the java.security.Security class +are now accessible in the new JFR event, `jdk.InitialSecurityProperty`. + +The event contains two fields: + +* key - the security property key +* value - the corresponding security property value + +The combination of this new event and the existing +`jdk.SecurityPropertyModification` event means that security +properties can now be monitored throughout their lifecycle. + +The initial security properties are now also printed to the standard +error output stream when `-Djava.security.debug=properties` is passed +to the Java virtual machine. + +JDK-8155246: Throw Error If Default java.security File Fails to Load +==================================================================== +A hardcoded set of security properties was used in previous releases +when the `java.security` file could not be loaded. This set of +properties were poorly maintained and it was not obvious to the user +that they were being utilised. This release instead throws an +`InternalError` if the `java.security` file can not be loaded. + +core-libs/java.io: + +JDK-8208077: File::listRoots Changed To Return All Available Drives On Windows +============================================================================== +The `java.io.File.listRoots()` method on Windows systems filtered out disk +drives that could not be accessed or did not have media loaded. The +use of this filtering led to observable performance issues. This release +now returns all available disk drives, unfiltered. + +New in release OpenJDK 17.0.6 (2023-01-17): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk1706 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html + +* CVEs + - CVE-2023-21835 + - CVE-2023-21843 +* Security fixes + - JDK-8286070: Improve UTF8 representation + - JDK-8286496: Improve Thread labels + - JDK-8287411: Enhance DTLS performance + - JDK-8288516: Enhance font creation + - JDK-8289350: Better media supports + - JDK-8293554: Enhanced DH Key Exchanges + - JDK-8293598: Enhance InetAddress address handling + - JDK-8293717: Objective view of ObjectView + - JDK-8293734: Improve BMP image handling + - JDK-8293742: Better Banking of Sounds + - JDK-8295687: Better BMP bounds +* Other changes + - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails + - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails + - JDK-8029633: Raw inner class constructor ref should not perform diamond inference + - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails + - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled + - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java + - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout + - JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails + - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' + - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" + - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs + - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos + - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos + - JDK-8244670: convert clhsdb "whatis" command from javascript to java + - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. + - JDK-8255439: System Tray icons get corrupted when Windows scaling changes + - JDK-8256811: Delayed/missed jdwp class unloading events + - JDK-8257722: Improve "keytool -printcert -jarfile" output + - JDK-8262721: Add Tests to verify single iteration loops are properly optimized + - JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) operation + - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint + - JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al + - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java + - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" + - JDK-8268276: Base64 Decoding optimization for x86 using AVX-512 + - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out + - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" + - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs + - JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512 + - JDK-8269571: NMT should print total malloc bytes and invocation count + - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) + - JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter + - JDK-8270155: ARM32: Improve register dump in hs_err + - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction + - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns. + - JDK-8270947: AArch64: C1: use zero_words to initialize all objects + - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts + - JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah + - JDK-8271956: AArch64: C1 build failed after JDK-8270947 + - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" + - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 + - JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag + - JDK-8272776: NullPointerException not reported + - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 + - JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains + - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java + - JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 + - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints + - JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long + - JDK-8273459: Update code segment alignment to 64 bytes + - JDK-8273497: building.md should link to both md and html + - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 + - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 + - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction + - JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled + - JDK-8273881: Metaspace: test repeated deallocations + - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java + - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI + - JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high + - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS + - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java + - JDK-8274527: Minimal VM build fails after JDK-8273459 + - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + - JDK-8274903: Zero: Support AsyncGetCallTrace + - JDK-8275170: Some jtreg sound tests should be marked with sound keyword + - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList + - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + - JDK-8275569: Add linux-aarch64 to test-make profiles + - JDK-8276108: Wrong instruction generation in aarch64 backend + - JDK-8276904: Optional.toString() is unnecessarily expensive + - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" + - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 + - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 + - JDK-8277358: Accelerate CRC32-C + - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check + - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 + - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 + - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 + - JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size + - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 + - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" + - JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing) + - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore + - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" + - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out + - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC + - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails + - JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines + - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes + - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 + - JDK-8280391: NMT: Correct NMT tag on CollectedHeap + - JDK-8280511: AArch64: Combine shift and negate to a single instruction + - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered + - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object + - JDK-8280872: Reorder code cache segments to improve code density + - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR + - JDK-8280948: Write a regression test for JDK-4659800 + - JDK-8281296: Create a regression test for JDK-4515999 + - JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points + - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores + - JDK-8282276: Problem list failing two Robot Screen Capture tests + - JDK-8282347: AARCH64: Untaken branch in has_negatives stub + - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired + - JDK-8282402: Create a regression test for JDK-4666101 + - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template + - JDK-8282528: AArch64: Incorrect replicate2L_zero rule + - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary + - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 + - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure + - JDK-8282777: Create a Regression test for JDK-4515031 + - JDK-8282857: Create a regression test for JDK-4702690 + - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 + - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup + - JDK-8283298: Make CodeCacheSegmentSize a product flag + - JDK-8283337: Posix signal handler modification warning triggering incorrectly + - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 + - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name + - JDK-8283999: Update JMH devkit to 1.35 + - JDK-8284533: Improve InterpreterCodelet data footprint + - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" + - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X + - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation + - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" + - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently + - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot + - JDK-8285093: Introduce UTIL_ARG_WITH + - JDK-8285305: Create an automated test for JDK-4495286 + - JDK-8285373: Create an automated test for JDK-4702233 + - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" + - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java + - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java + - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox + - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment + - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" + - JDK-8286172: Create an automated test for JDK-4516019 + - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3" + - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable + - JDK-8286452: The array length of testSmallConstArray should be small and const + - JDK-8286460: Remove dependence on JAR filename in CDS tests + - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 + - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 + - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray + - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows + - JDK-8286872: Refactor add/modify notification icon (TrayIcon) + - JDK-8287011: Improve container information + - JDK-8287076: Document.normalizeDocument() produces different results + - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance + - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path + - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative + - JDK-8287740: NSAccessibilityShowMenuAction not working for text editors + - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile + - JDK-8288132: Update test artifacts in QuoVadis CA interop tests + - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces + - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable + - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding + - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name + - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support + - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output + - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented + - JDK-8289301: P11Cipher should not throw out of bounds exception during padding + - JDK-8289524: Add JFR JIT restart event + - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException + - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https + - JDK-8290207: Missing notice in dom.md + - JDK-8290209: jcup.md missing additional text + - JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier() + - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 + - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure + - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes + - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS + - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" + - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize + - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses + - JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false" + - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM + - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false + - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 + - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) + - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 + - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath + - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region + - JDK-8292083: Detected container memory limit may exceed physical machine memory + - JDK-8292158: AES-CTR cipher state corruption with AVX-512 + - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out + - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle + - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update + - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library + - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free + - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h + - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures + - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading + - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java + - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 + - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform + - JDK-8292903: enhance round_up_power_of_2 assertion output + - JDK-8293010: JDI ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking + - JDK-8293044: C1: Missing access check on non-accessible class + - JDK-8293232: Fix race condition in pkcs11 SessionManager + - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if + - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint + - JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx + - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries + - JDK-8293578: Duplicate ldc generated by javac + - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" + - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details + - JDK-8293672: Update freetype md file + - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present + - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception + - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation + - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent + - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 + - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + - JDK-8293834: Update CLDR data following tzdata 2022c update + - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum + - JDK-8293965: Code signing warnings after JDK-8293550 + - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294310: compare.sh fails on macos after JDK-8293550 + - JDK-8294357: (tz) Update Timezone Data to 2022d + - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode + - JDK-8294740: Add cgroups keyword to TestDockerBasic.java + - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md + - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator + - JDK-8295173: (tz) Update Timezone Data to 2022e + - JDK-8295288: Some vm_flags tests associate with a wrong BugID + - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests + - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8295419: JFR: Change name of jdk.JitRestart + - JDK-8295429: Update harfbuzz md file + - JDK-8295469: S390X: Optimized builds are broken + - JDK-8295554: Move the "sizecalc.h" to the correct location + - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8295714: GHA ::set-output is deprecated and will be removed + - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error + - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor + - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 + - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM + - JDK-8296108: (tz) Update Timezone Data to 2022f + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing + - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent + - JDK-8296715: CLDR v42 update for tzdata 2022f + - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect + - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds + - JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value + - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 + - JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes + - JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool + - JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField + - JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod + - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used + - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again + - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java + - JDK-8297309: Memory leak in ShenandoahFullGC + - JDK-8297481: Create a regression test for JDK-4424517 + - JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation + - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run + - JDK-8297656: AArch64: Enable AES/GCM Intrinsics + - JDK-8297804: (tz) Update Timezone Data to 2022g + - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + +Notes on individual issues: +=========================== + +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + +client-libs/javax.sound: + +JDK-8293742: Better Banking of Sounds +===================================== +Previously, the SoundbankReader implementation, +`com.sun.media.sound.JARSoundbankReader`, would download a JAR +soundbank from a URL. This behaviour is now disabled by default. To +re-enable it, set the new system property `jdk.sound.jarsoundbank` to +`true`. + +security-libs/java.security: + +JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set +========================================================================================================== +Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to +hold principals and credentials so that it rejected null +values. Attempts to call add(null), contains(null) or remove(null) +were changed to throw a NullPointerException. + +However, the logout() methods in the LoginModule implementations +within the JDK were not updated to check for null values, which may +occur in the event of a failed login. As a result, a logout() call may +throw a NullPointerException. + +The LoginModule implementations have now been updated with such checks +and an implementation note added to the specification to suggest that +the same change is made in third party modules. Developers of third +party modules are advised to verify that their logout() method does not +throw a NullPointerException. + +security-libs/javax.net.ssl: + +JDK-8287411: Enhance DTLS performance +===================================== +The JDK now exchanges DTLS cookies for all handshakes, new and +resumed. The previous behaviour can be re-enabled by setting the new +system property `jdk.tls.enableDtlsResumeCookie` to `false`. + New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1705 + * https://bit.ly/openjdk1705 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html * Security fixes @@ -275,6 +946,17 @@ make it clear they map to the current user: * "Windows-MY-CURRENTUSER" (same as "Windows-MY") * "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + hotspot/runtime: JDK-8281181: CPU Shares Ignored When Computing Active Processor Count @@ -363,12 +1045,13 @@ Runtime to crash unpredictably. New in release OpenJDK 17.0.4 (2022-07-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1704 + * https://bit.ly/openjdk1704 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt * Security fixes - JDK-8272243: Improve DER parsing - JDK-8272249: Better properties of loaded Properties + - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions - JDK-8277608: Address IP Addressing - JDK-8281859, CVE-2022-21540: Improve class compilation - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations @@ -423,7 +1106,6 @@ Live versions of these release notes can be found at: - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests @@ -680,7 +1362,7 @@ the use of special devices such as `NUL:` New in release OpenJDK 17.0.3 (2022-04-19): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1703 + * https://bit.ly/openjdk1703 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt * Security fixes @@ -885,7 +1567,7 @@ An OCSP response signed with the RSASSA-PSS algorithm is now supported. New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: - * https://bitly.com/openjdk1702 + * https://bit.ly/openjdk1702 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt * Security fixes diff --git a/TestTranslations.java b/TestTranslations.java index dbea417..d87647a 100644 --- a/TestTranslations.java +++ b/TestTranslations.java @@ -30,7 +30,7 @@ import java.util.TimeZone; public class TestTranslations { - private static Map KYIV; + private static Map KYIV, CIUDAD_JUAREZ; static { Map map = new HashMap(); @@ -44,6 +44,18 @@ public class TestTranslations { "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); KYIV = Collections.unmodifiableMap(map); + + map = new HashMap(); + map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST", + "Mountain Daylight Time", "MDT", "MDT", + "Mountain Time", "MT", "MT"}); + map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", + "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", + "heure des Rocheuses", "UTC\u221207:00", "MT"}); + map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST", + "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", + "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); + CIUDAD_JUAREZ = Collections.unmodifiableMap(map); } @@ -53,7 +65,6 @@ public class TestTranslations { System.exit(1); } - String localeProvider = args[0]; System.out.println("Checking sanity of full zone string set..."); boolean invalid = Arrays.stream(Locale.getAvailableLocales()) .peek(l -> System.out.println("Locale: " + l)) @@ -68,9 +79,18 @@ public class TestTranslations { System.exit(2); } - for (Locale l : KYIV.keySet()) { - String[] expected = KYIV.get(l); - for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { + String localeProvider = args[0]; + testZone(localeProvider, KYIV, + new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }); + testZone(localeProvider, CIUDAD_JUAREZ, + new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" }); + } + + private static void testZone(String localeProvider, Map exp, String[] ids) { + for (Locale l : exp.keySet()) { + String[] expected = exp.get(l); + System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected)); + for (String id : ids) { String expectedShortStd = null; String expectedShortDST = null; String expectedShortGen = null; @@ -124,7 +144,7 @@ public class TestTranslations { } if (!expected[6].equals(longGen)) { - System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", id, l, longGen, expected[6]); System.exit(8); } diff --git a/dist b/dist index 0ee7539..535c690 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_6 +an8_7 diff --git a/download b/download index 56a8073..0a12ea2 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -fb02aac10a17256e9e19547bf6e53eff openjdk-jdk17u-jdk-17.0.5+8.tar.xz +c297d1aa575323f580491d993822dc37 openjdk-jdk17u-jdk-17.0.7+7.tar.xz 5d441d6217cc75372ca5a0943997cb24 tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/fips-17u-0bd5ca9ccc5.patch b/fips-17u-bf363eecce3.patch similarity index 75% rename from fips-17u-0bd5ca9ccc5.patch rename to fips-17u-bf363eecce3.patch index 86fb1ab..cd8565c 100644 --- a/fips-17u-0bd5ca9ccc5.patch +++ b/fips-17u-bf363eecce3.patch @@ -1,9 +1,33 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 new file mode 100644 -index 00000000000..b2b1c1787da +index 00000000000..f48fc7f7e80 --- /dev/null +++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,84 @@ +@@ -0,0 +1,87 @@ +# +# Copyright (c) 2021, Red Hat, Inc. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da + # + # Check for the NSS library + # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) + -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no @@ -87,6 +113,7 @@ index 00000000000..b2b1c1787da + fi + fi + AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 index a65d91ee974..a8f054c1397 100644 @@ -109,20 +136,43 @@ index a65d91ee974..a8f054c1397 100644 BASIC_JDKLIB_LIBS="" if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index c2c9c4adf3a..9d105b37acf 100644 +index 537c3e3043c..16ad3df6f09 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -841,6 +841,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 4b894eeae4a..51567071aa8 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk index 5658ff342e5..c8bc5bde1e1 100644 --- a/make/modules/java.base/Lib.gmk @@ -1312,27 +1362,18 @@ index a020e1c15d8..3c064965e82 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index ff2bc942c03..96a3ba4040c 100644 +index 2477027969c..06b1b6c671c 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - +@@ -33,6 +33,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ +@@ -57,6 +58,11 @@ import sun.security.jca.*; public final class Security { @@ -1344,7 +1385,7 @@ index ff2bc942c03..96a3ba4040c 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { +@@ -74,6 +80,19 @@ public final class Security { } static { @@ -1364,26 +1405,19 @@ index ff2bc942c03..96a3ba4040c 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -84,6 +106,7 @@ public final class Security { +@@ -97,6 +116,7 @@ public final class Security { + private static void initialize() { props = new Properties(); - boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false; // first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -99,6 +122,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -193,6 +217,61 @@ public final class Security { +@@ -117,6 +137,60 @@ public final class Security { } + loadProps(null, extraPropFile, overrideAll); } - ++ + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { @@ -1403,9 +1437,7 @@ index ff2bc942c03..96a3ba4040c 100644 + } + } + -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { ++ if (systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { @@ -1439,15 +1471,27 @@ index ff2bc942c03..96a3ba4040c 100644 + "system security properties being enabled."); + } + } + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -124,10 +198,9 @@ public final class Security { + props.getProperty(key)); + } + } +- } - /* +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..98ffced455b +index 00000000000..9d26a54f5d4 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,249 @@ +@@ -0,0 +1,232 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1528,26 +1572,9 @@ index 00000000000..98ffced455b + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); + } + + /* @@ -1602,7 +1629,7 @@ index 00000000000..98ffced455b + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } @@ -1735,10 +1762,10 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index f6d3638c3dd..a1ee182d913 100644 +index ea28bb8747e..77161eb3844 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -39,6 +39,7 @@ import java.io.FilePermission; +@@ -40,6 +40,7 @@ import java.io.FilePermission; import java.io.ObjectInputStream; import java.io.RandomAccessFile; import java.security.ProtectionDomain; @@ -1746,7 +1773,7 @@ index f6d3638c3dd..a1ee182d913 100644 import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -81,6 +82,7 @@ public class SharedSecrets { +@@ -83,6 +84,7 @@ public class SharedSecrets { private static JavaSecuritySpecAccess javaSecuritySpecAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; @@ -1754,7 +1781,7 @@ index f6d3638c3dd..a1ee182d913 100644 public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -442,4 +444,15 @@ public class SharedSecrets { +@@ -457,4 +459,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1771,7 +1798,7 @@ index f6d3638c3dd..a1ee182d913 100644 + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index 63bb580eb3a..dbbf11bbb22 100644 +index fad70bdc058..29a813a485f 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -152,6 +152,8 @@ module java.base { @@ -1782,9 +1809,9 @@ index 63bb580eb3a..dbbf11bbb22 100644 + jdk.crypto.ec, jdk.jartool, jdk.jlink, - jdk.net, + jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..709d32912ca 100644 +index 912cad59714..7803e97f7ef 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -30,6 +30,7 @@ import java.net.*; @@ -1806,7 +1833,7 @@ index 912cad59714..709d32912ca 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -94,99 +99,101 @@ public final class SunEntries { +@@ -94,89 +99,92 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); @@ -1870,8 +1897,6 @@ index 912cad59714..709d32912ca 100644 - "sun.security.provider.DSA$SHA3_384withDSA", attrs); - addWithAlias(p, "Signature", "SHA3-512withDSA", - "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); + if (!systemFipsEnabled) { + /* + * SecureRandom engines @@ -1894,32 +1919,7 @@ index 912cad59714..709d32912ca 100644 + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", attrs); -- add(p, "Signature", "SHA1withDSAinP1363Format", -- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- attrs.remove("KeySize"); + /* + * Signature engines + */ @@ -1982,16 +1982,39 @@ index 912cad59714..709d32912ca 100644 + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ } + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); + /* + * Key Pair Generator engines + */ +@@ -184,9 +192,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); @@ -1999,7 +2022,7 @@ index 912cad59714..709d32912ca 100644 /* * Algorithm Parameter Generator engines -@@ -201,40 +208,42 @@ public final class SunEntries { +@@ -201,40 +211,42 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -2076,7 +2099,7 @@ index 912cad59714..709d32912ca 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..225517ac69b 100644 +index ca79f25cc44..a12fcbbd6e7 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -2098,19 +2121,7 @@ index ca79f25cc44..225517ac69b 100644 private void add(Provider p, String type, String algo, String cn, List aliases, HashMap attrs) { services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ } - +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { add(p, "KeyFactory", "RSA", "sun.security.rsa.RSAKeyFactory$Legacy", getAliases("PKCS1"), null); @@ -2193,18 +2204,6 @@ index ca79f25cc44..225517ac69b 100644 addA(p, "AlgorithmParameters", "RSASSA-PSS", "sun.security.rsa.PSSParameters", null); } -diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -index 6ffdfeda18d..82e896170f0 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -32,6 +32,7 @@ import java.security.cert.*; - import java.util.*; - import java.util.concurrent.locks.ReentrantLock; - import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java new file mode 100644 index 00000000000..dc8bc72fccb @@ -2509,10 +2508,10 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 6d91e3f8e4e..f357b630460 100644 +index fab52688c04..29337576f37 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -79,6 +79,16 @@ security.provider.tbd=Apple +@@ -82,6 +82,17 @@ security.provider.tbd=Apple #endif security.provider.tbd=SunPKCS11 @@ -2525,11 +2524,12 @@ index 6d91e3f8e4e..f357b630460 100644 +fips.provider.4=SunJSSE +fips.provider.5=SunJCE +fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false +@@ -292,6 +303,47 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 @@ -2537,11 +2537,47 @@ index 6d91e3f8e4e..f357b630460 100644 +# Default keystore type used when global crypto-policies are set to FIPS. +# +fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: + # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ +@@ -329,6 +381,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true @@ -2555,8 +2591,22 @@ index 6d91e3f8e4e..f357b630460 100644 # # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index b22f26947af..3ee2ce6ea88 100644 +index b22f26947af..02bea84e210 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy @@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { @@ -2575,6 +2625,15 @@ index b22f26947af..3ee2ce6ea88 100644 permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; +@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c new file mode 100644 index 00000000000..ddf9befe5bc @@ -2819,10 +2878,10 @@ index 00000000000..ddf9befe5bc +#endif diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 -index 00000000000..8cfa2734d4e +index 00000000000..d3f0bffb821 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,461 @@ +@@ -0,0 +1,457 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -2897,9 +2956,6 @@ index 00000000000..8cfa2734d4e + private static volatile Provider sunECProvider = null; + private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + -+ private static volatile KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + throws PKCS11Exception { + long keyID = -1; @@ -3144,8 +3200,7 @@ index 00000000000..8cfa2734d4e + CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, + CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); + RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( -+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey -+ ); ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); + CK_ATTRIBUTE attr; + if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { + attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); @@ -3284,6 +3339,162 @@ index 00000000000..8cfa2734d4e + } + } +} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java index 9b69072280e..5696b904979 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -3597,7 +3808,7 @@ index 00000000000..ae4262703e6 + +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java -index c98960f7fcc..c14319a5356 100644 +index 8d1b8ccb0ae..7ea9b4c5e7f 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java @@ -31,6 +31,7 @@ import java.security.*; @@ -3608,7 +3819,7 @@ index c98960f7fcc..c14319a5356 100644 import javax.crypto.spec.*; import static sun.security.pkcs11.TemplateManager.*; -@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -194,6 +195,130 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { return p11Key; } @@ -3637,9 +3848,11 @@ index c98960f7fcc..c14319a5356 100644 + } + + if (kdfData.kdfMech == CKM_PKCS5_PBKD2) { -+ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion; -+ if (P11Util.isNSS(token) || p11Ver.major < 2 || -+ p11Ver.major == 2 && p11Ver.minor < 40) { ++ CK_INFO p11Info = token.p11.getInfo(); ++ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion ++ : null); ++ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major < ++ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) { + // NSS keeps using the old structure beyond PKCS #11 v2.40 + ckMech = new CK_MECHANISM(kdfData.kdfMech, + new CK_PKCS5_PBKD2_PARAMS(password, salt, @@ -3737,7 +3950,7 @@ index c98960f7fcc..c14319a5356 100644 static void fixDESParity(byte[] key, int offset) { for (int i = 0; i < 8; i++) { int b = key[offset] & 0xfe; -@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -320,6 +445,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { keySpec = new SecretKeySpec(keyBytes, "DESede"); return engineGenerateSecret(keySpec); } @@ -3747,7 +3960,7 @@ index c98960f7fcc..c14319a5356 100644 } throw new InvalidKeySpecException ("Unsupported spec: " + keySpec.getClass().getName()); -@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { +@@ -373,6 +501,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { // see JCE spec protected SecretKey engineTranslateKey(SecretKey key) throws InvalidKeyException { @@ -3880,7 +4093,7 @@ index 262cfc062ad..72b64f72c0a 100644 Provider p = sun; if (p == null) { diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 112b639aa96..3e170b4c115 100644 +index aa35e8fa668..1855e5631bd 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -3893,7 +4106,7 @@ index 112b639aa96..3e170b4c115 100644 import java.util.*; import java.security.*; -@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; import com.sun.crypto.provider.ChaCha20Poly1305Parameters; @@ -3901,7 +4114,12 @@ index 112b639aa96..3e170b4c115 100644 import jdk.internal.misc.InnocuousThread; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; -@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; */ public final class SunPKCS11 extends AuthProvider { @@ -3935,11 +4153,43 @@ index 112b639aa96..3e170b4c115 100644 + fipsImportKey = fipsImportKeyTmp; + fipsExportKey = fipsExportKeyTmp; + } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -3960,7 +4210,7 @@ index 112b639aa96..3e170b4c115 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider { +@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, @@ -3975,32 +4225,7 @@ index 112b639aa96..3e170b4c115 100644 if (p11Info.cryptokiVersion.major < 2) { throw new ProviderException("Only PKCS#11 v2.0 and later " + "supported, library version is v" + p11Info.cryptokiVersion); -@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider { final String className; final List aliases; final int[] mechanisms; @@ -4021,7 +4246,7 @@ index 112b639aa96..3e170b4c115 100644 } private P11Service service(Token token, int mechanism) { return new P11Service -@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider { +@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider { private static void d(String type, String algorithm, String className, int[] m) { @@ -4054,7 +4279,7 @@ index 112b639aa96..3e170b4c115 100644 } private static void register(Descriptor d) { -@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider { +@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider { String P11Cipher = "sun.security.pkcs11.P11Cipher"; String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; @@ -4062,7 +4287,7 @@ index 112b639aa96..3e170b4c115 100644 String P11Signature = "sun.security.pkcs11.P11Signature"; String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; -@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider { +@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider { d(MAC, "SslMacSHA1", P11Mac, m(CKM_SSL3_SHA1_MAC)); @@ -4093,7 +4318,7 @@ index 112b639aa96..3e170b4c115 100644 d(KPG, "RSA", P11KeyPairGenerator, getAliases("PKCS1"), m(CKM_RSA_PKCS_KEY_PAIR_GEN)); -@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider { +@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider { d(SKF, "ChaCha20", P11SecretKeyFactory, m(CKM_CHACHA20_POLY1305)); @@ -4160,7 +4385,7 @@ index 112b639aa96..3e170b4c115 100644 // XXX attributes for Ciphers (supported modes, padding) dA(CIP, "ARCFOUR", P11Cipher, m(CKM_RC4)); -@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider { +@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider { d(CIP, "RSA/ECB/NoPadding", P11RSACipher, m(CKM_RSA_X_509)); @@ -4207,7 +4432,7 @@ index 112b639aa96..3e170b4c115 100644 d(SIG, "RawDSA", P11Signature, List.of("NONEwithDSA"), m(CKM_DSA)); -@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider { if (ds == null) { continue; } @@ -4229,7 +4454,60 @@ index 112b639aa96..3e170b4c115 100644 supportedAlgs.put(d, integerMech); continue; } -@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (token.isValid() == false) { + throw new NoSuchAlgorithmException("Token has been removed"); + } ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ ++ try { ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); ++ } ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); ++ } ++ } + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider { } else if (algorithm.endsWith("GCM/NoPadding") || algorithm.startsWith("ChaCha20-Poly1305")) { return new P11AEADCipher(token, algorithm, mechanism); @@ -4238,6 +4516,63 @@ index 112b639aa96..3e170b4c115 100644 } else { return new P11Cipher(token, algorithm, mechanism); } +@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index 9858a5faedf..e63585486d9 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + private static final long serialVersionUID = 2541527649100571747L; + +@@ -114,6 +118,10 @@ class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -232,7 +240,12 @@ class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (isLoggedIn(session) == false) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java index 88ff8a71fc3..47a2f97eddf 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java @@ -4581,7 +4916,7 @@ index 1f9c4d39f57..5e3c1b9d29f 100644 public String toString() { StringBuilder sb = new StringBuilder(); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..5fbf8addcba 100644 +index 5c0aacd1a67..d796aaa3075 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; @@ -4598,12 +4933,12 @@ index 5c0aacd1a67..5fbf8addcba 100644 private long pNativeData; -+ private CK_INFO pInfo; ++ private volatile CK_INFO pInfo; + /** * This method does the initialization of the native library. It is called * exactly once for this class. -@@ -145,23 +150,49 @@ public class PKCS11 { +@@ -145,23 +150,48 @@ public class PKCS11 { * @postconditions */ PKCS11(String pkcs11ModulePath, String functionListName) @@ -4611,9 +4946,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + throws IOException, PKCS11Exception { connect(pkcs11ModulePath, functionListName); this.pkcs11ModulePath = pkcs11ModulePath; -+ pInfo = C_GetInfo(); -+ } -+ + } + + /* + * Compatibility wrapper to allow this method to work as before + * when FIPS mode support is not active. @@ -4623,8 +4957,8 @@ index 5c0aacd1a67..5fbf8addcba 100644 + boolean omitInitialize) throws IOException, PKCS11Exception { + return getInstance(pkcs11ModulePath, functionList, + pInitArgs, omitInitialize, null, null); - } - ++ } ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { @@ -4657,7 +4991,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 } if (omitInitialize == false) { try { -@@ -179,6 +210,14 @@ public class PKCS11 { +@@ -179,6 +209,28 @@ public class PKCS11 { return pkcs11; } @@ -4666,13 +5000,27 @@ index 5c0aacd1a67..5fbf8addcba 100644 + * C_GetInfo. This structure represent Cryptoki library information. + */ + public CK_INFO getInfo() { -+ return pInfo; ++ CK_INFO lPInfo = pInfo; ++ if (lPInfo == null) { ++ synchronized (this) { ++ lPInfo = pInfo; ++ if (lPInfo == null) { ++ try { ++ lPInfo = C_GetInfo(); ++ pInfo = lPInfo; ++ } catch (PKCS11Exception e) { ++ // Some PKCS #11 tokens require initialization first. ++ } ++ } ++ } ++ } ++ return lPInfo; + } + /** * Connects this object to the specified PKCS#11 library. This method is for * internal use only. -@@ -1625,7 +1664,7 @@ public class PKCS11 { +@@ -1625,7 +1677,7 @@ public class PKCS11 { static class SynchronizedPKCS11 extends PKCS11 { SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) @@ -4681,7 +5029,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 super(pkcs11ModulePath, functionListName); } -@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } @@ -4877,7 +5225,7 @@ index 5c0aacd1a67..5fbf8addcba 100644 +} } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java -index d22844cfba8..9e02958b4b0 100644 +index 0d65ee26805..38fd4aff1f3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java @@ -1104,17 +1104,6 @@ public interface PKCS11Constants { @@ -4939,7 +5287,7 @@ index d22844cfba8..9e02958b4b0 100644 + /* (CKM_NSS + 32) */ = 0xCE534370L; } diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -index 666c5eb9b3b..5523dafcdb4 100644 +index d941b574cc7..e2de13648be 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c @@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, @@ -5583,3 +5931,1318 @@ index 8c9e4f9dbe6..883dc04758e 100644 } } +diff --git a/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +new file mode 100644 +index 00000000000..a184a169732 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Cipher/PBECipher.java +@@ -0,0 +1,233 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.math.BigInteger; ++import java.security.AlgorithmParameters; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based encryption on SunPKCS11's Cipher service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBECipher ++ */ ++ ++public final class PBECipher { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBECipher2.main(args); ++ } ++} ++ ++final class PBECipher2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final byte[] iv = new byte[16]; ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt and iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt and iterations through a AlgorithmParameters instance ++ AlgorithmParameters, ++ ++ // Provide salt and iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "PBEWithHmacSHA1AndAES_128", new BigInteger("8eebe98a580fb09d026" + ++ "dbfe60b3733b079e0de9ea7b0b1ccba011a1652d1e257", 16), ++ "PBEWithHmacSHA224AndAES_128", new BigInteger("1cbabdeb5d483af4a" + ++ "841942f4b1095b7d6f60e46fabfd2609c015adc38cc227", 16), ++ "PBEWithHmacSHA256AndAES_128", new BigInteger("4d82f6591df3508d2" + ++ "4531f06cdc4f90f4bdab7aeb07fbb57a3712e999d5b6f59", 16), ++ "PBEWithHmacSHA384AndAES_128", new BigInteger("3a0ed0959d51f40b9" + ++ "ba9f506a5277f430521f2fbe1ba94bae368835f221b6cb9", 16), ++ "PBEWithHmacSHA512AndAES_128", new BigInteger("1388287a446009309" + ++ "1418f4eca3ba1735b1fa025423d74ced36ce578d8ebf9da", 16), ++ "PBEWithHmacSHA1AndAES_256", new BigInteger("80f8208daab27ed02dd" + ++ "8a354ef6f23ff7813c84dd1c8a1b081d6f4dee27182a2", 16), ++ "PBEWithHmacSHA224AndAES_256", new BigInteger("7e3b9ce20aec2e52f" + ++ "f6c781602d4f79a55a88495b5217f1e22e1a068268e6247", 16), ++ "PBEWithHmacSHA256AndAES_256", new BigInteger("9d6a8b6a351dfd0dd" + ++ "9e9f45924b2860dca7719c4c07e207a64ebc1acd16cc157", 16), ++ "PBEWithHmacSHA384AndAES_256", new BigInteger("6f1b386cee3a8e2d9" + ++ "8c2e81828da0467dec8b989d22258efeab5932580d01d53", 16), ++ "PBEWithHmacSHA512AndAES_256", new BigInteger("30aaa346b2edd394f" + ++ "50916187876ac32f1287b19d55c5eea6f7ef9b84aaf291e", 16) ++ ); ++ ++ private static final class NoRandom extends SecureRandom { ++ @Override ++ public void nextBytes(byte[] bytes) { ++ return; ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", conf); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ Cipher pbeCipher = getCipher(sunPKCS11, algorithm, conf); ++ BigInteger cipherText = new BigInteger(1, pbeCipher.doFinal( ++ plainText.getBytes())); ++ printByteArray("Cipher Text", cipherText); ++ ++ BigInteger expectedCipherText = null; ++ if (sunJCE != null) { ++ Cipher c = getCipher(sunJCE, algorithm, conf); ++ if (c != null) { ++ expectedCipherText = new BigInteger(1, c.doFinal( ++ plainText.getBytes())); ++ } else { ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ if (expectedCipherText == null) { ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ expectedCipherText = assertionData.get(algorithm); ++ } ++ ++ if (!cipherText.equals(expectedCipherText)) { ++ printByteArray("Expected Cipher Text", expectedCipherText); ++ throw new Exception("Expected Cipher Text did not match"); ++ } ++ } ++ ++ private Cipher getCipher(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Cipher pbeCipher = null; ++ try { ++ pbeCipher = Cipher.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec, AlgorithmParameters -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ PBEParameterSpec paramSpec = new PBEParameterSpec( ++ salt, iterations, new IvParameterSpec(iv)); ++ switch (conf) { ++ case PBEParameterSpec -> { ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, paramSpec); ++ } ++ case AlgorithmParameters -> { ++ AlgorithmParameters algoParams = ++ AlgorithmParameters.getInstance("PBES2"); ++ algoParams.init(paramSpec); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, algoParams); ++ } ++ } ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbeCipher.init(Cipher.ENCRYPT_MODE, key, new NoRandom()); ++ } ++ } ++ return pbeCipher; ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return null; } // unused in PBE Cipher ++ public byte[] getEncoded() { ++ byte[] passwdBytes = new byte[password.length]; ++ for (int i = 0; i < password.length; i++) ++ passwdBytes[i] = (byte) (password[i] & 0x7f); ++ return passwdBytes; ++ } ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBECipher2 test = new PBECipher2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +new file mode 100644 +index 00000000000..360e11c339d +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/KeyStore/ImportKeyToP12.java +@@ -0,0 +1,137 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.io.ByteArrayInputStream; ++import java.io.ByteArrayOutputStream; ++import java.security.Key; ++import java.security.KeyStore; ++import java.security.KeyStoreException; ++import java.security.MessageDigest; ++import java.security.Provider; ++import java.security.Security; ++ ++import javax.crypto.spec.SecretKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test SunPKCS11's password based privacy and integrity ++ * applied to PKCS#12 keystores ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @modules java.base/sun.security.util ++ * @run main/othervm/timeout=30 -Dcom.redhat.fips=false -DNO_DEFAULT=true ImportKeyToP12 ++ */ ++ ++public final class ImportKeyToP12 { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ ImportKeyToP122.main(args); ++ } ++} ++ ++final class ImportKeyToP122 extends PKCS11Test { ++ private static final String alias = "alias"; ++ private static final char[] password = "123456".toCharArray(); ++ private static final Key key = new SecretKeySpec(new byte[] { ++ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, ++ 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf }, "AES"); ++ private static final String[] pbeCipherAlgs = new String[] { ++ "PBEWithHmacSHA1AndAES_128", "PBEWithHmacSHA224AndAES_128", ++ "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA384AndAES_128", ++ "PBEWithHmacSHA512AndAES_128", "PBEWithHmacSHA1AndAES_256", ++ "PBEWithHmacSHA224AndAES_256", "PBEWithHmacSHA256AndAES_256", ++ "PBEWithHmacSHA384AndAES_256", "PBEWithHmacSHA512AndAES_256" ++ }; ++ private static final String[] pbeMacAlgs = new String[] { ++ "HmacPBESHA1", "HmacPBESHA224", "HmacPBESHA256", ++ "HmacPBESHA384", "HmacPBESHA512" ++ }; ++ private static final KeyStore p12; ++ private static final String sep = ++ "========================================================================="; ++ ++ static { ++ KeyStore tP12 = null; ++ try { ++ tP12 = KeyStore.getInstance("PKCS12"); ++ } catch (KeyStoreException e) {} ++ p12 = tP12; ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ // Test all privacy PBE algorithms with an integrity algorithm fixed ++ for (String pbeCipherAlg : pbeCipherAlgs) { ++ testWith(sunPKCS11, pbeCipherAlg, pbeMacAlgs[0]); ++ } ++ // Test all integrity PBE algorithms with a privacy algorithm fixed ++ for (String pbeMacAlg : pbeMacAlgs) { ++ testWith(sunPKCS11, pbeCipherAlgs[0], pbeMacAlg); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ /* ++ * Consistency test: 1) store a secret key in a PKCS#12 keystore using ++ * PBE algorithms from SunPKCS11 and, 2) read the secret key from the ++ * PKCS#12 keystore using PBE algorithms from other security providers ++ * such as SunJCE. ++ */ ++ private void testWith(Provider sunPKCS11, String pbeCipherAlg, ++ String pbeMacAlg) throws Exception { ++ System.out.println(sep + System.lineSeparator() + ++ "Cipher PBE: " + pbeCipherAlg + System.lineSeparator() + ++ "Mac PBE: " + pbeMacAlg); ++ ++ System.setProperty("keystore.pkcs12.macAlgorithm", pbeMacAlg); ++ System.setProperty("keystore.pkcs12.keyProtectionAlgorithm", ++ pbeCipherAlg); ++ ++ // Create an empty PKCS#12 keystore ++ ByteArrayOutputStream baos = new ByteArrayOutputStream(); ++ p12.load(null, password); ++ ++ // Use PBE privacy and integrity algorithms from SunPKCS11 to store ++ // the secret key ++ Security.insertProviderAt(sunPKCS11, 1); ++ p12.setKeyEntry(alias, key, password, null); ++ p12.store(baos, password); ++ ++ // Use PBE privacy and integrity algorithms from other security ++ // providers, such as SunJCE, to read the secret key ++ Security.removeProvider(sunPKCS11.getName()); ++ p12.load(new ByteArrayInputStream(baos.toByteArray()), password); ++ Key k = p12.getKey(alias, password); ++ ++ if (!MessageDigest.isEqual(key.getEncoded(), k.getEncoded())) { ++ throw new Exception("Keys differ. Consistency check failed."); ++ } ++ System.out.println("Secret key import successful" + System.lineSeparator() + sep); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ main(new ImportKeyToP122()); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/Mac/PBAMac.java b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +new file mode 100644 +index 00000000000..6b5662f6b4c +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/Mac/PBAMac.java +@@ -0,0 +1,187 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Map; ++ ++import javax.crypto.Mac; ++import javax.crypto.SecretKey; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.interfaces.PBEKey; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test password based authentication on SunPKCS11's Mac service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @run main/othervm/timeout=30 PBAMac ++ */ ++ ++public final class PBAMac { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ PBAMac2.main(args); ++ } ++} ++ ++final class PBAMac2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String plainText = "This is a know plain text!"; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static enum Configuration { ++ // Provide salt & iterations through a PBEParameterSpec instance ++ PBEParameterSpec, ++ ++ // Provide salt & iterations through an anonymous class implementing ++ // the javax.crypto.interfaces.PBEKey interface ++ AnonymousPBEKey, ++ } ++ ++ // Generated with SunJCE ++ private static final Map assertionData = Map.of( ++ "HmacPBESHA1", new BigInteger("febd26da5d63ce819770a2af1fc2857e" + ++ "e2c9c41c", 16), ++ "HmacPBESHA224", new BigInteger("aa6a3a1c35a4b266fea62d1a871508" + ++ "bd45f8ec326bcf16e09699063", 16), ++ "HmacPBESHA256", new BigInteger("af4d71121fd4e9d52eb42944d99b77" + ++ "8ff64376fcf6af8d1dca3ec688dfada5c8", 16), ++ "HmacPBESHA384", new BigInteger("5d6d37764205985ffca7e4a6222752" + ++ "a8bbd0520858da08ecafdc57e6246894675e375b9ba084f9ce7142" + ++ "35f202cc3452", 16), ++ "HmacPBESHA512", new BigInteger("f586c2006cc2de73fd5743e5cca701" + ++ "c942d3741a7a54a2a649ea36898996cf3c483f2d734179b47751db" + ++ "e8373c980b4072136d2e2810f4e7276024a3e9081cc1", 16) ++ ); ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ for (Configuration conf : Configuration.values()) { ++ testWith(sunPKCS11, "HmacPBESHA1", conf); ++ testWith(sunPKCS11, "HmacPBESHA224", conf); ++ testWith(sunPKCS11, "HmacPBESHA256", conf); ++ testWith(sunPKCS11, "HmacPBESHA384", conf); ++ testWith(sunPKCS11, "HmacPBESHA512", conf); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private void testWith(Provider sunPKCS11, String algorithm, ++ Configuration conf) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm ++ + " (with " + conf.name() + ")"); ++ ++ BigInteger macResult = computeMac(sunPKCS11, algorithm, conf); ++ printByteArray("HMAC Result", macResult); ++ ++ BigInteger expectedMacResult = computeExpectedMac(algorithm, conf); ++ ++ if (!macResult.equals(expectedMacResult)) { ++ printByteArray("Expected HMAC Result", expectedMacResult); ++ throw new Exception("Expected HMAC Result did not match"); ++ } ++ } ++ ++ private BigInteger computeMac(Provider p, String algorithm, ++ Configuration conf) throws Exception { ++ Mac pbaMac; ++ try { ++ pbaMac = Mac.getInstance(algorithm, p); ++ } catch (NoSuchAlgorithmException e) { ++ return null; ++ } ++ switch (conf) { ++ case PBEParameterSpec -> { ++ SecretKey key = getPasswordOnlyPBEKey(); ++ pbaMac.init(key, new PBEParameterSpec(salt, iterations)); ++ } ++ case AnonymousPBEKey -> { ++ SecretKey key = getPasswordSaltIterationsPBEKey(); ++ pbaMac.init(key); ++ } ++ } ++ return new BigInteger(1, pbaMac.doFinal(plainText.getBytes())); ++ } ++ ++ private BigInteger computeExpectedMac(String algorithm, Configuration conf) ++ throws Exception { ++ if (sunJCE != null) { ++ BigInteger macResult = computeMac(sunJCE, algorithm, conf); ++ if (macResult != null) { ++ return macResult; ++ } ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(algorithm); ++ } ++ ++ private static SecretKey getPasswordOnlyPBEKey() throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password); ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance("PBE"); ++ SecretKey skey = skFac.generateSecret(keySpec); ++ keySpec.clearPassword(); ++ return skey; ++ } ++ ++ private static SecretKey getPasswordSaltIterationsPBEKey() { ++ return new PBEKey() { ++ public byte[] getSalt() { return salt.clone(); } ++ public int getIterationCount() { return iterations; } ++ public String getAlgorithm() { return "PBE"; } ++ public String getFormat() { return "RAW"; } ++ public char[] getPassword() { return password.clone(); } ++ public byte[] getEncoded() { return null; } // unused in PBA Mac ++ }; ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ PBAMac2 test = new PBAMac2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +new file mode 100644 +index 00000000000..67c3cee5970 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/SecretKeyFactory/TestPBKD.java +@@ -0,0 +1,296 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Field; ++import java.lang.reflect.Method; ++import java.math.BigInteger; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++ ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.PBEKeySpec; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary test key derivation on SunPKCS11's SecretKeyFactory service ++ * @requires (jdk.version.major >= 8) ++ * @library /test/lib .. ++ * @modules java.base/com.sun.crypto.provider:open ++ * @run main/othervm/timeout=30 TestPBKD ++ */ ++ ++public final class TestPBKD { ++ public static void main(String[] args) throws Exception { ++ java.security.Security.getProviders(); ++ TestPBKD2.main(args); ++ } ++} ++ ++final class TestPBKD2 extends PKCS11Test { ++ private static final char[] password = "123456".toCharArray(); ++ private static final byte[] salt = "abcdefgh".getBytes(); ++ private static final int iterations = 1000; ++ private static final String sep = ++ "========================================================================="; ++ ++ private static Provider sunJCE = Security.getProvider("SunJCE"); ++ ++ // Generated with SunJCE ++ private static final Map assertionData = ++ new HashMap<>() {{ ++ put("HmacPBESHA1", new BigInteger("5f7d1c360d1703cede76f47db" + ++ "2fa3facc62e7694", 16)); ++ put("HmacPBESHA224", new BigInteger("289563f799b708f522ab2a3" + ++ "8d283d0afa8fc1d3d227fcb9236c3a035", 16)); ++ put("HmacPBESHA256", new BigInteger("888defcf4ef37eb0647014a" + ++ "d172dd6fa3b3e9d024b962dba47608eea9b9c4b79", 16)); ++ put("HmacPBESHA384", new BigInteger("f5464b34253fadab8838d0d" + ++ "b11980c1787a99bf6f6304f2d8c942e30bada523494f9d5a0f3" + ++ "741e411de21add8b5718a8", 16)); ++ put("HmacPBESHA512", new BigInteger("18ae94337b132c68c611bc2" + ++ "e723ac24dcd44a46d900dae2dd6170380d4c34f90fef7bdeb5f" + ++ "6fddeb0d2230003e329b7a7eefcd35810d364ba95d31b68bb61" + ++ "e52", 16)); ++ put("PBEWithHmacSHA1AndAES_128", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd7", 16)); ++ put("PBEWithHmacSHA224AndAES_128", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2", 16)); ++ put("PBEWithHmacSHA256AndAES_128", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1", 16)); ++ put("PBEWithHmacSHA384AndAES_128", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d", 16)); ++ put("PBEWithHmacSHA512AndAES_128", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043", 16)); ++ put("PBEWithHmacSHA1AndAES_256", new BigInteger("fdb3dcc2e81" + ++ "244d4d56bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2ccde" + ++ "98", 16)); ++ put("PBEWithHmacSHA224AndAES_256", new BigInteger("5ef9e5c6f" + ++ "df7c355f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8d" + ++ "f64d", 16)); ++ put("PBEWithHmacSHA256AndAES_256", new BigInteger("c5af597b0" + ++ "1b4f6baac8f62ff6f22bfb1f319c3278c8b31cc616294716d4e" + ++ "ab08", 16)); ++ put("PBEWithHmacSHA384AndAES_256", new BigInteger("c3208ebc5" + ++ "d6db88858988ec00153847d5b1b7a8723640a022dc332bcaefe" + ++ "b356", 16)); ++ put("PBEWithHmacSHA512AndAES_256", new BigInteger("b27e8f7fb" + ++ "6a4bd5ebea892cd9a7f5043cefff9c38b07e599721e8d116189" + ++ "5482", 16)); ++ put("PBKDF2WithHmacSHA1", new BigInteger("fdb3dcc2e81244d4d5" + ++ "6bf7ec8dd61dd78a1b6fb3ad11d9ebd7f62027a2cc", 16)); ++ put("PBKDF2WithHmacSHA224", new BigInteger("5ef9e5c6fdf7c355" + ++ "f3b424233a9f24c2c9c41793cb0948b8ea3aac240b8df64d1a0" + ++ "736ec1c69eef1c7b2", 16)); ++ put("PBKDF2WithHmacSHA256", new BigInteger("c5af597b01b4f6ba" + ++ "ac8f62ff6f22bfb1f319c3278c8b31cc616294716d4eab080b9" + ++ "add9db34a42ceb2fea8d27adc00f4", 16)); ++ put("PBKDF2WithHmacSHA384", new BigInteger("c3208ebc5d6db888" + ++ "58988ec00153847d5b1b7a8723640a022dc332bcaefeb356995" + ++ "d076a949d35c42c7e1e1ca936c12f8dc918e497edf279a522b7" + ++ "c99580e2613846b3919af637da", 16)); ++ put("PBKDF2WithHmacSHA512", new BigInteger("b27e8f7fb6a4bd5e" + ++ "bea892cd9a7f5043cefff9c38b07e599721e8d1161895482da2" + ++ "55746844cc1030be37ba1969df10ff59554d1ac5468fa9b7297" + ++ "7bb7fd52103a0a7b488cdb8957616c3e23a16bca92120982180" + ++ "c6c11a4f14649b50d0ade3a", 16)); ++ }}; ++ ++ static interface AssertData { ++ BigInteger derive(String pbAlgo, PBEKeySpec keySpec) throws Exception; ++ } ++ ++ static final class P12PBKDAssertData implements AssertData { ++ private final int outLen; ++ private final String kdfAlgo; ++ private final int blockLen; ++ ++ P12PBKDAssertData(int outLen, String kdfAlgo, int blockLen) { ++ this.outLen = outLen; ++ this.kdfAlgo = kdfAlgo; ++ this.blockLen = blockLen; ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ // Since we need to access an internal SunJCE API, we use reflection ++ Class PKCS12PBECipherCore = Class.forName( ++ "com.sun.crypto.provider.PKCS12PBECipherCore"); ++ ++ Field macKeyField = PKCS12PBECipherCore.getDeclaredField("MAC_KEY"); ++ macKeyField.setAccessible(true); ++ int MAC_KEY = (int) macKeyField.get(null); ++ ++ Method deriveMethod = PKCS12PBECipherCore.getDeclaredMethod( ++ "derive", char[].class, byte[].class, int.class, ++ int.class, int.class, String.class, int.class); ++ deriveMethod.setAccessible(true); ++ ++ return new BigInteger(1, (byte[]) deriveMethod.invoke(null, ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.outLen, ++ MAC_KEY, this.kdfAlgo, this.blockLen)); ++ } ++ } ++ ++ static final class PBKD2AssertData implements AssertData { ++ private final String kdfAlgo; ++ private final int keyLen; ++ ++ PBKD2AssertData(String kdfAlgo, int keyLen) { ++ // Key length is pinned by the algorithm name (not kdfAlgo, ++ // but the algorithm under test: PBEWithHmacSHA*AndAES_*) ++ this.kdfAlgo = kdfAlgo; ++ this.keyLen = keyLen; ++ } ++ ++ PBKD2AssertData(String kdfAlgo) { ++ // Key length is variable for the algorithm under test ++ // (kdfAlgo is the algorithm under test: PBKDF2WithHmacSHA*) ++ this(kdfAlgo, -1); ++ } ++ ++ @Override ++ public BigInteger derive(String pbAlgo, PBEKeySpec keySpec) ++ throws Exception { ++ if (this.keyLen != -1) { ++ keySpec = new PBEKeySpec( ++ keySpec.getPassword(), keySpec.getSalt(), ++ keySpec.getIterationCount(), this.keyLen); ++ } ++ if (sunJCE != null) { ++ try { ++ return new BigInteger(1, SecretKeyFactory.getInstance( ++ this.kdfAlgo, sunJCE).generateSecret(keySpec) ++ .getEncoded()); ++ } catch (NoSuchAlgorithmException e) { ++ // Move to assertionData as it's unlikely that any of ++ // the algorithms are available. ++ sunJCE = null; ++ } ++ } ++ // If SunJCE or the algorithm are not available, assertionData ++ // is used instead. ++ return assertionData.get(pbAlgo); ++ } ++ } ++ ++ public void main(Provider sunPKCS11) throws Exception { ++ System.out.println("SunPKCS11: " + sunPKCS11.getName()); ++ testWith(sunPKCS11, "HmacPBESHA1", ++ new P12PBKDAssertData(20, "SHA-1", 64)); ++ testWith(sunPKCS11, "HmacPBESHA224", ++ new P12PBKDAssertData(28, "SHA-224", 64)); ++ testWith(sunPKCS11, "HmacPBESHA256", ++ new P12PBKDAssertData(32, "SHA-256", 64)); ++ testWith(sunPKCS11, "HmacPBESHA384", ++ new P12PBKDAssertData(48, "SHA-384", 128)); ++ testWith(sunPKCS11, "HmacPBESHA512", ++ new P12PBKDAssertData(64, "SHA-512", 128)); ++ ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_128", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 128)); ++ testWith(sunPKCS11, "PBEWithHmacSHA1AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA1", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA224AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA224", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA256AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA256", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA384AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA384", 256)); ++ testWith(sunPKCS11, "PBEWithHmacSHA512AndAES_256", ++ new PBKD2AssertData("PBKDF2WithHmacSHA512", 256)); ++ ++ // Use 1,5 * digest size as the testing derived key length (in bits) ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA1", 240, ++ new PBKD2AssertData("PBKDF2WithHmacSHA1")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA224", 336, ++ new PBKD2AssertData("PBKDF2WithHmacSHA224")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA256", 384, ++ new PBKD2AssertData("PBKDF2WithHmacSHA256")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA384", 576, ++ new PBKD2AssertData("PBKDF2WithHmacSHA384")); ++ testWith(sunPKCS11, "PBKDF2WithHmacSHA512", 768, ++ new PBKD2AssertData("PBKDF2WithHmacSHA512")); ++ ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ int keyLen, AssertData assertData) throws Exception { ++ PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterations, keyLen); ++ testWith(sunPKCS11, algorithm, keySpec, assertData); ++ } ++ ++ private static void testWith(Provider sunPKCS11, String algorithm, ++ PBEKeySpec keySpec, AssertData assertData) throws Exception { ++ System.out.println(sep + System.lineSeparator() + algorithm); ++ ++ SecretKeyFactory skFac = SecretKeyFactory.getInstance( ++ algorithm, sunPKCS11); ++ BigInteger derivedKey = new BigInteger(1, ++ skFac.generateSecret(keySpec).getEncoded()); ++ printByteArray("Derived Key", derivedKey); ++ ++ BigInteger expectedDerivedKey = assertData.derive(algorithm, keySpec); ++ ++ if (!derivedKey.equals(expectedDerivedKey)) { ++ printByteArray("Expected Derived Key", expectedDerivedKey); ++ throw new Exception("Expected Derived Key did not match"); ++ } ++ } ++ ++ private static void printByteArray(String title, BigInteger b) { ++ String repr = (b == null) ? "buffer is null" : b.toString(16); ++ System.out.println(title + ": " + repr + System.lineSeparator()); ++ } ++ ++ public static void main(String[] args) throws Exception { ++ TestPBKD2 test = new TestPBKD2(); ++ Provider p = Security.getProvider("SunPKCS11-NSS-FIPS"); ++ if (p != null) { ++ test.main(p); ++ } else { ++ main(test); ++ } ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 0547830..e051d75 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -23,6 +23,8 @@ %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -39,6 +41,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -190,11 +202,15 @@ %global staticlibs_loop %{nil} %endif +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from @@ -305,7 +321,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 5 +%global updatever 7 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -345,15 +361,16 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 0bd5ca9ccc5 +%global fipsver bf363eecce3 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 2 +%global buildver 7 +%global rpmrelease 1 +#%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -411,7 +428,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -815,6 +832,9 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so @@ -933,7 +953,7 @@ exit 0 %ifarch %{sa_arches} %ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb -%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* %endif %endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo @@ -972,11 +992,11 @@ exit 0 %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %if %{with_systemtap} %dir %{tapsetroot} @@ -1099,9 +1119,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -Requires: tzdata-java >= 2022d +# 2022g required as of JDK-8297804 +Requires: tzdata-java >= 2022g # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1293,9 +1312,6 @@ Source15: TestSecurityProperties.java # Ensure vendor settings are correct Source16: CheckVendor.java -# nss fips configuration file -Source17: nss.fips.cfg.in - # Ensure translations are available for new timezones Source18: TestTranslations.java @@ -1320,8 +1336,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u-cpu-2022-07 -# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u +# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -1347,6 +1363,14 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Build the systemconf library on all platforms # RH2048582: Support PKCS#12 keystores # RH2020290: Support TLS 1.3 in FIPS mode +# Add nss.fips.cfg support to OpenJDK tree +# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +# Remove forgotten dead code from RH2020290 and RH2104724 +# OJ1357: Fix issue on FIPS with a SecurityManager in place +# RH2134669: Add missing attributes when registering services in FIPS mode. +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +# RH1940064: Enable XML Signature provider in FIPS mode +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -1354,20 +1378,16 @@ Patch1001: fips-17u-%{fipsver}.patch # OpenJDK patches in need of upstreaming # ############################################# -# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked -Patch2000: jdk8275535-rh2053256-ldap_auth.patch ############################################# # -# OpenJDK patches appearing in 17.0.6 +# OpenJDK patches appearing in 17.0.8 # ############################################# -# JDK-8293834: Update CLDR data following tzdata 2022c update -Patch2001: jdk8293834-kyiv_cldr_update.patch -# JDK-8294357: (tz) Update Timezone Data to 2022d -Patch2002: jdk8294357-tzdata2022d.patch -# JDK-8295173: (tz) Update Timezone Data to 2022e -Patch2003: jdk8295173-tzdata2022e.patch +# JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile +Patch2001: jdk8274864-remove_amman_cairo_hacks.patch +# JDK-8305113: (tz) Update Timezone Data to 2023c +Patch2002: jdk8305113-tzdata2023c.patch BuildRequires: autoconf BuildRequires: automake @@ -1378,14 +1398,8 @@ BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel BuildRequires: fontconfig-devel -BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel @@ -1407,10 +1421,8 @@ BuildRequires: java-17-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -BuildRequires: tzdata-java >= 2022d - +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1419,6 +1431,30 @@ BuildRequires: systemtap-sdt-devel %endif BuildRequires: make +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 4.4.1 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.12.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1768,8 +1804,11 @@ if [ $prioritylength -ne 8 ] ; then fi # OpenJDK patches + +%if %{system_libs} # Remove libraries that are linked by both static and dynamic builds sh %{SOURCE12} %{top_level_dir_name} +%endif # Patch the JDK pushd %{top_level_dir_name} @@ -1781,16 +1820,13 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 -# tzdata updates targetted for 17.0.6 +# tzdata update %patch2001 -p1 %patch2002 -p1 -%patch2003 -p1 popd # openjdk %patch600 -%patch2000 - # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -1808,8 +1844,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then echo "WARNING: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - # Don't fail at present as upstream are not maintaining the value correctly - #exit 17 + exit 17 fi # Extract systemtap tapsets @@ -1861,9 +1896,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg - %build # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) @@ -1907,6 +1939,14 @@ function buildjdk() { local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Using output directory: ${outputdir}"; echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version @@ -1918,6 +1958,10 @@ function buildjdk() { mkdir -p ${outputdir} pushd ${outputdir} + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build bash ${top_dir_abs_src_path}/configure \ %ifarch %{zero_arches} --with-jvm-variants=zero \ @@ -1938,13 +1982,14 @@ function buildjdk() { --with-native-debug-symbols="%{debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ --with-libjpeg=${link_opt} \ --with-giflib=${link_opt} \ --with-libpng=${link_opt} \ --with-lcms=${link_opt} \ --with-harfbuzz=${link_opt} \ - --with-stdc++lib=dynamic \ + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ @@ -1984,9 +2029,6 @@ function installjdk() { # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Turn on system security properties sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ ${imagepath}/conf/security/java.security @@ -2030,12 +2072,13 @@ for suffix in %{build_loop} ; do bootbuilddir=boot${builddir} if test "x${loop}" = "x%{main_suffix}" ; then + link_opt="%{link_type}" +%if %{system_libs} # Copy the source tree so we can remove all in-tree libraries cp -a %{top_level_dir_name} %{top_level_dir_name_backup} # Remove all libraries that are linked sh %{SOURCE12} %{top_level_dir_name} full - # Use system libraries - link_opt="system" +%endif # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these # slower builds. @@ -2053,9 +2096,11 @@ for suffix in %{build_loop} ; do else buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} fi +%if %{system_libs} # Restore original source tree we modified by removing full in-tree sources rm -rf %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif else # Use bundled libraries for building statically link_opt="bundled" @@ -2123,10 +2168,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif -# Check translations are available for new timezones +%if ! 0%{?flatpak} +# Check translations are available for new timezones (during flatpak builds, the +# tzdb.dat used by this test is not where the test expects it, so this is +# disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +%endif %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) @@ -2583,58 +2632,124 @@ require "copy_jdk_configs.lua" %endif %changelog -* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +* Thu Apr 13 2023 Andrew Hughes - 1:17.0.7.0.7-1 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2186835 +- Resolves: rhbz#2186827 +- Resolves: rhbz#2186831 + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Update FIPS support to bring in latest changes +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Related: rhbz#2147473 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-3 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Switch to GA mode for release +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Related: rhbz#2153010 + +* Wed Jan 04 2023 Andrew Hughes - 1:17.0.6.0.9-0.2.ea +- Update to jdk-17.0.6+9 +- Update release notes to 17.0.6+9 +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- Resolves: rhbz#2153010 + +* Sat Dec 03 2022 Andrew Hughes - 1:17.0.6.0.1-0.2.ea +- Update to jdk-17.0.6+1 +- Update release notes to 17.0.6+1 +- Switch to EA mode for 17.0.6 pre-release builds. +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Bump tzdata requirement to 2022e now the package is available in RHEL +- Related: rhbz#2153010 + +* Wed Nov 23 2022 Andrew Hughes - 1:17.0.5.0.8-4 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2147473 + +* Wed Oct 26 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 +- Bump FreeType bundled version to 2.12.1 following JDK-8290334 - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 - Update CLDR data with Europe/Kyiv (JDK-8293834) - Drop JDK-8292223 patch which we found to be unnecessary - Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream -- Related: rhbz#2133695 - -* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 -- Update to jdk-17.0.5+8 (GA) -- Update release notes to 17.0.5+8 (GA) -- Switch to GA mode for final release. -- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds +- Remove freetype sources along with zlib sources +- Resolves: rhbz#2132502 - Resolves: rhbz#2133695 -* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.1.ea -- Update to jdk-17.0.5+7 -- Update release notes to 17.0.5+7 -- Resolves: rhbz#2132503 +* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-6 +- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider +- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650 +- Resolves: rhbz#2006351 -* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.1.ea -- Update to jdk-17.0.5+1 -- Update release notes to 17.0.5+1 -- Switch to EA mode for 17.0.5 pre-release builds. -- Related: rhbz#2132503 +* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-5 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2121263 -* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +* Mon Aug 29 2022 Stephan Bergmann - 1:17.0.4.1.1-4 +- Fix flatpak builds (catering for their uncompressed manual pages) +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102734 + +* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-3 - Update FIPS support to bring in latest changes -- * RH2023467: Enable FIPS keys export - * RH2104724: Avoid import/export of DH private keys - * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode - * Build the systemconf library on all platforms - * RH2048582: Support PKCS#12 keystores - * RH2020290: Support TLS 1.3 in FIPS mode -- Resolves: rhbz#2123561 -- Resolves: rhbz#2123564 -- Resolves: rhbz#2123566 -- Resolves: rhbz#2123568 -- Resolves: rhbz#2123572 +- Resolves: rhbz#2104724 +- Resolves: rhbz#2092507 +- Resolves: rhbz#2048582 +- Resolves: rhbz#2020290 -* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-2 - Update to jdk-17.0.4.1+1 - Update release notes to 17.0.4.1+1 - Add patch to provide translations for Europe/Kyiv added in tzdata2022b - Add test to ensure timezones can be translated -- Resolves: rhbz#2120059 +- Resolves: rhbz#2119531 -* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.8-0.2.ea -- Add rpminspect.yaml to turn off Java bytecode inspections -- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode -- Resolves: rhbz#2109106 +* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-3 +- Update to jdk-17.0.4.0+8 +- Update release notes to 17.0.4.0+8 +- Switch to GA mode for release +- Resolves: rhbz#2106522 -* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.8-0.2.ea +* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea - Revert the following changes until copy-java-configs has adapted to relative symlinks: - * Move cacerts replacement to install section and retain original of this and tzdb.dat - * Run tests on the installed image, rather than the build image @@ -2642,18 +2757,19 @@ require "copy_jdk_configs.lua" - * Use relative symlinks so they work within the image - * Run debug symbols check during build stage, before the install strips them - The move of turning on system security properties is retained so we don't ship with them off -- Related: rhbz#2084650 +- Related: rhbz#2100674 -* Wed Jul 20 2022 Jiri Vanek - 1:17.0.4.0.8-0.2.ea -- Returned absolute symlinks -- Relative symlinks are breaking cjc, and deeper investigations are necessary +* Wed Jul 20 2022 Jiri Vanek - 1:17.0.4.0.7-0.2.ea +- retutrned absolute symlinks +- relative symlinks are breaking cjc, and deeper investigations are necessary -- why cjc intentionally skips relative symllinks -- Images have to be workarounded differently -- Related: rhbz#2084650 +- images have to be workarounded differently +- Related: rhbz#2100674 -* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 -- Update to jdk-17.0.4.0+8 -- Update release notes to 17.0.4.0+8 +* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea +- Update to jdk-17.0.4.0+7 +- Update release notes to 17.0.4.0+7 +- Switch to EA mode for 17.0.4 pre-release builds. - Need to include the '.S' suffix in debuginfo checks after JDK-8284661 - Print release file during build, which should now include a correct SOURCE value from .src-rev - Update tarball script with IcedTea GitHub URL and .src-rev generation @@ -2664,41 +2780,78 @@ require "copy_jdk_configs.lua" - Explicitly require crypto-policies during build and runtime for system security properties - Make use of the vendor version string to store our version & release rather than an upstream release date - Include a test in the RPM to check the build has the correct vendor information. -- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository -- * RH2094027: SunEC runtime permission for FIPS -- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -- * RH2090378: Revert to disabling system security properties and FIPS mode support together -- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch -- Enable system security properties in the RPM (now disabled by default in the FIPS repo) -- Improve security properties test to check both enabled and disabled behaviour -- Run security properties test with property debugging on +- Resolves: rhbz#2083316 + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2083316 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Fix whitespace in spec file +- Related: rhbz#2100674 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Sequence spec file sections as they are run by rpmbuild (build, install then test) +- Related: rhbz#2100674 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-6 - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them -- Resolves: rhbz#2084650 -- Resolves: rhbz#2099913 -- Resolves: rhbz#2108206 -- Resolves: rhbz#2108209 -- Resolves: rhbz#2106521 +- Related: rhbz#2100674 -* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea -- Fix issue where CheckVendor.java test erroneously passes when it should fail. -- Add proper quoting so '&' is not treated as a special character by the shell. -- Related: rhbz#2084650 - -* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-2 +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode -- Resolves: rhbz#2108190 +- Resolves: rhbz#2007331 + +* Tue Jun 28 2022 Andrew Hughes - 1:17.0.3.0.7-4 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099840 +- Resolves: rhbz#2100674 + +* Tue Jun 28 2022 Andrew Hughes - 1:17.0.3.0.7-3 +- Add rpminspect.yaml to turn off Java bytecode inspections +- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode +- Resolves: rhbz#2101524 + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2023467 +- Resolves: rhbz#2094027 -* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-2 +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 - April 2022 security update to jdk 17.0.3+7 -- Update to jdk-17.0.3.0+7 tarball -- Update release notes to 17.0.3.0+7 +- Update to jdk-17.0.3.0+7 release tarball +- Update release notes to 17.0.3.0+6 - Add missing README.md and generate_source_tarball.sh -- Resolves: rhbz#2073576 +- Switch to GA mode for release +- JDK-8283911 patch no longer needed now we're GA... +- Resolves: rhbz#2073577 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050456 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 * Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-15 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode diff --git a/jdk8274864-remove_amman_cairo_hacks.patch b/jdk8274864-remove_amman_cairo_hacks.patch new file mode 100644 index 0000000..5a5263a --- /dev/null +++ b/jdk8274864-remove_amman_cairo_hacks.patch @@ -0,0 +1,53 @@ +commit 1b3825db8631e55771fb723d4fcd10040ea15b7e +Author: duke +Date: Wed Apr 12 17:25:27 2023 +0000 + + Backport ec199072c5867624d66840238cc8828e16ae8da7 + +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index 6f6e190efcd..ef278203182 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -608,34 +608,6 @@ public final class ZoneInfoFile { + params[8] = endRule.secondOfDay * 1000; + params[9] = toSTZTime[endRule.timeDefinition]; + dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; +- +- // Note: known mismatching -> Asia/Amman +- // ZoneInfo : startDayOfWeek=5 <= Thursday +- // startTime=86400000 <= 24 hours +- // This: startDayOfWeek=6 +- // startTime=0 +- // Similar workaround needs to be applied to Africa/Cairo and +- // its endDayOfWeek and endTime +- // Below is the workarounds, it probably slows down everyone a little +- if (params[2] == 6 && params[3] == 0 && +- (zoneId.equals("Asia/Amman"))) { +- params[2] = 5; +- params[3] = 86400000; +- } +- // Additional check for startDayOfWeek=6 and starTime=86400000 +- // is needed for Asia/Amman; +- if (params[2] == 7 && params[3] == 0 && +- (zoneId.equals("Asia/Amman"))) { +- params[2] = 6; // Friday +- params[3] = 86400000; // 24h +- } +- //endDayOfWeek and endTime workaround +- if (params[7] == 6 && params[8] == 0 && +- (zoneId.equals("Africa/Cairo"))) { +- params[7] = 5; +- params[8] = 86400000; +- } +- + } else if (nTrans > 0) { // only do this if there is something in table already + if (lastyear < LASTYEAR) { + // ZoneInfo has an ending entry for 2037 +@@ -908,7 +880,6 @@ public final class ZoneInfoFile { + this.dow = dowByte == 0 ? -1 : dowByte; + this.secondOfDay = timeByte == 31 ? in.readInt() : timeByte * 3600; + this.timeDefinition = (data & (3 << 12)) >>> 12; +- + this.standardOffset = stdByte == 255 ? in.readInt() : (stdByte - 128) * 900; + this.offsetBefore = beforeByte == 3 ? in.readInt() : standardOffset + beforeByte * 1800; + this.offsetAfter = afterByte == 3 ? in.readInt() : standardOffset + afterByte * 1800; diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch deleted file mode 100644 index 51bd6d2..0000000 --- a/jdk8275535-rh2053256-ldap_auth.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -index 70903206ea0..09956084cf9 100644 ---- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor - ctx = getLdapCtxFromUrl( - r.getDomainName(), url, new LdapURL(u), env); - return ctx; -+ } catch (AuthenticationException e) { -+ // do not retry on a different endpoint to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - // try the next element - lastException = e; -@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor - for (String u : urls) { - try { - return getUsingURL(u, env); -+ } catch (AuthenticationException e) { -+ // do not retry on a different URL to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - ex = e; - } diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch deleted file mode 100644 index b8dda24..0000000 --- a/jdk8293834-kyiv_cldr_update.patch +++ /dev/null @@ -1,51 +0,0 @@ -diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml -index 41ff6d236c8..e703020dcdd 100644 ---- a/make/data/cldr/common/bcp47/timezone.xml -+++ b/make/data/cldr/common/bcp47/timezone.xml -@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html - - - -- -+ - - - -diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java -index eb56c087ad6..e398af3c151 100644 ---- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java -+++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java -@@ -23,7 +23,7 @@ - - /* - * @test -- * @bug 8181157 8202537 8234347 8236548 8261279 -+ * @bug 8181157 8202537 8234347 8236548 8261279 8293834 - * @modules jdk.localedata - * @summary Checks CLDR time zone names are generated correctly at runtime - * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest -@@ -102,6 +102,24 @@ public class TimeZoneNamesTest { - "UTC+04:00", - "heure : Astrakhan", - "UTC+04:00"}, -+ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time", -+ "GMT+02:00", -+ "Eastern European Summer Time", -+ "GMT+03:00", -+ "Eastern European Time", -+ "GMT+02:00"}, -+ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est", -+ "UTC+02:00", -+ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", -+ "UTC+03:00", -+ "heure d\u2019Europe de l\u2019Est", -+ "UTC+02:00"}, -+ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit", -+ "OEZ", -+ "Osteurop\u00e4ische Sommerzeit", -+ "OESZ", -+ "Osteurop\u00e4ische Zeit", -+ "OEZ"}, - {"Europe/Saratov", Locale.US, "Saratov Standard Time", - "GMT+04:00", - "Saratov Daylight Time", diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch deleted file mode 100644 index 9eb6727..0000000 --- a/jdk8294357-tzdata2022d.patch +++ /dev/null @@ -1,303 +0,0 @@ -commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce -Author: Goetz Lindenmaier -Date: Wed Oct 5 07:13:43 2022 +0000 - - 8294357: (tz) Update Timezone Data to 2022d - - Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54 - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION -index decb8716b22..889d0e6dad7 100644 ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022c -+tzdata2022d -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia -index 3a150b0f36b..f9df7432947 100644 ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # The winter time in 2015 started on October 23 at 01:00. - # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY - # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 --# --# From Paul Eggert (2019-04-10): --# For now, guess spring-ahead transitions are at 00:00 on the Saturday --# preceding March's last Sunday (i.e., Sat>=24). - - # From P Chan (2021-10-18): - # http://wafa.ps/Pages/Details/34701 -@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # From Heba Hamad (2022-03-10): - # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. - -+# From Heba Hamad (2022-08-30): -+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by -+# 60 minutes backwards. Also the state of Palestine adopted the summer -+# and winter time for the years: 2023,2024,2025,2026 ... -+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf -+# (2022-08-31): ... the Saturday before the last Sunday in March and October -+# at 2:00 AM ,for the years from 2023 to 2026. -+# (2022-09-05): https://mtit.pna.ps/Site/New/1453 -+# -+# From Paul Eggert (2022-08-31): -+# For now, assume that this rule will also be used after 2026. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S - Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - -@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - - Rule Palestine 2014 only - Oct 24 0:00 0 - - Rule Palestine 2015 only - Mar 28 0:00 1:00 S - Rule Palestine 2015 only - Oct 23 1:00 0 - --Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S --Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - -+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S -+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - - Rule Palestine 2019 only - Mar 29 0:00 1:00 S --Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - --Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S -+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - -+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S - Rule Palestine 2020 only - Oct 24 1:00 0 - --Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - --Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S -+Rule Palestine 2021 only - Oct 29 1:00 0 - -+Rule Palestine 2022 only - Mar 27 0:00 1:00 S -+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - -+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Gaza 2:17:52 - LMT 1900 Oct -diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward -index d4a29e8cf29..7765d99aedf 100644 ---- a/make/data/tzdata/backward -+++ b/make/data/tzdata/backward -@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe -index 879b5337536..accc845dbaf 100644 ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 - # From Alexander Krivenyshev (2014-03-17): - # time change at 2:00 (2am) on March 30, 2014 - # https://vz.ru/news/2014/3/17/677464.html --# From Paul Eggert (2014-03-30): --# Simferopol and Sevastopol reportedly changed their central town clocks --# late the previous day, but this appears to have been ceremonial --# and the discrepancies are small enough to not worry about. -+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): -+# The clocks at the railway station in Simferopol were put forward from 22:00 -+# to 24:00 the previous day in a "symbolic ceremony"; however, per -+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings -+# time switch at 2am" on Sunday. -+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html -+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 -+# https://www.bbc.com/news/av/world-europe-26806583 - 2:00 EU EE%sT 2014 Mar 30 2:00 - 4:00 - MSK 2014 Oct 26 2:00s - 3:00 - MSK -@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # US colleague David Cochrane) are still trying to get more - # information upon these local deviations from Kiev rules. - # --# From Paul Eggert (2022-02-08): --# For now, assume that Ukraine's other three zones followed the same rules, -+# From Paul Eggert (2022-08-27): -+# For now, assume that Ukraine's zones all followed the same rules, - # except that Crimea switched to Moscow time in 1994 as described elsewhere. - - # From Igor Karpov, who works for the Ukrainian Ministry of Justice, -@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # * Ukrainian Government's Resolution of 20.03.1992, No. 139. - # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm - --# From Paul Eggert (2022-04-12): --# As is usual in tzdb, Ukrainian zones use the most common English spellings. --# In particular, tzdb's name Europe/Kyiv uses the most common spelling in --# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, --# "Kyiv" is now more common due to widespread reporting of the current conflict. --# Conversely, tzdb continues to use the names Europe/Uzhgorod and --# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is --# certainly wrong as a transliteration of the Czech "Praha". --# English-language spelling of Ukrainian names is in flux, and --# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more --# common in English; in the meantime, do not change these --# English spellings as that means less disruption for our users. -- - # Zone NAME STDOFF RULES FORMAT [UNTIL] --# This represents most of Ukraine. See above for the spelling of "Kyiv". - Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time - 2:00 - EET 1930 Jun 21 -@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:00 1:00 EEST 1991 Sep 29 3:00 - 2:00 C-Eur EE%sT 1996 May 13 - 2:00 EU EE%sT --# Transcarpathia used CET 1990/1991. --# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but --# "Uzhgorod" is more common in English. --Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct -- 1:00 - CET 1940 -- 1:00 C-Eur CE%sT 1944 Oct -- 1:00 1:00 CEST 1944 Oct 26 -- 1:00 - CET 1945 Jun 29 -- 3:00 Russia MSK/MSD 1990 -- 3:00 - MSK 1990 Jul 1 2:00 -- 1:00 - CET 1991 Mar 31 3:00 -- 2:00 - EET 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT --# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. --# "Zaporizhzhia" is the transliteration of the Ukrainian name, but --# "Zaporozh'ye" is more common in English. Use the common English --# spelling, except omit the apostrophe as it is not allowed in --# portable Posix file names. --Zone Europe/Zaporozhye 2:20:40 - LMT 1880 -- 2:20 - +0220 1924 May 2 -- 2:00 - EET 1930 Jun 21 -- 3:00 - MSK 1941 Aug 25 -- 1:00 C-Eur CE%sT 1943 Oct 25 -- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 -- 2:00 E-Eur EE%sT 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT - - # Vatican City - # See Europe/Rome. -diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica -index 13ec081c7e0..3c0e0e2061c 100644 ---- a/make/data/tzdata/southamerica -+++ b/make/data/tzdata/southamerica -@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 - # for America/Santiago will start on midnight of September 11th; - # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) - # will keep UTC -3 "indefinitely"... This is because on September 4th --# we will have a voting whether to approve a new Constitution.... --# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ -+# we will have a voting whether to approve a new Constitution. -+# -+# From Eduardo Romero Urra (2022-08-17): -+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf -+# -+# From Paul Eggert (2022-08-17): -+# Although the presidential decree stops at fall 2026, assume that -+# similar DST rules will continue thereafter. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Chile 1927 1931 - Sep 1 0:00 1:00 - -diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab -index 51b65fa273c..ee025196e50 100644 ---- a/make/data/tzdata/zone.tab -+++ b/make/data/tzdata/zone.tab -@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti - TW +2503+12130 Asia/Taipei - TZ -0648+03917 Africa/Dar_es_Salaam - UA +5026+03031 Europe/Kyiv Ukraine (most areas) --UA +4837+02218 Europe/Uzhgorod Transcarpathia --UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk - UG +0019+03225 Africa/Kampala - UM +2813-17722 Pacific/Midway Midway Islands - UM +1917+16637 Pacific/Wake Wake Island -diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -index 15c2f0d1275..6f6e190efcd 100644 ---- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -@@ -574,12 +574,8 @@ public final class ZoneInfoFile { - // we can then pass in the dom = -1, dow > 0 into ZoneInfo - // - // hacking, assume the >=24 is the result of ZRB optimization for -- // "last", it works for now. From tzdata2020d this hacking -- // will not work for Asia/Gaza and Asia/Hebron which follow -- // Palestine DST rules. -- if (dom < 0 || dom >= 24 && -- !(zoneId.equals("Asia/Gaza") || -- zoneId.equals("Asia/Hebron"))) { -+ // "last", it works for now. -+ if (dom < 0 || dom >= 24) { - params[1] = -1; - params[2] = toCalendarDOW[dow]; - } else { -@@ -601,7 +597,6 @@ public final class ZoneInfoFile { - params[7] = 0; - } else { - // hacking: see comment above -- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e - if (dom < 0 || dom >= 24) { - params[6] = -1; - params[7] = toCalendarDOW[dow]; -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index c32bee39fba..71470168456 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022c -+tzdata2022d -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -index a5e6428a3f5..e3ce742f887 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index fc148537f1f..b3823958ae4 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -163,11 +163,9 @@ Europe/Simferopol MSK - Europe/Sofia EET EEST - Europe/Tallinn EET EEST - Europe/Tirane CET CEST --Europe/Uzhgorod EET EEST - Europe/Vienna CET CEST - Europe/Vilnius EET EEST - Europe/Warsaw CET CEST --Europe/Zaporozhye EET EEST - Europe/Zurich CET CEST - HST HST - MET MET MEST -diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -index 7b50c342a0d..a7d14f1aa21 100644 ---- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -@@ -176,11 +176,12 @@ public class TestZoneInfo310 { - * save time in IANA tzdata. This bug is tracked via JDK-8223388. - * - * These are the zones/rules that employ negative DST in vanguard -- * format (as of 2019a): -+ * format (as of 2019a), Palestine added in 2022d: - * - * - Rule "Eire" - * - Rule "Morocco" - * - Rule "Namibia" -+ * - Rule "Palestine" - * - Zone "Europe/Prague" - * - * Tehran/Iran rule has rules beyond 2037, in which javazic assumes -@@ -196,6 +197,8 @@ public class TestZoneInfo310 { - zid.equals("Europe/Dublin") || // uses "Eire" rule - zid.equals("Europe/Prague") || - zid.equals("Asia/Tehran") || // last rule mismatch -+ zid.equals("Asia/Gaza") || // uses "Palestine" rule -+ zid.equals("Asia/Hebron") || // uses "Palestine" rule - zid.equals("Iran")) { // last rule mismatch - continue; - } diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch deleted file mode 100644 index 8ffd2ee..0000000 --- a/jdk8295173-tzdata2022e.patch +++ /dev/null @@ -1,420 +0,0 @@ -commit d159a377e0243bd2c80593689fd7cd20b2b578f7 -Author: duke -Date: Fri Oct 14 03:37:19 2022 +0000 - - Backport 21407dec0156301871a83328615e4d975c4287c4 - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION -index 889d0e6dad7..b8cb36e69f4 100644 ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022d -+tzdata2022e -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia -index f9df7432947..5b2337fd0b6 100644 ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u - # From the Arabic version, it seems to say it would be at midnight - # (assume 24:00) on the last Thursday in February, starting from 2022. - -+# From Issam Al-Zuwairi (2022-10-05): -+# The Council of Ministers in Jordan decided Wednesday 5th October 2022, -+# that daylight saving time (DST) will be throughout the year.... -+# -+# From Brian Inglis (2022-10-06): -+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news -+# -+# From Paul Eggert (2022-10-05): -+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Jordan 1973 only - Jun 6 0:00 1:00 S - Rule Jordan 1973 1975 - Oct 1 0:00 0 - -@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - - Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - - Rule Jordan 2013 only - Dec 20 0:00 0 - - Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S --Rule Jordan 2014 max - Oct lastFri 0:00s 0 - --Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S -+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - -+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Amman 2:23:44 - LMT 1931 -- 2:00 Jordan EE%sT -+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s -+ 3:00 - +03 - - - # Kazakhstan -@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - - # Our brief summary: - # https://www.timeanddate.com/news/time/syria-dst-2012.html - --# From Arthur David Olson (2012-03-27): --# Assume last Friday in March going forward XXX. -+# From Steffen Thorsen (2022-10-05): -+# Syria is adopting year-round DST, starting this autumn.... -+# From https://www.enabbaladi.net/archives/607812 -+# "This [the decision] came after the weekly government meeting today, -+# Tuesday 4 October ..." -+# -+# From Paul Eggert (2022-10-05): -+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. - - Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S - Rule Syria 2008 only - Nov 1 0:00 0 - - Rule Syria 2009 only - Mar lastFri 0:00 1:00 S - Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S --Rule Syria 2012 max - Mar lastFri 0:00 1:00 S --Rule Syria 2009 max - Oct lastFri 0:00 0 - -+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S -+Rule Syria 2009 2022 - Oct lastFri 0:00 0 - - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq -- 2:00 Syria EE%sT -+ 2:00 Syria EE%sT 2022 Oct 28 0:00 -+ 3:00 - +03 - - # Tajikistan - # From Shanks & Pottenger. -diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe -index accc845dbaf..2832c4b9763 100644 ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u - 0:00 Spain WE%sT 1940 Mar 16 23:00 - 1:00 Spain CE%sT 1979 - 1:00 EU CE%sT --Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 -+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u - 0:00 - WET 1918 May 6 23:00 - 0:00 1:00 WEST 1918 Oct 7 23:00 - 0:00 - WET 1924 -diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica -index 114cef14cce..ce4ee74582c 100644 ---- a/make/data/tzdata/northamerica -+++ b/make/data/tzdata/northamerica -@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D - Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S - Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 -+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Chicago C%sT 1936 Mar 1 2:00 - -5:00 - EST 1936 Nov 15 2:00 -@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 - -6:00 Chicago C%sT 1967 - -6:00 US C%sT - # Oliver County, ND switched from mountain to central time on 1992-10-25. --Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 -+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1992 Oct 25 2:00 - -6:00 US C%sT - # Morton County, ND, switched from mountain to central time on -@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 - # Jones, Mellette, and Todd Counties in South Dakota; - # but in practice these other counties were already observing central time. - # See . --Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 -+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2003 Oct 26 2:00 - -6:00 US C%sT - -@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 - # largest city in Mercer County). Google Maps places Beulah's city hall - # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". - --Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 -+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2010 Nov 7 2:00 - -6:00 US C%sT - -@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S - Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D - Rule Denver 1965 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 -+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1920 - -7:00 Denver M%sT 1942 - -7:00 US M%sT 1946 -@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D - Rule CA 1950 1961 - Sep lastSun 2:00 0 S - Rule CA 1962 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 -+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1946 - -8:00 CA P%sT 1967 - -8:00 US P%sT -@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 - # Go with the Arizona State Library instead. - - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 -+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1944 Jan 1 0:01 - -7:00 - MST 1944 Apr 1 0:01 - -7:00 US M%sT 1944 Oct 1 0:01 -@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston - # switched four weeks late in 1974. - # - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 -+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1923 May 13 2:00 - -7:00 US M%sT 1974 - -7:00 - MST 1974 Feb 3 2:00 -@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D - Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S - Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 -+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Indianapolis C%sT 1942 - -6:00 US C%sT 1946 -@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S - Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D - Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 -+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1951 - -6:00 Marengo C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S - Rule Vincennes 1961 only - Sep lastSun 2:00 0 S - Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 -+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Vincennes C%sT 1964 Apr 26 2:00 - -5:00 - EST 1969 -@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S - Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D - Rule Perry 1961 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 -+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Perry C%sT 1964 Apr 26 2:00 - -5:00 - EST 1967 Oct 29 2:00 -@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S - Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D - Rule Pike 1961 1964 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 -+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1955 - -6:00 Pike C%sT 1965 Apr 25 2:00 - -5:00 - EST 1966 Oct 30 2:00 -@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S - Rule Starke 1957 1958 - Sep lastSun 2:00 0 S - Rule Starke 1959 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 -+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1947 - -6:00 Starke C%sT 1962 Apr 29 2:00 - -5:00 - EST 1963 Oct 27 2:00 -@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S - Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S - Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 -+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Pulaski C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 - # - # Switzerland County, Indiana, did not observe DST from 1973 through 2005. - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 -+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1954 Apr 25 2:00 - -5:00 - EST 1969 - -5:00 US E%sT 1973 -@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D - Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S - Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 -+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1921 - -6:00 Louisville C%sT 1942 - -6:00 US C%sT 1946 -@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 - # Federal Register 65, 160 (2000-08-17), pp 50154-50158. - # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm - # --Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 -+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 - CST 1968 - -6:00 US C%sT 2000 Oct 29 2:00 -@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # longitude they are located at. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S -+Rule Mexico 1931 only - May 1 23:00 1:00 D -+Rule Mexico 1931 only - Oct 1 0:00 0 S - Rule Mexico 1939 only - Feb 5 0:00 1:00 D - Rule Mexico 1939 only - Jun 25 0:00 0 S - Rule Mexico 1940 only - Dec 9 0:00 1:00 D -@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D - Rule Mexico 2002 max - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - # Quintana Roo; represented by Cancún --Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 -+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 Mexico E%sT 1998 Aug 2 2:00 - -6:00 Mexico C%sT 2015 Feb 1 2:00 - -5:00 - EST - # Campeche, Yucatán; represented by Mérida --Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 -+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 - EST 1982 Dec 2 - -6:00 Mexico C%sT -@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 - # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, - # 2016-03-12 - # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza --Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 -+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT 2010 - -6:00 US C%sT - # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) --Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 -+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT - # Central Mexico --Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 -+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 Mexico C%sT 2001 Sep 30 2:00 - -6:00 - CST 2002 Feb 20 - -6:00 Mexico C%sT -@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 - # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, - # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. - # (See the 2016-03-12 El Universal source mentioned above.) --Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 -+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT 2010 - -7:00 US M%sT - # Chihuahua (away from US border) --Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 -+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT - # Sonora --Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 -+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 - # Use "Bahia_Banderas" to keep the name to fourteen characters. - - # Mazatlán --Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 -+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 - -7:00 Mexico M%sT - - # Bahía de Banderas --Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 -+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 - -6:00 Mexico C%sT - - # Baja California --Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 -+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1924 - -8:00 - PST 1927 Jun 10 23:00 - -7:00 - MST 1930 Nov 15 -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index 71470168456..0cad939008f 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022d -+tzdata2022e -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index b3823958ae4..2f2786f1c69 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -97,9 +97,7 @@ America/Winnipeg CST CDT - America/Yakutat AKST AKDT - America/Yellowknife MST MDT - Antarctica/Macquarie AEST AEDT --Asia/Amman EET EEST - Asia/Beirut EET EEST --Asia/Damascus EET EEST - Asia/Famagusta EET EEST - Asia/Gaza EET EEST - Asia/Hebron EET EEST diff --git a/jdk8305113-tzdata2023c.patch b/jdk8305113-tzdata2023c.patch new file mode 100644 index 0000000..6758dfd --- /dev/null +++ b/jdk8305113-tzdata2023c.patch @@ -0,0 +1,1098 @@ +commit 9619cdb7b7f63f2d8a71d35c8672be93fd6255e9 +Author: Yoshiki Sato +Date: Wed Apr 5 01:19:00 2023 +0000 + + Backport ed9592c6e81f82e2bf6508ce45ba15aad8232181 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index 0f328a4a7ff..66bd061e8bc 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022g ++tzdata2023c +diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa +index 830d7d10b7e..a73405fdb01 100644 +--- a/make/data/tzdata/africa ++++ b/make/data/tzdata/africa +@@ -344,6 +344,14 @@ Rule Egypt 2007 only - Sep Thu>=1 24:00 0 - + # From Mina Samuel (2016-07-04): + # Egyptian government took the decision to cancel the DST, + ++# From Ahmad ElDardiry (2023-03-01): ++# Egypt officially announced today that daylight savings will be ++# applied from last Friday of April to last Thursday of October. ++# From Paul Eggert (2023-03-01): ++# Assume transitions are at 00:00 and 24:00 respectively. ++# From Amir Adib (2023-03-07): ++# https://www.facebook.com/EgyptianCabinet/posts/638829614954129/ ++ + Rule Egypt 2008 only - Aug lastThu 24:00 0 - + Rule Egypt 2009 only - Aug 20 24:00 0 - + Rule Egypt 2010 only - Aug 10 24:00 0 - +@@ -353,6 +361,8 @@ Rule Egypt 2014 only - May 15 24:00 1:00 S + Rule Egypt 2014 only - Jun 26 24:00 0 - + Rule Egypt 2014 only - Jul 31 24:00 1:00 S + Rule Egypt 2014 only - Sep lastThu 24:00 0 - ++Rule Egypt 2023 max - Apr lastFri 0:00 1:00 S ++Rule Egypt 2023 max - Oct lastThu 24:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + #STDOFF 2:05:08.9 +@@ -452,7 +462,7 @@ Zone Africa/Nairobi 2:27:16 - LMT 1908 May + # President William R. Tolbert, Jr., July 23, 1971-July 31, 1972. + # Monrovia: Executive Mansion. + # +-# Use the abbreviation "MMT" before 1972, as the more-accurate numeric ++# Use the abbreviation "MMT" before 1972, as the more accurate numeric + # abbreviation "-004430" would be one byte over the POSIX limit. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -589,8 +599,8 @@ Zone Africa/Tripoli 0:52:44 - LMT 1920 + # DST the coming summer... + # + # Some sources, in French: +-# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB +-# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints- ++# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-«-L%E2%80%99heure-d%E2%80%99été-ne-sera-pas-appliquée-cette-année-» ++# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-économie-d-énergie-de-l-heure-d-été-ont-été-atteints- + # + # Our wrap-up: + # https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html +@@ -721,7 +731,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # More articles in the press + # https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html + # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923 +-# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim ++# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT+1-a-partir-de-dim + + # From Petr Machata (2011-03-30): + # They have it written in English here: +@@ -736,7 +746,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # According to Infomédiaire web site from Morocco (infomediaire.ma), + # on March 9, 2012, (in French) Heure légale: + # Le Maroc adopte officiellement l'heure d'été +-# http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9 ++# http://www.infomediaire.ma/news/maroc/heure-légale-le-maroc-adopte-officiellement-lheure-dété + # Governing Council adopted draft decree, that Morocco DST starts on + # the last Sunday of March (March 25, 2012) and ends on + # last Sunday of September (September 30, 2012) +@@ -860,19 +870,28 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # Friday or Saturday (and so the 2 days off are on a weekend), the next time + # shift will be the next weekend. + # +-# From Paul Eggert (2020-05-31): ++# From Milamber (2021-03-31, 2022-03-10): ++# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 ++# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ ++# ++# From Milamber (2023-03-14, 2023-03-15): ++# The return to legal GMT time will take place this Sunday, March 19 at 3 a.m. ++# ... the return to GMT+1 will be made on Sunday April 23, 2023 at 2 a.m. ++# https://www.mmsp.gov.ma/fr/actualites/passage-à-l%E2%80%99heure-gmt-à-partir-du-dimanche-19-mars-2023 ++# ++# From Paul Eggert (2023-03-14): + # For now, guess that in the future Morocco will fall back at 03:00 + # the last Sunday before Ramadan, and spring forward at 02:00 the +-# first Sunday after two days after Ramadan. To implement this, ++# first Sunday after one day after Ramadan. To implement this, + # transition dates and times for 2019 through 2087 were determined by +-# running the following program under GNU Emacs 26.3. (This algorithm ++# running the following program under GNU Emacs 28.2. (This algorithm + # also produces the correct transition dates for 2016 through 2018, + # though the times differ due to Morocco's time zone change in 2018.) + # (let ((islamic-year 1440)) + # (require 'cal-islam) + # (while (< islamic-year 1511) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +-# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) + # (sunday 0)) + # (while (/= sunday (mod (setq a (1- a)) 7))) + # (while (/= sunday (mod b 7)) +@@ -886,10 +905,6 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) + # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) + # (setq islamic-year (+ 1 islamic-year)))) +-# +-# From Milamber (2021-03-31, 2022-03-10), confirming these predictions: +-# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 +-# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Morocco 1939 only - Sep 12 0:00 1:00 - +@@ -942,7 +957,7 @@ Rule Morocco 2021 only - May 16 2:00 0 - + Rule Morocco 2022 only - Mar 27 3:00 -1:00 - + Rule Morocco 2022 only - May 8 2:00 0 - + Rule Morocco 2023 only - Mar 19 3:00 -1:00 - +-Rule Morocco 2023 only - Apr 30 2:00 0 - ++Rule Morocco 2023 only - Apr 23 2:00 0 - + Rule Morocco 2024 only - Mar 10 3:00 -1:00 - + Rule Morocco 2024 only - Apr 14 2:00 0 - + Rule Morocco 2025 only - Feb 23 3:00 -1:00 - +@@ -958,7 +973,7 @@ Rule Morocco 2029 only - Feb 18 2:00 0 - + Rule Morocco 2029 only - Dec 30 3:00 -1:00 - + Rule Morocco 2030 only - Feb 10 2:00 0 - + Rule Morocco 2030 only - Dec 22 3:00 -1:00 - +-Rule Morocco 2031 only - Feb 2 2:00 0 - ++Rule Morocco 2031 only - Jan 26 2:00 0 - + Rule Morocco 2031 only - Dec 14 3:00 -1:00 - + Rule Morocco 2032 only - Jan 18 2:00 0 - + Rule Morocco 2032 only - Nov 28 3:00 -1:00 - +@@ -974,7 +989,7 @@ Rule Morocco 2036 only - Nov 23 2:00 0 - + Rule Morocco 2037 only - Oct 4 3:00 -1:00 - + Rule Morocco 2037 only - Nov 15 2:00 0 - + Rule Morocco 2038 only - Sep 26 3:00 -1:00 - +-Rule Morocco 2038 only - Nov 7 2:00 0 - ++Rule Morocco 2038 only - Oct 31 2:00 0 - + Rule Morocco 2039 only - Sep 18 3:00 -1:00 - + Rule Morocco 2039 only - Oct 23 2:00 0 - + Rule Morocco 2040 only - Sep 2 3:00 -1:00 - +@@ -990,7 +1005,7 @@ Rule Morocco 2044 only - Aug 28 2:00 0 - + Rule Morocco 2045 only - Jul 9 3:00 -1:00 - + Rule Morocco 2045 only - Aug 20 2:00 0 - + Rule Morocco 2046 only - Jul 1 3:00 -1:00 - +-Rule Morocco 2046 only - Aug 12 2:00 0 - ++Rule Morocco 2046 only - Aug 5 2:00 0 - + Rule Morocco 2047 only - Jun 23 3:00 -1:00 - + Rule Morocco 2047 only - Jul 28 2:00 0 - + Rule Morocco 2048 only - Jun 7 3:00 -1:00 - +@@ -1006,7 +1021,7 @@ Rule Morocco 2052 only - Jun 2 2:00 0 - + Rule Morocco 2053 only - Apr 13 3:00 -1:00 - + Rule Morocco 2053 only - May 25 2:00 0 - + Rule Morocco 2054 only - Apr 5 3:00 -1:00 - +-Rule Morocco 2054 only - May 17 2:00 0 - ++Rule Morocco 2054 only - May 10 2:00 0 - + Rule Morocco 2055 only - Mar 28 3:00 -1:00 - + Rule Morocco 2055 only - May 2 2:00 0 - + Rule Morocco 2056 only - Mar 12 3:00 -1:00 - +@@ -1022,7 +1037,7 @@ Rule Morocco 2060 only - Mar 7 2:00 0 - + Rule Morocco 2061 only - Jan 16 3:00 -1:00 - + Rule Morocco 2061 only - Feb 27 2:00 0 - + Rule Morocco 2062 only - Jan 8 3:00 -1:00 - +-Rule Morocco 2062 only - Feb 19 2:00 0 - ++Rule Morocco 2062 only - Feb 12 2:00 0 - + Rule Morocco 2062 only - Dec 31 3:00 -1:00 - + Rule Morocco 2063 only - Feb 4 2:00 0 - + Rule Morocco 2063 only - Dec 16 3:00 -1:00 - +@@ -1038,7 +1053,7 @@ Rule Morocco 2067 only - Dec 11 2:00 0 - + Rule Morocco 2068 only - Oct 21 3:00 -1:00 - + Rule Morocco 2068 only - Dec 2 2:00 0 - + Rule Morocco 2069 only - Oct 13 3:00 -1:00 - +-Rule Morocco 2069 only - Nov 24 2:00 0 - ++Rule Morocco 2069 only - Nov 17 2:00 0 - + Rule Morocco 2070 only - Oct 5 3:00 -1:00 - + Rule Morocco 2070 only - Nov 9 2:00 0 - + Rule Morocco 2071 only - Sep 20 3:00 -1:00 - +@@ -1054,7 +1069,7 @@ Rule Morocco 2075 only - Sep 15 2:00 0 - + Rule Morocco 2076 only - Jul 26 3:00 -1:00 - + Rule Morocco 2076 only - Sep 6 2:00 0 - + Rule Morocco 2077 only - Jul 18 3:00 -1:00 - +-Rule Morocco 2077 only - Aug 29 2:00 0 - ++Rule Morocco 2077 only - Aug 22 2:00 0 - + Rule Morocco 2078 only - Jul 10 3:00 -1:00 - + Rule Morocco 2078 only - Aug 14 2:00 0 - + Rule Morocco 2079 only - Jun 25 3:00 -1:00 - +@@ -1064,13 +1079,13 @@ Rule Morocco 2080 only - Jul 21 2:00 0 - + Rule Morocco 2081 only - Jun 1 3:00 -1:00 - + Rule Morocco 2081 only - Jul 13 2:00 0 - + Rule Morocco 2082 only - May 24 3:00 -1:00 - +-Rule Morocco 2082 only - Jul 5 2:00 0 - ++Rule Morocco 2082 only - Jun 28 2:00 0 - + Rule Morocco 2083 only - May 16 3:00 -1:00 - + Rule Morocco 2083 only - Jun 20 2:00 0 - + Rule Morocco 2084 only - Apr 30 3:00 -1:00 - + Rule Morocco 2084 only - Jun 11 2:00 0 - + Rule Morocco 2085 only - Apr 22 3:00 -1:00 - +-Rule Morocco 2085 only - Jun 3 2:00 0 - ++Rule Morocco 2085 only - May 27 2:00 0 - + Rule Morocco 2086 only - Apr 14 3:00 -1:00 - + Rule Morocco 2086 only - May 19 2:00 0 - + Rule Morocco 2087 only - Mar 30 3:00 -1:00 - +@@ -1213,15 +1228,15 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # From P Chan (2020-12-03): + # GMT was adopted as the standard time of Lagos on 1905-07-01. + # Lagos Weekly Record, 1905-06-24, p 3 +-# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235 ++# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446,5221,1931,1235 + # says "It is officially notified that on and after the 1st of July 1905 +-# Greenwich Mean Solar Time will be adopted thought the Colony and ++# Greenwich Mean Solar Time will be adopted throughout the Colony and + # Protectorate, and that it will be necessary to put all clocks 13 minutes and + # 35 seconds back, recording local mean time." + # + # It seemed that Lagos returned to LMT on 1908-07-01. + # [The Lagos Standard], 1908-07-01, p 5 +-# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523 ++# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92,3590,3944,2523 + # says "Scarcely have the people become accustomed to this new time, when + # another official notice has now appeared announcing that from and after the + # 1st July next, return will be made to local mean time." +@@ -1233,7 +1248,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27 + # "On January 1st [1914], a universal standard time for Nigeria was adopted, + # viz., half an hour fast on Greenwich mean time, corresponding to the meridian +-# 7 [degrees] 30' E. long." ++# 7° 30' E. long." + # Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos + # was the local mean time. On 1st January, 1914, standard time for the whole of + # Nigeria was introduced ... Lagos time has been advanced about 16 minutes +@@ -1251,7 +1266,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first + # reading of this Bill by the Legislative Council of the Colony of Nigeria on + # Thursday 1919-08-28: +-# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915 ++# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261,3408,2994,1915 + # "The proposal is that the Globe should be divided into twelve zones East and + # West of Greenwich, of one hour each, Nigeria falling into the zone with a + # standard of one hour fast on Greenwich Mean Time. Nigeria standard time is +diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica +index 792542b9224..3de5e726eb4 100644 +--- a/make/data/tzdata/antarctica ++++ b/make/data/tzdata/antarctica +@@ -315,7 +315,7 @@ Zone Antarctica/Rothera 0 - -00 1976 Dec 1 + # but that he found it more convenient to keep GMT+12 + # as supplies for the station were coming from McMurdo Sound, + # which was on GMT+12 because New Zealand was on GMT+12 all year +-# at that time (1957). (Source: Siple's book 90 Degrees South.) ++# at that time (1957). (Source: Siple's book 90° South.) + # + # From Susan Smith + # http://www.cybertours.com/whs/pole10.html +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index ff81978bc47..6a048c3ad28 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -2714,6 +2714,40 @@ Zone Asia/Pyongyang 8:23:00 - LMT 1908 Apr 1 + + + # Lebanon ++# ++# From Saadallah Itani (2023-03-23): ++# Lebanon ... announced today delay of Spring forward from March 25 to April 20. ++# ++# From Paul Eggert (2023-03-27): ++# This announcement was by the Lebanese caretaker prime minister Najib Mikati. ++# https://www.mtv.com.lb/en/News/Local/1352516/lebanon-postpones-daylight-saving-time-adoption ++# A video was later leaked to the media of parliament speaker Nabih Berri ++# asking Mikati to postpone DST to aid observance of Ramadan, Mikati objecting ++# that this would cause problems such as scheduling airline flights, to which ++# Berri interjected, "What flights?" ++# ++# The change was controversial and led to a partly-sectarian divide. ++# Many Lebanese institutions, including the education ministry, the Maronite ++# church, and two news channels LCBI and MTV, ignored the announcement and ++# went ahead with the long-scheduled spring-forward on March 25/26, some ++# arguing that the prime minister had not followed the law because the change ++# had not been approved by the cabinet. Google went with the announcement; ++# Apple ignored it. At least one bank followed the announcement for its doors, ++# but ignored the announcement in internal computer systems. ++# Beirut international airport listed two times for each departure. ++# Dan Azzi wrote "My view is that this whole thing is a Dumb and Dumber movie." ++# Eventually the prime minister backed down, said the cabinet had decided to ++# stick with its 1998 decision, and that DST would begin midnight March 29/30. ++# https://www.nna-leb.gov.lb/en/miscellaneous/604093/lebanon-has-two-times-of-day-amid-daylight-savings ++# https://www.cnbc.com/2023/03/27/lebanon-in-two-different-time-zones-as-government-disagrees-on-daylight-savings.html ++# ++# Although we could model the chaos with two Zones, that would likely cause ++# more trouble than it would cure. Since so many manual clocks and ++# computer-based timestamps ignored the announcement, stick with official ++# cabinet resolutions in the data while recording the prime minister's ++# announcement as a comment. This is how we treated a similar situation in ++# Rio de Janeiro in spring 1993. ++# + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Lebanon 1920 only - Mar 28 0:00 1:00 S + Rule Lebanon 1920 only - Oct 25 0:00 0 - +@@ -2739,6 +2773,10 @@ Rule Lebanon 1992 only - Oct 4 0:00 0 - + Rule Lebanon 1993 max - Mar lastSun 0:00 1:00 S + Rule Lebanon 1993 1998 - Sep lastSun 0:00 0 - + Rule Lebanon 1999 max - Oct lastSun 0:00 0 - ++# This one-time rule, announced by the prime minister first for April 21 ++# then for March 30, is commented out for reasons described above. ++#Rule Lebanon 2023 only - Mar 30 0:00 1:00 S ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Beirut 2:22:00 - LMT 1880 + 2:00 Lebanon EE%sT +@@ -2977,7 +3015,7 @@ Zone Asia/Kathmandu 5:41:16 - LMT 1920 + # 9pm and moving clocks forward by one hour for the next three months. ...." + # + # http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html +-# http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4 ++# http://www.dailytimes.com.pk/default.asp?page=2008\05\15\story_15-5-2008_pg1_4 + + # From Arthur David Olson (2008-05-19): + # XXX--midnight transitions is a guess; 2008 only is a guess. +@@ -3300,7 +3338,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # Some of many sources in Arabic: + # http://www.samanews.com/index.php?act=Show&id=122638 + # +-# http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html ++# http://safa.ps/details/news/74352/بدء-التوقيت-الصيفي-بالضفة-وغزة-ليلة-الجمعة.html + # + # Our brief summary: + # https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html +@@ -3310,7 +3348,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # time from midnight on Friday, March 29, 2013" (translated). + # [These are in Arabic and are for Gaza and for Ramallah, respectively.] + # http://www.samanews.com/index.php?act=Show&id=154120 +-# http://safa.ps/details/news/99844/%D8%B1%D8%A7%D9%85-%D8%A7%D9%84%D9%84%D9%87-%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-29-%D8%A7%D9%84%D8%AC%D8%A7%D8%B1%D9%8A.html ++# http://safa.ps/details/news/99844/رام-الله-بدء-التوقيت-الصيفي-29-الجاري.html + + # From Steffen Thorsen (2013-09-24): + # The Gaza and West Bank are ending DST Thursday at midnight +@@ -3408,9 +3446,41 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # (2022-08-31): ... the Saturday before the last Sunday in March and October + # at 2:00 AM ,for the years from 2023 to 2026. + # (2022-09-05): https://mtit.pna.ps/Site/New/1453 +-# +-# From Paul Eggert (2022-08-31): +-# For now, assume that this rule will also be used after 2026. ++ ++# From Heba Hamad (2023-03-22): ++# ... summer time will begin in Palestine from Saturday 04-29-2023, ++# 02:00 AM by 60 minutes forward. ++# ++# From Paul Eggert (2023-03-22): ++# For now, guess that spring and fall transitions will normally ++# continue to use 2022's rules, that during DST Palestine will switch ++# to standard time at 02:00 the last Saturday before Ramadan and back ++# to DST at 02:00 the first Saturday after Ramadan, and that ++# if the normal spring-forward or fall-back transition occurs during ++# Ramadan the former is delayed and the latter advanced. ++# To implement this, I predicted Ramadan-oriented transition dates for ++# 2023 through 2086 by running the following program under GNU Emacs 28.2, ++# with the results integrated by hand into the table below. ++# Predictions after 2086 are approximated without Ramadan. ++# ++# (let ((islamic-year 1444)) ++# (require 'cal-islam) ++# (while (< islamic-year 1510) ++# (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (saturday 6)) ++# (while (/= saturday (mod (setq a (1- a)) 7))) ++# (while (/= saturday (mod b 7)) ++# (setq b (1+ b))) ++# (setq a (calendar-gregorian-from-absolute a)) ++# (setq b (calendar-gregorian-from-absolute b)) ++# (insert ++# (format ++# (concat "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t0\t-\n" ++# "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t1:00\tS\n") ++# (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) ++# (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) ++# (setq islamic-year (+ 1 islamic-year)))) + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S +@@ -3450,8 +3520,86 @@ Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - + Rule Palestine 2021 only - Oct 29 1:00 0 - + Rule Palestine 2022 only - Mar 27 0:00 1:00 S +-Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - +-Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2022 2035 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 only - Apr 29 2:00 1:00 S ++Rule Palestine 2024 only - Apr 13 2:00 1:00 S ++Rule Palestine 2025 only - Apr 5 2:00 1:00 S ++Rule Palestine 2026 2054 - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2036 only - Oct 18 2:00 0 - ++Rule Palestine 2037 only - Oct 10 2:00 0 - ++Rule Palestine 2038 only - Sep 25 2:00 0 - ++Rule Palestine 2039 only - Sep 17 2:00 0 - ++Rule Palestine 2039 only - Oct 22 2:00 1:00 S ++Rule Palestine 2039 2067 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2040 only - Sep 1 2:00 0 - ++Rule Palestine 2040 only - Oct 13 2:00 1:00 S ++Rule Palestine 2041 only - Aug 24 2:00 0 - ++Rule Palestine 2041 only - Sep 28 2:00 1:00 S ++Rule Palestine 2042 only - Aug 16 2:00 0 - ++Rule Palestine 2042 only - Sep 20 2:00 1:00 S ++Rule Palestine 2043 only - Aug 1 2:00 0 - ++Rule Palestine 2043 only - Sep 12 2:00 1:00 S ++Rule Palestine 2044 only - Jul 23 2:00 0 - ++Rule Palestine 2044 only - Aug 27 2:00 1:00 S ++Rule Palestine 2045 only - Jul 15 2:00 0 - ++Rule Palestine 2045 only - Aug 19 2:00 1:00 S ++Rule Palestine 2046 only - Jun 30 2:00 0 - ++Rule Palestine 2046 only - Aug 11 2:00 1:00 S ++Rule Palestine 2047 only - Jun 22 2:00 0 - ++Rule Palestine 2047 only - Jul 27 2:00 1:00 S ++Rule Palestine 2048 only - Jun 6 2:00 0 - ++Rule Palestine 2048 only - Jul 18 2:00 1:00 S ++Rule Palestine 2049 only - May 29 2:00 0 - ++Rule Palestine 2049 only - Jul 3 2:00 1:00 S ++Rule Palestine 2050 only - May 21 2:00 0 - ++Rule Palestine 2050 only - Jun 25 2:00 1:00 S ++Rule Palestine 2051 only - May 6 2:00 0 - ++Rule Palestine 2051 only - Jun 17 2:00 1:00 S ++Rule Palestine 2052 only - Apr 27 2:00 0 - ++Rule Palestine 2052 only - Jun 1 2:00 1:00 S ++Rule Palestine 2053 only - Apr 12 2:00 0 - ++Rule Palestine 2053 only - May 24 2:00 1:00 S ++Rule Palestine 2054 only - Apr 4 2:00 0 - ++Rule Palestine 2054 only - May 16 2:00 1:00 S ++Rule Palestine 2055 only - May 1 2:00 1:00 S ++Rule Palestine 2056 only - Apr 22 2:00 1:00 S ++Rule Palestine 2057 only - Apr 7 2:00 1:00 S ++Rule Palestine 2058 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2068 only - Oct 20 2:00 0 - ++Rule Palestine 2069 only - Oct 12 2:00 0 - ++Rule Palestine 2070 only - Oct 4 2:00 0 - ++Rule Palestine 2071 only - Sep 19 2:00 0 - ++Rule Palestine 2072 only - Sep 10 2:00 0 - ++Rule Palestine 2072 only - Oct 15 2:00 1:00 S ++Rule Palestine 2073 only - Sep 2 2:00 0 - ++Rule Palestine 2073 only - Oct 7 2:00 1:00 S ++Rule Palestine 2074 only - Aug 18 2:00 0 - ++Rule Palestine 2074 only - Sep 29 2:00 1:00 S ++Rule Palestine 2075 only - Aug 10 2:00 0 - ++Rule Palestine 2075 only - Sep 14 2:00 1:00 S ++Rule Palestine 2075 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2076 only - Jul 25 2:00 0 - ++Rule Palestine 2076 only - Sep 5 2:00 1:00 S ++Rule Palestine 2077 only - Jul 17 2:00 0 - ++Rule Palestine 2077 only - Aug 28 2:00 1:00 S ++Rule Palestine 2078 only - Jul 9 2:00 0 - ++Rule Palestine 2078 only - Aug 13 2:00 1:00 S ++Rule Palestine 2079 only - Jun 24 2:00 0 - ++Rule Palestine 2079 only - Aug 5 2:00 1:00 S ++Rule Palestine 2080 only - Jun 15 2:00 0 - ++Rule Palestine 2080 only - Jul 20 2:00 1:00 S ++Rule Palestine 2081 only - Jun 7 2:00 0 - ++Rule Palestine 2081 only - Jul 12 2:00 1:00 S ++Rule Palestine 2082 only - May 23 2:00 0 - ++Rule Palestine 2082 only - Jul 4 2:00 1:00 S ++Rule Palestine 2083 only - May 15 2:00 0 - ++Rule Palestine 2083 only - Jun 19 2:00 1:00 S ++Rule Palestine 2084 only - Apr 29 2:00 0 - ++Rule Palestine 2084 only - Jun 10 2:00 1:00 S ++Rule Palestine 2085 only - Apr 21 2:00 0 - ++Rule Palestine 2085 only - Jun 2 2:00 1:00 S ++Rule Palestine 2086 only - Apr 13 2:00 0 - ++Rule Palestine 2086 only - May 18 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +@@ -3655,7 +3803,7 @@ Zone Asia/Singapore 6:55:25 - LMT 1901 Jan 1 + # standard time is SLST. + # + # From Paul Eggert (2016-10-18): +-# "SLST" seems to be reasonably recent and rarely-used outside time ++# "SLST" seems to be reasonably recent and rarely used outside time + # zone nerd sources. I searched Google News and found three uses of + # it in the International Business Times of India in February and + # March of this year when discussing cricket match times, but nothing +diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia +index fbe3b8a6d72..893d7055eab 100644 +--- a/make/data/tzdata/australasia ++++ b/make/data/tzdata/australasia +@@ -346,7 +346,7 @@ Zone Antarctica/Macquarie 0 - -00 1899 Nov + + # From Steffen Thorsen (2013-01-10): + # Fiji will end DST on 2014-01-19 02:00: +-# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-%281%29.aspx ++# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-(1).aspx + + # From Ken Rylander (2014-10-20): + # DST will start Nov. 2 this year. +@@ -746,7 +746,7 @@ Zone Pacific/Pago_Pago 12:37:12 - LMT 1892 Jul 5 + # + # Samoa's Daylight Saving Time Act 2009 is available here, but does not + # contain any dates: +-# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20%28English%29%20-%20Final%207-7-091.pdf ++# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20(English)%20-%20Final%207-7-091.pdf + + # From Laupue Raymond Hughes (2010-10-07): + # Please see +@@ -1831,7 +1831,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # period. It would probably be reasonable to assume Guam use GMT+9 during + # that period of time like the surrounding area. + +-# From Paul Eggert (2018-11-18): ++# From Paul Eggert (2023-01-23): + # Howse writes (p 153) "The Spaniards, on the other hand, reached the + # Philippines and the Ladrones from America," and implies that the Ladrones + # (now called the Marianas) kept American date for quite some time. +@@ -1844,7 +1844,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # they did as that avoids the need for a separate zone due to our 1970 cutoff. + # + # US Public Law 106-564 (2000-12-23) made UT +10 the official standard time, +-# under the name "Chamorro Standard Time". There is no official abbreviation, ++# under the name "Chamorro standard time". There is no official abbreviation, + # but Congressman Robert A. Underwood, author of the bill that became law, + # wrote in a press release (2000-12-27) that he will seek the use of "ChST". + +@@ -2222,24 +2222,18 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # an international standard, there are some places on the high seas where the + # correct date is ambiguous. + +-# From Wikipedia (2005-08-31): +-# Before 1920, all ships kept local apparent time on the high seas by setting +-# their clocks at night or at the morning sight so that, given the ship's +-# speed and direction, it would be 12 o'clock when the Sun crossed the ship's +-# meridian (12 o'clock = local apparent noon). During 1917, at the +-# Anglo-French Conference on Time-keeping at Sea, it was recommended that all +-# ships, both military and civilian, should adopt hourly standard time zones +-# on the high seas. Whenever a ship was within the territorial waters of any +-# nation it would use that nation's standard time. The captain was permitted +-# to change his ship's clocks at a time of his choice following his ship's +-# entry into another zone time - he often chose midnight. These zones were +-# adopted by all major fleets between 1920 and 1925 but not by many +-# independent merchant ships until World War II. +- +-# From Paul Eggert, using references suggested by Oscar van Vlijmen +-# (2005-03-20): +-# +-# The American Practical Navigator (2002) +-# http://pollux.nss.nima.mil/pubs/pubs_j_apn_sections.html?rid=187 +-# talks only about the 180-degree meridian with respect to ships in +-# international waters; it ignores the international date line. ++# From Wikipedia (2023-01-23): ++# The nautical time zone system is analogous to the terrestrial time zone ++# system for use on high seas. Under the system time changes are required for ++# changes of longitude in one-hour steps. The one-hour step corresponds to a ++# time zone width of 15° longitude. The 15° gore that is offset from GMT or ++# UT1 (not UTC) by twelve hours is bisected by the nautical date line into two ++# 7°30' gores that differ from GMT by ±12 hours. A nautical date line is ++# implied but not explicitly drawn on time zone maps. It follows the 180th ++# meridian except where it is interrupted by territorial waters adjacent to ++# land, forming gaps: it is a pole-to-pole dashed line. ++ ++# From Paul Eggert (2023-01-23): ++# The American Practical Navigator , ++# 2019 edition, merely says that the International Date Line ++# "coincides with the 180th meridian over most of its length." +diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward +index fa44f655009..c0746d6dd1b 100644 +--- a/make/data/tzdata/backward ++++ b/make/data/tzdata/backward +@@ -297,6 +297,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index acc5da3ec79..446d2e1e658 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -540,9 +540,7 @@ Zone Europe/London -0:01:15 - LMT 1847 Dec 1 + # other form with a traditional approximation for Irish timestamps + # after 1971-10-31 02:00 UTC; although this approximation has tm_isdst + # flags that are reversed, its UTC offsets are correct and this often +-# suffices. This source file currently uses only nonnegative SAVE +-# values, but this is intended to change and downstream code should +-# not rely on it. ++# suffices.... + # + # The following is like GB-Eire and EU, except with standard time in + # summer and negative daylight saving time in winter. It is for when +@@ -1136,19 +1134,18 @@ Zone Atlantic/Faroe -0:27:04 - LMT 1908 Jan 11 # Tórshavn + # + # From Jürgen Appel (2022-11-25): + # https://ina.gl/samlinger/oversigt-over-samlinger/samling/dagsordener/dagsorden.aspx?lang=da&day=24-11-2022 +-# If I understand this correctly, from the next planned switch to +-# summer time, Greenland will permanently stay at that time, i.e. no +-# switch back to winter time in 2023 will occur. +-# +-# From Paul Eggert (2022-11-28): +-# The official document in Danish +-# https://naalakkersuisut.gl/-/media/naalakkersuisut/filer/kundgoerelser/2022/11/2511/31_da_inatsisartutlov-om-tidens-bestemmelse.pdf?la=da&hash=A33597D8A38CC7038465241119EF34F3 +-# says standard time for Greenland is -02, that Naalakkersuisut can lay down +-# rules for DST and can require some areas to use a different time zone, +-# and that this all takes effect 2023-03-25 22:00. The abovementioned +-# "bekymringer" URL says the intent is no transition March 25, that +-# Greenland will not go back to winter time in fall 2023, and that +-# only America/Nuuk is affected (though further changes may occur). ++# ++# From Thomas M. Steenholdt (2022-12-02): ++# - The bill to move America/Nuuk from UTC-03 to UTC-02 passed. ++# - The bill to stop observing DST did not (Greenland will stop observing DST ++# when EU does). ++# Details on the implementation are here (section 6): ++# https://ina.gl/dvd/EM%202022/pdf/media/2553529/pkt17_em2022_tidens_bestemmelse_bem_da.pdf ++# This is how the change will be implemented: ++# 1. The shift *to* DST in 2023 happens as normal. ++# 2. The shift *from* DST in 2023 happens as normal, but coincides with the ++# shift to UTC-02 normaltime (people will not change their clocks here). ++# 3. After this, DST is still observed, but as -02/-01 instead of -03/-02. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D +@@ -1172,8 +1169,8 @@ Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit + -1:00 EU -01/+00 + Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb + -3:00 - -03 1980 Apr 6 2:00 +- -3:00 EU -03/-02 2023 Mar 25 22:00 +- -2:00 - -02 ++ -3:00 EU -03/-02 2023 Oct 29 1:00u ++ -2:00 EU -02/-01 + Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik + -4:00 Thule A%sT + +@@ -1509,9 +1506,9 @@ Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 + Rule Germany 1946 only - Apr 14 2:00s 1:00 S + Rule Germany 1946 only - Oct 7 2:00s 0 - + Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - +-# http://www.ptb.de/de/org/4/44/441/salt.htm says the following transition +-# occurred at 3:00 MEZ, not the 2:00 MEZ given in Shanks & Pottenger. +-# Go with the PTB. ++# https://www.ptb.de/cms/en/ptb/fachabteilungen/abt4/fb-44/ag-441/realisation-of-legal-time-in-germany/dst-and-midsummer-dst-in-germany-until-1979.html ++# says the following transition occurred at 3:00 MEZ, not the 2:00 MEZ ++# given in Shanks & Pottenger. Go with the PTB. + Rule Germany 1947 only - Apr 6 3:00s 1:00 S + Rule Germany 1947 only - May 11 2:00s 2:00 M + Rule Germany 1947 only - Jun 29 3:00 1:00 S +@@ -2272,7 +2269,7 @@ Zone Europe/Bucharest 1:44:24 - LMT 1891 Oct + # the State Duma has approved ... the draft bill on returning to + # winter time standard and return Russia 11 time zones. The new + # regulations will come into effect on October 26, 2014 at 02:00 ... +-# http://asozd2.duma.gov.ru/main.nsf/%28Spravka%29?OpenAgent&RN=431985-6&02 ++# http://asozd2.duma.gov.ru/main.nsf/(Spravka)?OpenAgent&RN=431985-6&02 + # Here is a link where we put together table (based on approved Bill N + # 431985-6) with proposed 11 Russian time zones and corresponding + # areas/cities/administrative centers in the Russian Federation (in English): +@@ -2682,13 +2679,13 @@ Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3 + 3:00 - +03 1930 Jun 21 + 4:00 - +04 1961 Nov 11 + 4:00 Russia +04/+05 1988 Mar 27 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 2018 Oct 28 2:00s ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK 2018 Oct 28 2:00s + 4:00 - +04 2020 Dec 27 2:00s +- 3:00 - +03 ++ 3:00 - MSK + + # From Paul Eggert (2016-11-11): + # Europe/Saratov covers: +@@ -2719,11 +2716,11 @@ Zone Europe/Saratov 3:04:18 - LMT 1919 Jul 1 0:00u + Zone Europe/Kirov 3:18:48 - LMT 1919 Jul 1 0:00u + 3:00 - +03 1930 Jun 21 + 4:00 Russia +04/+05 1989 Mar 26 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK + + # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25): + # Europe/Samara covers... +diff --git a/make/data/tzdata/iso3166.tab b/make/data/tzdata/iso3166.tab +index fbfb74bec45..cea17732dd1 100644 +--- a/make/data/tzdata/iso3166.tab ++++ b/make/data/tzdata/iso3166.tab +@@ -261,7 +261,7 @@ SY Syria + SZ Eswatini (Swaziland) + TC Turks & Caicos Is + TD Chad +-TF French Southern Territories ++TF French S. Terr. + TG Togo + TH Thailand + TJ Tajikistan +diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds +index d6fb840f512..89ce8b89cd2 100644 +--- a/make/data/tzdata/leapseconds ++++ b/make/data/tzdata/leapseconds +@@ -95,11 +95,11 @@ Leap 2016 Dec 31 23:59:60 + S + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2023 Jun 28 00:00:00 ++#Expires 2023 Dec 28 00:00:00 + + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1687910400 (2023-06-28 00:00:00 UTC) ++#expires 1703721600 (2023-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C64 +-# File expires on: 28 June 2023 ++# Updated through IERS Bulletin C65 ++# File expires on: 28 December 2023 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +index a5fd701f88c..e240cf35103 100644 +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -1,4 +1,3 @@ +-# + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + # + # This code is free software; you can redistribute it and/or modify it +@@ -299,9 +298,10 @@ Zone PST8PDT -8:00 US P%sT + # -10 Standard Alaska Time (AST) Alaska-Hawaii standard time (AHST) + # -11 (unofficial) Nome (NST) Bering standard time (BST) + # +-# From Paul Eggert (2000-01-08), following a heads-up from Rives McDow: +-# Public law 106-564 (2000-12-23) introduced ... "Chamorro Standard Time" ++# From Paul Eggert (2023-01-23), from a 2001-01-08 heads-up from Rives McDow: ++# Public law 106-564 (2000-12-23) introduced "Chamorro standard time" + # for time in Guam and the Northern Marianas. See the file "australasia". ++# Also see 15 U.S.C. §263 . + # + # From Paul Eggert (2015-04-17): + # HST and HDT are standardized abbreviations for Hawaii-Aleutian +@@ -618,7 +618,7 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # local times of other Alaskan locations so that they change simultaneously. + + # From Paul Eggert (2014-07-18): +-# One opinion of the early-1980s turmoil in Alaska over time zones and ++# One opinion of the early 1980s turmoil in Alaska over time zones and + # daylight saving time appeared as graffiti on a Juneau airport wall: + # "Welcome to Juneau. Please turn your watch back to the 19th century." + # See: Turner W. Alaska's four time zones now two. NY Times 1983-11-01. +@@ -690,6 +690,10 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # So they won't be waiting for Alaska to join them on 2019-03-10, but will + # rather change their clocks twice in seven weeks. + ++# From Paul Eggert (2023-01-23): ++# America/Adak is for the Aleutian Islands that are part of Alaska ++# and are west of 169.5° W. ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/Juneau 15:02:19 - LMT 1867 Oct 19 15:33:32 + -8:57:41 - LMT 1900 Aug 20 12:00 +@@ -2148,10 +2152,6 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 + # Nunavut ... moved ... to incorporate the whole territory into one time zone. + # Nunavut moves to single time zone Oct. 31 + # http://www.nunatsiaq.com/nunavut/nvt90903_13.html +-# +-# From Antoine Leca (1999-09-06): +-# We then need to create a new timezone for the Kitikmeot region of Nunavut +-# to differentiate it from the Yellowknife region. + + # From Paul Eggert (1999-09-20): + # Basic Facts: The New Territory +@@ -2345,9 +2345,6 @@ Zone America/Cambridge_Bay 0 - -00 1920 # trading post est.? + -5:00 - EST 2000 Nov 5 0:00 + -6:00 - CST 2001 Apr 1 3:00 + -7:00 Canada M%sT +-Zone America/Yellowknife 0 - -00 1935 # Yellowknife founded? +- -7:00 NT_YK M%sT 1980 +- -7:00 Canada M%sT + Zone America/Inuvik 0 - -00 1953 # Inuvik founded + -8:00 NT_YK P%sT 1979 Apr lastSun 2:00 + -7:00 NT_YK M%sT 1980 +@@ -2584,7 +2581,7 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # and in addition changes all of Chihuahua to -06 with no DST. + + # From Heitor David Pinto (2022-11-28): +-# Now the northern municipalities want to have the same time zone as the ++# Now the northern [municipios] want to have the same time zone as the + # respective neighboring cities in the US, for example Juárez in UTC-7 with + # DST, matching El Paso, and Ojinaga in UTC-6 with DST, matching Presidio.... + # the president authorized the publication of the decree for November 29, +@@ -2621,7 +2618,7 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT + # Coahuila, Nuevo León, Tamaulipas (near US border) +-# This includes the following municipalities: ++# This includes the following municipios: + # in Coahuila: Acuña, Allende, Guerrero, Hidalgo, Jiménez, Morelos, Nava, + # Ocampo, Piedras Negras, Villa Unión, Zaragoza + # in Nuevo León: Anáhuac +@@ -2647,8 +2644,8 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT + # Chihuahua (near US border - western side) +-# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, +-# and Práxedis G Guerrero. ++# This includes the municipios of Janos, Ascensión, Juárez, Guadalupe, and ++# Práxedis G Guerrero. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -2662,7 +2659,8 @@ Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2022 Nov 30 0:00 + -7:00 US M%sT + # Chihuahua (near US border - eastern side) +-# The municipalities of Coyame del Sotol, Ojinaga, and Manuel Benavides. ++# This includes the municipios of Coyame del Sotol, Ojinaga, and Manuel ++# Benavides. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -3083,7 +3081,7 @@ Zone America/Costa_Rica -5:36:13 - LMT 1890 # San José + # + # He supplied these references: + # +-# http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=ES ++# http://www.prensalatina.com.mx/article.asp?ID={4CC32C1B-A9F7-42FB-8A07-8631AFC923AF}&language=ES + # http://actualidad.terra.es/sociedad/articulo/cuba_llama_ahorrar_energia_cambio_1957044.htm + # + # From Alex Krivenyshev (2007-10-25): +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +index 81fdd793df4..4024e7180cd 100644 +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -231,7 +231,7 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 - + # Hora de verano para la República Argentina + # http://buenasiembra.com.ar/esoterismo/astrologia/hora-de-verano-de-la-republica-argentina-27.html + # says that standard time in Argentina from 1894-10-31 +-# to 1920-05-01 was -4:16:48.25. Go with this more-precise value ++# to 1920-05-01 was -4:16:48.25. Go with this more precise value + # over Shanks & Pottenger. It is upward compatible with Milne, who + # says Córdoba time was -4:16:48.2. + +diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab +index 939432d3456..3edb0d61c80 100644 +--- a/make/data/tzdata/zone.tab ++++ b/make/data/tzdata/zone.tab +@@ -144,9 +144,8 @@ CA +744144-0944945 America/Resolute Central - NU (Resolute) + CA +624900-0920459 America/Rankin_Inlet Central - NU (central) + CA +5024-10439 America/Regina CST - SK (most areas) + CA +5017-10750 America/Swift_Current CST - SK (midwest) +-CA +5333-11328 America/Edmonton Mountain - AB; BC (E); SK (W) ++CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) + CA +690650-1050310 America/Cambridge_Bay Mountain - NU (west) +-CA +6227-11421 America/Yellowknife Mountain - NT (central) + CA +682059-1334300 America/Inuvik Mountain - NT (west) + CA +4906-11631 America/Creston MST - BC (Creston) + CA +5546-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) +@@ -162,7 +161,7 @@ CG -0416+01517 Africa/Brazzaville + CH +4723+00832 Europe/Zurich + CI +0519-00402 Africa/Abidjan + CK -2114-15946 Pacific/Rarotonga +-CL -3327-07040 America/Santiago Chile (most areas) ++CL -3327-07040 America/Santiago most of Chile + CL -5309-07055 America/Punta_Arenas Region of Magallanes + CL -2709-10926 Pacific/Easter Easter Island + CM +0403+00942 Africa/Douala +@@ -174,10 +173,10 @@ CU +2308-08222 America/Havana + CV +1455-02331 Atlantic/Cape_Verde + CW +1211-06900 America/Curacao + CX -1025+10543 Indian/Christmas +-CY +3510+03322 Asia/Nicosia Cyprus (most areas) ++CY +3510+03322 Asia/Nicosia most of Cyprus + CY +3507+03357 Asia/Famagusta Northern Cyprus + CZ +5005+01426 Europe/Prague +-DE +5230+01322 Europe/Berlin Germany (most areas) ++DE +5230+01322 Europe/Berlin most of Germany + DE +4742+00841 Europe/Busingen Busingen + DJ +1136+04309 Africa/Djibouti + DK +5540+01235 Europe/Copenhagen +@@ -210,7 +209,7 @@ GF +0456-05220 America/Cayenne + GG +492717-0023210 Europe/Guernsey + GH +0533-00013 Africa/Accra + GI +3608-00521 Europe/Gibraltar +-GL +6411-05144 America/Nuuk Greenland (most areas) ++GL +6411-05144 America/Nuuk most of Greenland + GL +7646-01840 America/Danmarkshavn National Park (east coast) + GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit + GL +7634-06847 America/Thule Thule/Pituffik +@@ -258,7 +257,7 @@ KP +3901+12545 Asia/Pyongyang + KR +3733+12658 Asia/Seoul + KW +2920+04759 Asia/Kuwait + KY +1918-08123 America/Cayman +-KZ +4315+07657 Asia/Almaty Kazakhstan (most areas) ++KZ +4315+07657 Asia/Almaty most of Kazakhstan + KZ +4448+06528 Asia/Qyzylorda Qyzylorda/Kyzylorda/Kzyl-Orda + KZ +5312+06337 Asia/Qostanay Qostanay/Kostanay/Kustanay + KZ +5017+05710 Asia/Aqtobe Aqtobe/Aktobe +@@ -282,12 +281,12 @@ MD +4700+02850 Europe/Chisinau + ME +4226+01916 Europe/Podgorica + MF +1804-06305 America/Marigot + MG -1855+04731 Indian/Antananarivo +-MH +0709+17112 Pacific/Majuro Marshall Islands (most areas) ++MH +0709+17112 Pacific/Majuro most of Marshall Islands + MH +0905+16720 Pacific/Kwajalein Kwajalein + MK +4159+02126 Europe/Skopje + ML +1239-00800 Africa/Bamako + MM +1647+09610 Asia/Yangon +-MN +4755+10653 Asia/Ulaanbaatar Mongolia (most areas) ++MN +4755+10653 Asia/Ulaanbaatar most of Mongolia + MN +4801+09139 Asia/Hovd Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan + MN +4804+11430 Asia/Choibalsan Dornod, Sukhbaatar + MO +221150+1133230 Asia/Macau +@@ -325,7 +324,7 @@ NO +5955+01045 Europe/Oslo + NP +2743+08519 Asia/Kathmandu + NR -0031+16655 Pacific/Nauru + NU -1901-16955 Pacific/Niue +-NZ -3652+17446 Pacific/Auckland New Zealand (most areas) ++NZ -3652+17446 Pacific/Auckland most of New Zealand + NZ -4357-17633 Pacific/Chatham Chatham Islands + OM +2336+05835 Asia/Muscat + PA +0858-07932 America/Panama +@@ -333,7 +332,7 @@ PE -1203-07703 America/Lima + PF -1732-14934 Pacific/Tahiti Society Islands + PF -0900-13930 Pacific/Marquesas Marquesas Islands + PF -2308-13457 Pacific/Gambier Gambier Islands +-PG -0930+14710 Pacific/Port_Moresby Papua New Guinea (most areas) ++PG -0930+14710 Pacific/Port_Moresby most of Papua New Guinea + PG -0613+15534 Pacific/Bougainville Bougainville + PH +1435+12100 Asia/Manila + PK +2452+06703 Asia/Karachi +@@ -379,7 +378,7 @@ RU +4310+13156 Asia/Vladivostok MSK+07 - Amur River + RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky + RU +5934+15048 Asia/Magadan MSK+08 - Magadan + RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island +-RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); North Kuril Is ++RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is + RU +5301+15839 Asia/Kamchatka MSK+09 - Kamchatka + RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea + RW -0157+03004 Africa/Kigali +@@ -420,7 +419,7 @@ TT +1039-06131 America/Port_of_Spain + TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam +-UA +5026+03031 Europe/Kyiv Ukraine (most areas) ++UA +5026+03031 Europe/Kyiv most of Ukraine + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +@@ -443,7 +442,7 @@ US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) + US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) + US +394421-1045903 America/Denver Mountain (most areas) + US +433649-1161209 America/Boise Mountain - ID (south); OR (east) +-US +332654-1120424 America/Phoenix MST - Arizona (except Navajo) ++US +332654-1120424 America/Phoenix MST - AZ (except Navajo) + US +340308-1181434 America/Los_Angeles Pacific + US +611305-1495401 America/Anchorage Alaska (most areas) + US +581807-1342511 America/Juneau Alaska - Juneau area +@@ -451,7 +450,7 @@ US +571035-1351807 America/Sitka Alaska - Sitka area + US +550737-1313435 America/Metlakatla Alaska - Annette Island + US +593249-1394338 America/Yakutat Alaska - Yakutat + US +643004-1652423 America/Nome Alaska (west) +-US +515248-1763929 America/Adak Aleutian Islands ++US +515248-1763929 America/Adak Alaska - western Aleutians + US +211825-1575130 Pacific/Honolulu Hawaii + UY -345433-0561245 America/Montevideo + UZ +3940+06648 Asia/Samarkand Uzbekistan (west) +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index ef278203182..3762eb820bb 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -608,6 +608,17 @@ public final class ZoneInfoFile { + params[8] = endRule.secondOfDay * 1000; + params[9] = toSTZTime[endRule.timeDefinition]; + dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; ++ ++ // Note: known mismatching -> Africa/Cairo ++ // ZoneInfo : startDayOfWeek=5 <= Thursday ++ // startTime=86400000 <= 24:00 ++ // This: startDayOfWeek=6 <= Friday ++ // startTime=0 <= 0:00 ++ if (zoneId.equals("Africa/Cairo") && ++ params[7] == Calendar.FRIDAY && params[8] == 0) { ++ params[7] = Calendar.THURSDAY; ++ params[8] = SECONDS_PER_DAY * 1000; ++ } + } else if (nTrans > 0) { // only do this if there is something in table already + if (lastyear < LASTYEAR) { + // ZoneInfo has an ending entry for 2037 +diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +index bf7918659ae..2763ac30ca7 100644 +--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -845,9 +845,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, +- {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", +- "Kirov Daylight Time", "GMT+03:00", +- "Kirov Time", "GMT+03:00"}}, ++ {"Europe/Kirov", MSK}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index 0f66ee12c94..c5483b48512 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022g ++tzdata2023c +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +index d495743b268..07c5edbafee 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -211,6 +211,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index 44db4dbdb81..03f5305e65e 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -92,7 +92,6 @@ America/Vancouver PST PDT + America/Whitehorse MST + America/Winnipeg CST CDT + America/Yakutat AKST AKDT +-America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT + Asia/Beirut EET EEST + Asia/Famagusta EET EEST +@@ -144,6 +143,7 @@ Europe/Dublin IST/GMT IST/GMT + Europe/Gibraltar CET CEST + Europe/Helsinki EET EEST + Europe/Kaliningrad EET ++Europe/Kirov MSK + Europe/Kyiv EET EEST + Europe/Lisbon WET WEST + Europe/London GMT/BST GMT/BST +@@ -160,6 +160,7 @@ Europe/Tallinn EET EEST + Europe/Tirane CET CEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST ++Europe/Volgograd MSK + Europe/Warsaw CET CEST + Europe/Zurich CET CEST + HST HST +diff --git a/test/jdk/java/util/TimeZone/TimeZoneTest.java b/test/jdk/java/util/TimeZone/TimeZoneTest.java +index d31d1722b7b..8e5d403f87b 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneTest.java ++++ b/test/jdk/java/util/TimeZone/TimeZoneTest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -25,7 +25,7 @@ + * @test + * @bug 4028006 4044013 4096694 4107276 4107570 4112869 4130885 7039469 7126465 7158483 + * 8008577 8077685 8098547 8133321 8138716 8148446 8151876 8159684 8166875 8181157 +- * 8228469 8274407 ++ * 8228469 8274407 8305113 + * @modules java.base/sun.util.resources + * @library /java/text/testlib + * @summary test TimeZone +@@ -121,7 +121,7 @@ public class TimeZoneTest extends IntlTest + new ZoneDescriptor("GMT", 0, false), + new ZoneDescriptor("UTC", 0, false), + new ZoneDescriptor("ECT", 60, true), +- new ZoneDescriptor("ART", 120, false), ++ new ZoneDescriptor("ART", 120, true), + new ZoneDescriptor("EET", 120, true), + new ZoneDescriptor("EAT", 180, false), + new ZoneDescriptor("MET", 60, true), diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index 2d9ec35..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,8 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = sql:/etc/pki/nssdb -nssDbMode = readOnly -nssModule = fips - -attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } - diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh index e999c7e..25c2fc8 100644 --- a/remove-intree-libraries.sh +++ b/remove-intree-libraries.sh @@ -5,6 +5,7 @@ TREE=${1} TYPE=${2} ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ @@ -31,15 +32,21 @@ cd ${TREE} echo "Removing built-in libs (they will be linked)" -# On full runs, allow for zlib having already been deleted by minimal +# On full runs, allow for zlib & freetype having already been deleted by minimal echo "Removing zlib" if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then echo "${ZIP_SRC} does not exist. Refusing to proceed." exit 1 fi rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} -# Minimal is limited to just zlib so finish here +# Minimal is limited to just zlib and freetype so finish here if test "x${TYPE}" = "xminimal"; then echo "Finished."; exit 0; -- Gitee