Merge pull request #1927 from SAP/pr-jdk-17.0.15+3

Merge to tag jdk-17.0.15+3

Author: RealCLanger

make/conf/github-actions.conf

@@ -29,17 +29,17 @@ GTEST_VERSION=1.13.0
 JTREG_VERSION=7.3.1+1
 
 LINUX_X64_BOOT_JDK_EXT=tar.gz
-LINUX_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.12/sapmachine-jdk-17.0.12_linux-x64_bin.tar.gz
-LINUX_X64_BOOT_JDK_SHA256=53c035d9d496f6a29a2beb19181d69597796c0903385207f76c3d63671681673
-
-MACOS_X64_BOOT_JDK_EXT=tar.gz
-MACOS_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.12/sapmachine-jdk-17.0.12_macos-x64_bin.tar.gz
-MACOS_X64_BOOT_JDK_SHA256=fdb96f4ca96aa54bd90cfe0fcf1863f226be250e5ce942bc70f6bd41602f36d5
+LINUX_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.14/sapmachine-jdk-17.0.14_linux-x64_bin.tar.gz
+LINUX_X64_BOOT_JDK_SHA256=5d42032738a1d2e5ce7c0b08a9ace3f678158c01670b8f21b9701e38eda6127b
 
 MACOS_AARCH64_BOOT_JDK_EXT=tar.gz
-MACOS_AARCH64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.12/sapmachine-jdk-17.0.12_macos-aarch64_bin.tar.gz
-MACOS_AARCH64_BOOT_JDK_SHA256=a6af44b288551a3394ad7a9ec16623d05e56ee7f0dda0f5751ad1a977c0dea9e
+MACOS_AARCH64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.14/sapmachine-jdk-17.0.14_macos-aarch64_bin.tar.gz
+MACOS_AARCH64_BOOT_JDK_SHA256=8dfd53f5cc6a00d85500fc637b68e256c0b8ed6770e9b9c9779297761a24f276
+
+MACOS_X64_BOOT_JDK_EXT=tar.gz
+MACOS_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.14/sapmachine-jdk-17.0.14_macos-x64_bin.tar.gz
+MACOS_X64_BOOT_JDK_SHA256=eca737bbc29de298da04856fdc9c856c2638df4151885050f710675a989cd31f
 
 WINDOWS_X64_BOOT_JDK_EXT=zip
-WINDOWS_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.12/sapmachine-jdk-17.0.12_windows-x64_bin.zip
-WINDOWS_X64_BOOT_JDK_SHA256=fa2ac8287963cbd2e23714253c50fc2edfdcc5bd511a42f36afe1f1982fef50d
+WINDOWS_X64_BOOT_JDK_URL=https://github.com/SAP/SapMachine/releases/download/sapmachine-17.0.14/sapmachine-jdk-17.0.14_windows-x64_bin.zip
+WINDOWS_X64_BOOT_JDK_SHA256=dce037469441f3f71d01b839cee4a95755b3f6deba34aa8c1c5649e07ecdac61

src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -69,6 +69,22 @@ void checkDistrust(String variant, X509Certificate[] chain)
             }
             EntrustTLSPolicy.checkDistrust(chain);
         }
+    },
+
+    /**
+     * Distrust TLS Server certificates anchored by a CAMERFIRMA root CA and
+     * issued after April 15, 2025. If enabled, this policy is currently
+     * enforced by the PKIX and SunX509 TrustManager implementations
+     * of the SunJSSE provider implementation.
+     */
+    CAMERFIRMA_TLS {
+        void checkDistrust(String variant, X509Certificate[] chain)
+                           throws ValidatorException {
+            if (!variant.equals(Validator.VAR_TLS_SERVER)) {
+                return;
+            }
+            CamerfirmaTLSPolicy.checkDistrust(chain);
+        }
     };
 
     /**

src/java.base/share/classes/sun/security/validator/CamerfirmaTLSPolicy.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.validator;
+
+import java.security.cert.X509Certificate;
+import java.time.LocalDate;
+import java.time.Month;
+import java.time.ZoneOffset;
+import java.util.Date;
+import java.util.Map;
+import java.util.Set;
+
+import sun.security.util.Debug;
+import sun.security.x509.X509CertImpl;
+
+/**
+ * This class checks if Camerfirma issued TLS Server certificates should be
+ * restricted.
+ */
+final class CamerfirmaTLSPolicy {
+
+    private static final Debug debug = Debug.getInstance("certpath");
+
+    // SHA-256 certificate fingerprints of distrusted roots
+    private static final Set<String> FINGERPRINTS = Set.of(
+        // cacerts alias: camerfirmachamberscommerceca
+        // DN: CN=Chambers of Commerce Root,
+        //     OU=http://www.chambersign.org,
+        //     O=AC Camerfirma SA CIF A82743287, C=EU
+        "0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3",
+        // cacerts alias: camerfirmachambersca
+        // DN: CN=Chambers of Commerce Root - 2008,
+        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
+        //     L=Madrid (see current address at www.camerfirma.com/address),
+        //     C=EU
+        "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0",
+        // cacerts alias: camerfirmachambersignca
+        // DN: CN=Global Chambersign Root - 2008,
+        //     O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
+        //     L=Madrid (see current address at www.camerfirma.com/address),
+        //     C=EU
+        "136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA"
+    );
+
+    // Any TLS Server certificate that is anchored by one of the Camerfirma
+    // roots above and is issued after this date will be distrusted.
+    private static final LocalDate APRIL_15_2025 =
+        LocalDate.of(2025, Month.APRIL, 15);
+
+    /**
+     * This method assumes the eeCert is a TLS Server Cert and chains back to
+     * the anchor.
+     *
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
+     * @throws ValidatorException if the certificate is distrusted
+     */
+    static void checkDistrust(X509Certificate[] chain)
+                              throws ValidatorException {
+        X509Certificate anchor = chain[chain.length-1];
+        String fp = fingerprint(anchor);
+        if (fp == null) {
+            throw new ValidatorException("Cannot generate fingerprint for "
+                + "trust anchor of TLS server certificate");
+        }
+        if (FINGERPRINTS.contains(fp)) {
+            Date notBefore = chain[0].getNotBefore();
+            LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
+                                                        ZoneOffset.UTC);
+            // reject if certificate is issued after April 15, 2025
+            checkNotBefore(ldNotBefore, APRIL_15_2025, anchor);
+        }
+    }
+
+    private static String fingerprint(X509Certificate cert) {
+        return X509CertImpl.getFingerprint("SHA-256", cert, debug);
+    }
+
+    private static void checkNotBefore(LocalDate notBeforeDate,
+            LocalDate distrustDate, X509Certificate anchor)
+            throws ValidatorException {
+        if (notBeforeDate.isAfter(distrustDate)) {
+            throw new ValidatorException
+                ("TLS Server certificate issued after " + distrustDate +
+                 " and anchored by a distrusted legacy Camerfirma root CA: "
+                 + anchor.getSubjectX500Principal(),
+                 ValidatorException.T_UNTRUSTED_CERT, anchor);
+        }
+    }
+
+    private CamerfirmaTLSPolicy() {}
+}

src/java.base/share/conf/security/java.security

@@ -1289,6 +1289,9 @@ jdk.sasl.disabledMechanisms=
 #   ENTRUST_TLS : Distrust TLS Server certificates anchored by
 #   an Entrust root CA and issued after November 11, 2024.
 #
+#   CAMERFIRMA_TLS : Distrust TLS Server certificates anchored by
+#   a Camerfirma root CA and issued after April 15, 2025.
+#
 # Leading and trailing whitespace surrounding each value are ignored.
 # Unknown values are ignored. If the property is commented out or set to the
 # empty String, no policies are enforced.
@@ -1300,7 +1303,7 @@ jdk.sasl.disabledMechanisms=
 # jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
 # if this property is not enabled.
 #
-jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
+jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS,CAMERFIRMA_TLS
 
 #
 # FilePermission path canonicalization

src/java.desktop/windows/classes/sun/awt/PlatformGraphicsInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,41 +28,20 @@
 import java.awt.GraphicsEnvironment;
 import java.awt.Toolkit;
 
-import sun.awt.windows.WToolkit;
-
 public class PlatformGraphicsInfo {
 
-    private static final boolean hasDisplays;
-
-    static {
-        loadAWTLibrary();
-        hasDisplays = hasDisplays0();
-    }
-
-    @SuppressWarnings("removal")
-    private static void loadAWTLibrary() {
-        java.security.AccessController.doPrivileged(
-            new java.security.PrivilegedAction<Void>() {
-                public Void run() {
-                    System.loadLibrary("awt");
-                    return null;
-                }
-            });
-    }
-
-    private static native boolean hasDisplays0();
-
     public static GraphicsEnvironment createGE() {
         return new Win32GraphicsEnvironment();
     }
 
     public static Toolkit createToolkit() {
-        return new WToolkit();
+        return new sun.awt.windows.WToolkit();
     }
 
     public static boolean getDefaultHeadlessProperty() {
-        // If we don't find usable displays, we run headless.
-        return !hasDisplays;
+        // On Windows, we assume we can always create headful apps.
+        // Here is where we can add code that would actually check.
+        return false;
     }
 
     /*

src/java.desktop/windows/classes/sun/awt/Win32GraphicsEnvironment.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -60,8 +60,7 @@ public final class Win32GraphicsEnvironment extends SunGraphicsEnvironment {
         WToolkit.loadLibraries();
         // setup flags before initializing native layer
         WindowsFlags.initFlags();
-
-        initDisplay();
+        initDisplayWrapper();
 
         // Install correct surface manager factory.
         SurfaceManagerFactory.setInstance(new WindowsSurfaceManagerFactory());
@@ -89,6 +88,14 @@ public final class Win32GraphicsEnvironment extends SunGraphicsEnvironment {
      */
     private static native void initDisplay();
 
+    private static boolean displayInitialized;      // = false;
+    public static void initDisplayWrapper() {
+        if (!displayInitialized) {
+            displayInitialized = true;
+            initDisplay();
+        }
+    }
+
     public Win32GraphicsEnvironment() {
     }
 

src/java.desktop/windows/native/libawt/windows/Devices.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -85,75 +85,60 @@
 #include "Trace.h"
 #include "D3DPipelineManager.h"
 
-typedef struct {
-    int monitorCounter;
-    int monitorLimit;
-    HMONITOR* hmpMonitors;
-} MonitorData;
 
+/* Some helper functions (from awt_MMStub.h/cpp) */
 
-// Only monitors where CreateDC does not fail are valid
-static BOOL IsValidMonitor(HMONITOR hMon)
-{
-    MONITORINFOEX mieInfo;
-    memset((void*)(&mieInfo), 0, sizeof(MONITORINFOEX));
-    mieInfo.cbSize = sizeof(MONITORINFOEX);
-    if (!::GetMonitorInfo(hMon, (LPMONITORINFOEX)(&mieInfo))) {
-        J2dTraceLn1(J2D_TRACE_INFO, "Devices::IsValidMonitor: GetMonitorInfo failed for monitor with handle %p", hMon);
-        return FALSE;
-    }
-
-    HDC hDC = CreateDC(mieInfo.szDevice, NULL, NULL, NULL);
-    if (NULL == hDC) {
-        J2dTraceLn2(J2D_TRACE_INFO, "Devices::IsValidMonitor: CreateDC failed for monitor with handle %p, device: %S", hMon, mieInfo.szDevice);
-        return FALSE;
-    }
-
-    ::DeleteDC(hDC);
-    return TRUE;
-}
+int g_nMonitorCounter;
+int g_nMonitorLimit;
+HMONITOR* g_hmpMonitors;
 
 // Callback for CountMonitors below
-static BOOL WINAPI clb_fCountMonitors(HMONITOR hMon, HDC hDC, LPRECT rRect, LPARAM lpMonitorCounter)
+BOOL WINAPI clb_fCountMonitors(HMONITOR hMon, HDC hDC, LPRECT rRect, LPARAM lP)
 {
-    if (IsValidMonitor(hMon)) {
-        (*((int *)lpMonitorCounter))++;
-    }
-
+    g_nMonitorCounter ++;
     return TRUE;
 }
 
 int WINAPI CountMonitors(void)
 {
-    int monitorCounter = 0;
-    ::EnumDisplayMonitors(NULL, NULL, clb_fCountMonitors, (LPARAM)&monitorCounter);
-    return monitorCounter;
+    g_nMonitorCounter = 0;
+    ::EnumDisplayMonitors(NULL, NULL, clb_fCountMonitors, 0L);
+    return g_nMonitorCounter;
+
 }
 
 // Callback for CollectMonitors below
-static BOOL WINAPI clb_fCollectMonitors(HMONITOR hMon, HDC hDC, LPRECT rRect, LPARAM lpMonitorData)
+BOOL WINAPI clb_fCollectMonitors(HMONITOR hMon, HDC hDC, LPRECT rRect, LPARAM lP)
 {
-    MonitorData* pMonitorData = (MonitorData *)lpMonitorData;
-    if ((pMonitorData->monitorCounter < pMonitorData->monitorLimit) && (IsValidMonitor(hMon))) {
-        pMonitorData->hmpMonitors[pMonitorData->monitorCounter] = hMon;
-        pMonitorData->monitorCounter++;
+
+    if ((g_nMonitorCounter < g_nMonitorLimit) && (NULL != g_hmpMonitors)) {
+        g_hmpMonitors[g_nMonitorCounter] = hMon;
+        g_nMonitorCounter ++;
     }
 
     return TRUE;
 }
 
-static int WINAPI CollectMonitors(HMONITOR* hmpMonitors, int nNum)
+int WINAPI CollectMonitors(HMONITOR* hmpMonitors, int nNum)
 {
+    int retCode = 0;
+
     if (NULL != hmpMonitors) {
-        MonitorData monitorData;
-        monitorData.monitorCounter = 0;
-        monitorData.monitorLimit = nNum;
-        monitorData.hmpMonitors = hmpMonitors;
-        ::EnumDisplayMonitors(NULL, NULL, clb_fCollectMonitors, (LPARAM)&monitorData);
-        return monitorData.monitorCounter;
-    } else {
-        return 0;
+
+        g_nMonitorCounter   = 0;
+        g_nMonitorLimit     = nNum;
+        g_hmpMonitors       = hmpMonitors;
+
+        ::EnumDisplayMonitors(NULL, NULL, clb_fCollectMonitors, 0L);
+
+        retCode             = g_nMonitorCounter;
+
+        g_nMonitorCounter   = 0;
+        g_nMonitorLimit     = 0;
+        g_hmpMonitors       = NULL;
+
     }
+    return retCode;
 }
 
 BOOL WINAPI MonitorBounds(HMONITOR hmMonitor, RECT* rpBounds)