Merge

jdk/src/macosx/native/sun/awt/CRobot.m

@@ -47,10 +47,6 @@
 
 #define k_JAVA_ROBOT_WHEEL_COUNT 1
 
-#if !defined(kCGBitmapByteOrder32Host)
-#define kCGBitmapByteOrder32Host 0
-#endif
-
 // In OS X, left and right mouse button share the same click count.
 // That is, if one starts clicking the left button rapidly and then
 // switches to the right button, then the click count will continue
@@ -324,7 +320,7 @@ static void PostMouseEvent(const CGPoint point, CGMouseButton button,
                                             8, picWidth * sizeof(jint),
                                             picColorSpace,
                                             kCGBitmapByteOrder32Host |
-                                            kCGImageAlphaPremultipliedFirst);
+                                            kCGImageAlphaNoneSkipFirst);
 
     CGColorSpaceRelease(picColorSpace);
 

jdk/src/macosx/native/sun/awt/QuartzSurfaceData.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,14 +28,6 @@
 #import "AWTFont.h"
 #import <Cocoa/Cocoa.h>
 
-// these flags are not defined on Tiger on PPC, so we need to make them a no-op
-#if !defined(kCGBitmapByteOrder32Host)
-#define kCGBitmapByteOrder32Host 0
-#endif
-#if !defined(kCGBitmapByteOrder16Host)
-#define kCGBitmapByteOrder16Host 0
-#endif
-
 // NOTE : Modify the printSurfaceDataDiagnostics API if you change this enum
 enum SDRenderType
 {

jdk/src/share/classes/java/util/zip/Deflater.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -559,6 +559,16 @@ private void ensureOpen() {
             throw new NullPointerException("Deflater has been closed");
     }
 
+    /**
+     * Returns the value of 'finish' flag.
+     * 'finish' will be set to true if def.finish() method is called.
+     */
+    boolean shouldFinish() {
+        synchronized (zsRef) {
+            return finish;
+        }
+    }
+
     private static native void initIDs();
     private native static long init(int level, int strategy, boolean nowrap);
     private native static void setDictionary(long addr, byte[] b, int off, int len);

jdk/src/share/classes/java/util/zip/DeflaterOutputStream.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -221,9 +221,15 @@ public void write(byte[] b, int off, int len) throws IOException {
      */
     public void finish() throws IOException {
         if (!def.finished()) {
-            def.finish();
-            while (!def.finished()) {
-                deflate();
+            try{
+                def.finish();
+                while (!def.finished()) {
+                    deflate();
+                }
+            } catch(IOException e) {
+                if (usesDefaultDeflater)
+                    def.end();
+                throw e;
             }
         }
     }

jdk/src/share/classes/java/util/zip/ZipOutputStream.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -304,7 +304,7 @@ public void closeEntry() throws IOException {
                 crc.reset();
                 current = null;
             } catch (IOException e) {
-                if (usesDefaultDeflater && !(e instanceof ZipException))
+                if (def.shouldFinish() && usesDefaultDeflater && !(e instanceof ZipException))
                     def.end();
                 throw e;
             }

jdk/src/share/classes/sun/security/validator/CADistrustPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,6 +53,22 @@ void checkDistrust(String variant, X509Certificate[] chain)
             }
             SymantecTLSPolicy.checkDistrust(chain);
         }
+    },
+
+    /**
+     * Distrust TLS Server certificates anchored by an Entrust root CA and
+     * issued after October 31, 2024. If enabled, this policy is currently
+     * enforced by the PKIX and SunX509 TrustManager implementations
+     * of the SunJSSE provider implementation.
+     */
+    ENTRUST_TLS {
+        void checkDistrust(String variant, X509Certificate[] chain)
+                           throws ValidatorException {
+            if (!variant.equals(Validator.VAR_TLS_SERVER)) {
+                return;
+            }
+            EntrustTLSPolicy.checkDistrust(chain);
+        }
     };
 
     /**

jdk/src/share/classes/sun/security/validator/EntrustTLSPolicy.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.validator;
+
+import java.security.cert.X509Certificate;
+import java.time.LocalDate;
+import java.time.Month;
+import java.time.ZoneOffset;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import sun.security.util.Debug;
+import sun.security.x509.X509CertImpl;
+
+/**
+ * This class checks if Entrust issued TLS Server certificates should be
+ * restricted.
+ */
+final class EntrustTLSPolicy {
+
+    private static final Debug debug = Debug.getInstance("certpath");
+
+    // SHA-256 certificate fingerprints of distrusted roots
+    private static final Set<String> FINGERPRINTS =
+            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+        // cacerts alias: entrustevca
+        // DN: CN=Entrust Root Certification Authority,
+        //     OU=(c) 2006 Entrust, Inc.,
+        //     OU=www.entrust.net/CPS is incorporated by reference,
+        //     O=Entrust, Inc., C=US
+        "73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C",
+        // cacerts alias: entrustrootcaec1
+        // DN: CN=Entrust Root Certification Authority - EC1,
+        //     OU=(c) 2012 Entrust, Inc. - for authorized use only,
+        //     OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
+        "02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5",
+        // cacerts alias: entrustrootcag2
+        // DN: CN=Entrust Root Certification Authority - G2,
+        //     OU=(c) 2009 Entrust, Inc. - for authorized use only,
+        //     OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
+        "43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339",
+        // cacerts alias: entrustrootcag4
+        // DN: CN=Entrust Root Certification Authority - G4
+        //     OU=(c) 2015 Entrust, Inc. - for authorized use only,
+        //     OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US,
+        "DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88",
+        // cacerts alias: entrust2048ca
+        // DN: CN=Entrust.net Certification Authority (2048),
+        //     OU=(c) 1999 Entrust.net Limited,
+        //     OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
+        //     O=Entrust.net
+        "6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177",
+        // cacerts alias: affirmtrustcommercialca
+        // DN: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
+        "0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7",
+        // cacerts alias: affirmtrustnetworkingca
+        // DN: CN=AffirmTrust Networking, O=AffirmTrust, C=US
+        "0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B",
+        // cacerts alias: affirmtrustpremiumca
+        // DN: CN=AffirmTrust Premium, O=AffirmTrust, C=US
+        "70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A",
+        // cacerts alias: affirmtrustpremiumeccca
+        // DN: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
+        "BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423"
+    )));
+
+    // Any TLS Server certificate that is anchored by one of the Entrust
+    // roots above and is issued after this date will be distrusted.
+    private static final LocalDate OCTOBER_31_2024 =
+        LocalDate.of(2024, Month.OCTOBER, 31);
+
+    /**
+     * This method assumes the eeCert is a TLS Server Cert and chains back to
+     * the anchor.
+     *
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
+     * @throws ValidatorException if the certificate is distrusted
+     */
+    static void checkDistrust(X509Certificate[] chain)
+                              throws ValidatorException {
+        X509Certificate anchor = chain[chain.length-1];
+        String fp = fingerprint(anchor);
+        if (fp == null) {
+            throw new ValidatorException("Cannot generate fingerprint for "
+                + "trust anchor of TLS server certificate");
+        }
+        if (FINGERPRINTS.contains(fp)) {
+            Date notBefore = chain[0].getNotBefore();
+            LocalDate ldNotBefore = notBefore.toInstant()
+                    .atZone(ZoneOffset.UTC).toLocalDate();
+            // reject if certificate is issued after October 31, 2024
+            checkNotBefore(ldNotBefore, OCTOBER_31_2024, anchor);
+        }
+    }
+
+    private static String fingerprint(X509Certificate cert) {
+        return X509CertImpl.getFingerprint("SHA-256", cert);
+    }
+
+    private static void checkNotBefore(LocalDate notBeforeDate,
+            LocalDate distrustDate, X509Certificate anchor)
+            throws ValidatorException {
+        if (notBeforeDate.isAfter(distrustDate)) {
+            throw new ValidatorException
+                ("TLS Server certificate issued after " + distrustDate +
+                 " and anchored by a distrusted legacy Entrust root CA: "
+                 + anchor.getSubjectX500Principal(),
+                 ValidatorException.T_UNTRUSTED_CERT, anchor);
+        }
+    }
+
+    private EntrustTLSPolicy() {}
+}

jdk/src/share/lib/security/java.security-aix

@@ -1211,6 +1211,10 @@ jdk.sasl.disabledMechanisms=
 #     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
 #        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
 #        Distrust after December 31, 2019.
+#
+#   ENTRUST_TLS : Distrust TLS Server certificates anchored by
+#   an Entrust root CA and issued after October 31, 2024.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1222,7 +1226,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
 
 #
 # Policies for the proxy_impersonator Kerberos ccache configuration entry

jdk/src/share/lib/security/java.security-linux

@@ -1217,6 +1217,10 @@ jdk.sasl.disabledMechanisms=
 #     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
 #        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
 #        Distrust after December 31, 2019.
+#
+#   ENTRUST_TLS : Distrust TLS Server certificates anchored by
+#   an Entrust root CA and issued after October 31, 2024.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1228,7 +1232,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
 
 #
 # Policies for the proxy_impersonator Kerberos ccache configuration entry

jdk/src/share/lib/security/java.security-macosx

@@ -1215,6 +1215,10 @@ jdk.sasl.disabledMechanisms=
 #     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
 #        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
 #        Distrust after December 31, 2019.
+#
+#   ENTRUST_TLS : Distrust TLS Server certificates anchored by
+#   an Entrust root CA and issued after October 31, 2024.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1226,7 +1230,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
 
 #
 # Policies for the proxy_impersonator Kerberos ccache configuration entry

jdk/src/share/lib/security/java.security-solaris

@@ -1213,6 +1213,10 @@ jdk.sasl.disabledMechanisms=
 #     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
 #        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
 #        Distrust after December 31, 2019.
+#
+#   ENTRUST_TLS : Distrust TLS Server certificates anchored by
+#   an Entrust root CA and issued after October 31, 2024.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1224,7 +1228,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
 
 #
 # Policies for the proxy_impersonator Kerberos ccache configuration entry

jdk/src/share/lib/security/java.security-windows

@@ -1215,6 +1215,10 @@ jdk.sasl.disabledMechanisms=
 #     2. Apple IST CA 8 - G1, SHA-256 fingerprint:
 #        A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
 #        Distrust after December 31, 2019.
+#
+#   ENTRUST_TLS : Distrust TLS Server certificates anchored by
+#   an Entrust root CA and issued after October 31, 2024.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1226,7 +1230,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
 
 #
 # Policies for the proxy_impersonator Kerberos ccache configuration entry

jdk/test/java/awt/Robot/CheckCommonColors/CheckCommonColors.java

@@ -38,7 +38,7 @@
 /**
  * @test
  * @key headful
- * @bug 8215105
+ * @bug 8215105 8298887
  * @summary tests that Robot can capture the common colors without artifacts
  */
 public final class CheckCommonColors {

jdk/test/java/awt/font/GlyphVector/MultiSlotFontTest.java

@@ -23,7 +23,7 @@
 
 /**
  * @test
- * @bug 8240756
+ * @bug 8240756 8298887
  * @summary Non-English characters are printed with wrong glyphs on MacOS
  * @modules java.desktop/sun.java2d java.desktop/sun.java2d.loops java.desktop/sun.font
  * @requires os.family == "mac"