From 706663bab6fbff0eff6e7737b25be3fda13b2a0d Mon Sep 17 00:00:00 2001
From: Christoph Langer
Date: Thu, 30 Nov 2023 17:54:56 +0000
Subject: [PATCH 1/5] 8320601: ProblemList java/lang/invoke/lambda/LambdaFileEncodingSerialization.java on linux-all
Backport-of: ab7380e2d9d3c340120bf9c41029c334c809291e
---
 test/jdk/ProblemList.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt
index 05bf219cb54..21edb81981e 100644
--- a/test/jdk/ProblemList.txt
+++ b/test/jdk/ProblemList.txt
@@ -532,7 +532,7 @@ java/lang/StringCoding/CheckEncodings.sh 7008363 generic-
 java/lang/ProcessHandle/InfoTest.java 8211847 aix-ppc64
 java/lang/invoke/LFCaching/LFMultiThreadCachingTest.java 8151492 generic-all
 java/lang/invoke/LFCaching/LFGarbageCollectedTest.java 8078602 generic-all
-java/lang/invoke/lambda/LambdaFileEncodingSerialization.java 8249079 linux-x64
+java/lang/invoke/lambda/LambdaFileEncodingSerialization.java 8249079 linux-all
 ############################################################################
From 80e98445824e5acde32399e165927333fff32eff Mon Sep 17 00:00:00 2001
From: Jason Katonica
Date: Thu, 30 Nov 2023 11:36:25 -0500
Subject: [PATCH 2/5] Enable ECDSA ciphers when running with FIPS cryptography
In FIPS mode, certain cryptographic algorithms are typically disabled. This includes the algorithm `SHA1withECDSA` since `SHA1` is no longer recommended for general use. The `JSSE`provider, responsible for managing TLS cipher specifications, currently disables all `*ECDSA*` ciphers due to the absence of the `SHA1withECDSA` algorithm on the system when running in FIPS mode. This behavior is inaccurate, since other ECDSA-related transformations, such as `SHA512withECDSA` or `SHA384withECDSA`, are available in a FIPS environment and can be used for TLS connections. With this update, `*ECDSA*` ciphers can now be enabled in FIPS mode. We will allow for `*ECDSA*` ciphers to be enabled if any algorithm in the ECDSA family is present such as `SHA512withECDSA`, `SHA384withECDSA`, `SHA256withECDSA`, or `SHA224withECDSA`. We expect all these algorithms to be present in the various FIPS solutions available within Semeru.
Signed-off-by: Jason Katonica
---
 .../classes/sun/security/ssl/JsseJce.java | 56 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/src/java.base/share/classes/sun/security/ssl/JsseJce.java b/src/java.base/share/classes/sun/security/ssl/JsseJce.java
index eefaaf2b79a..552ffc137b1 100644
--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java
+++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java
@@ -23,6 +23,12 @@
 * questions.
 */
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved
+ * ===========================================================================
+ */
+
 package sun.security.ssl;
 import java.math.BigInteger;
@@ -90,6 +96,26 @@ final class JsseJce {
 */
 static final String SIGNATURE_ECDSA = "SHA1withECDSA";
+ /**
+ * JCA identifier string for ECDSA, i.e. a ECDSA with SHA224.
+ */
+ static final String SIGNATURE_ECDSA_224 = "SHA224withECDSA";
+
+ /**
+ * JCA identifier string for ECDSA, i.e. a ECDSA with SHA256.
+ */
+ static final String SIGNATURE_ECDSA_256 = "SHA256withECDSA";
+
+ /**
+ * JCA identifier string for ECDSA, i.e. a ECDSA with SHA384.
+ */
+ static final String SIGNATURE_ECDSA_384 = "SHA384withECDSA";
+
+ /**
+ * JCA identifier string for ECDSA, i.e. a ECDSA with SHA512.
+ */
+ static final String SIGNATURE_ECDSA_512 = "SHA512withECDSA";
+
 /**
 * JCA identifier for EdDSA signatures.
 */
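Review bot: The four new Javadoc comments read "JCA identifier string for ECDSA, i.e. a ECDSA with SHA224", which is ungrammatical and writes the digest name without its hyphen; each would read better as `JCA identifier string for ECDSA with SHA-224.` (and likewise for SHA-256, SHA-384 and SHA-512). Within this patch the constants are used only to probe provider availability in `EcAvailability`, so one of the comments could say that, to keep a reader from assuming they select the signature algorithm used in a handshake.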
@@ -163,10 +189,38 @@ private static class EcAvailability {
 // Is EC crypto available?
 private static final boolean isAvailable;
+ /**
+ * Checks if a particular signature algorithm is available.
+ *
+ * @param algorithm the algorithm we will attempt to instantiate to check if it is available
+ * @return true if the signature algorithm is found, false otherwise
+ */
+ private static boolean isSignatureAlgorithmAvailable(String algorithm) {
+ try {
+ // Attempt to create a Cipher instance with the specified algorithm.
+ Signature.getInstance(algorithm);
+ return true;
+ } catch (NoSuchAlgorithmException e) {
+ return false;
+ }
+ }
+
 static {
 boolean mediator = true;
 try {
- Signature.getInstance(SIGNATURE_ECDSA);
+ // When running in FIPS mode, the signature "SHA1withECDSA" is not
+ // available by default. In this scenario we should still set EC
+ // availability to true since other algorithms in the ECDSA signature
+ // family are available for use in various ECDSA TLS ciphers. All
+ // FIPS solutions are expected to have an algorithm such as
+ // "SHA512withECDSA", "SHA384withECDSA", "SHA256withECDSA", or
+ // "SHA224withECDSA" available so we will also check for these algorithms.
+ mediator = isSignatureAlgorithmAvailable(SIGNATURE_ECDSA)
+ || isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_224)
+ || isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_256)
+ || isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_384)
+ || isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_512);
+
 Signature.getInstance(SIGNATURE_RAWECDSA);
 KeyAgreement.getInstance("ECDH");
 KeyFactory.getInstance("EC");
From 531210c35328c8bebe5cb4c1b49298da37d88072 Mon Sep 17 00:00:00 2001
From: "Keith W. Campbell"
Date: Wed, 22 Nov 2023 15:00:46 -0500
Subject: [PATCH 3/5] Include new "access" shared library in test-image
Signed-off-by: Keith W. Campbell
---
 closed/OpenJ9.gmk | 1 +
 1 file changed, 1 insertion(+)
diff --git a/closed/OpenJ9.gmk b/closed/OpenJ9.gmk
index df8bceb7b22..70f196ecc6a 100644
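Review bot: After this change `isAvailable` can be true when no provider offers `SHA1withECDSA`, yet `SIGNATURE_ECDSA` still names that algorithm, so any code outside this patch that requests a signature through that constant is no longer gated by the availability check and would fail later, presumably during a handshake; those call sites are not visible here and should be confirmed. The probe is also not tied to FIPS mode, so it changes the result for every provider configuration, which the comment in the static initializer could state, e.g. `// Note: EC is reported available even without SHA1withECDSA; callers must not assume SIGNATURE_ECDSA exists.` Separately, the comment inside `isSignatureAlgorithmAvailable` says it creates a Cipher while the code calls `Signature.getInstance`; it should read `// Attempt to create a Signature instance with the specified algorithm.` The static initializer continues past the end of the hunk.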
--- a/closed/OpenJ9.gmk
+++ b/closed/OpenJ9.gmk
@@ -195,6 +195,7 @@ $(foreach file, \
 vmtest \
 ) \
 $(patsubst %, $(OPENJ9_VM_BUILD_DIR)/$(call SHARED_LIBRARY,%), \
+ access \
 anntests \
 balloon29 \
 bcuwhite \
From 6ac01aa1ef76aeccca22015116c14ca9867d8839 Mon Sep 17 00:00:00 2001
From: LongyuZhang
Date: Tue, 5 Dec 2023 17:48:19 -0500
Subject: [PATCH 4/5] Add FIPS exclude files for multiple profiles to JDK17
- Add FIPS exclude files for multiple profiles
Signed-off-by: LongyuZhang
---
 ...ist-fips.txt => ProblemList-FIPS140_2.txt} | 0
 .../jdk/ProblemList-FIPS140_3_OpenJcePlus.txt | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+)
 rename test/jdk/{ProblemList-fips.txt => ProblemList-FIPS140_2.txt} (100%)
 create mode 100644 test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt
diff --git a/test/jdk/ProblemList-fips.txt b/test/jdk/ProblemList-FIPS140_2.txt
similarity index 100%
rename from test/jdk/ProblemList-fips.txt
rename to test/jdk/ProblemList-FIPS140_2.txt
diff --git a/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt b/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt
new file mode 100644
index 00000000000..3b6107954b4
--- /dev/null
+++ b/test/jdk/ProblemList-FIPS140_3_OpenJcePlus.txt
@@ -0,0 +1,19 @@
+# ===========================================================================
+# (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved
+# ===========================================================================
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# IBM designates this particular file as subject to the "Classpath" exception
+# as provided by IBM in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, see .
+# ===========================================================================
From d6f3819d93483d6a76dc3562b768347802fab35d Mon Sep 17 00:00:00 2001
From: J9 Build
Date: Thu, 7 Dec 2023 04:18:55 +0000
Subject: [PATCH 5/5] Update OPENJDK_TAG to merged level jdk-17.0.10+6
Signed-off-by: J9 Build
---
 closed/openjdk-tag.gmk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/closed/openjdk-tag.gmk b/closed/openjdk-tag.gmk
index ceacb0a9cb1..b33a19cffa0 100644
--- a/closed/openjdk-tag.gmk
+++ b/closed/openjdk-tag.gmk
@@ -1 +1 @@
-OPENJDK_TAG := jdk-17.0.10+5
+OPENJDK_TAG := jdk-17.0.10+6