changeset 14982:2d5d2c77faa3 default tip

Merge jdk8u292-ga
author Andrew John Hughes <gnu_andrew@member.fsf.org>
date Mon, 26 Apr 2021 14:01:43 +0100
parents 0a1dc6d7df21 (current diff) bbffc81f10de (diff)
children
files .hgtags make/data/tzdata/VERSION make/data/tzdata/africa make/data/tzdata/asia make/data/tzdata/australasia make/data/tzdata/backward make/data/tzdata/etcetera make/data/tzdata/europe make/data/tzdata/leapseconds make/data/tzdata/northamerica make/data/tzdata/zone.tab src/share/classes/com/sun/jndi/ldap/VersionHelper12.java src/share/classes/java/io/File.java src/share/classes/java/security/cert/TrustAnchor.java src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java src/share/classes/sun/security/provider/certpath/OCSP.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/provider/certpath/RevocationChecker.java src/share/classes/sun/security/ssl/SSLContextImpl.java src/share/classes/sun/security/ssl/X509KeyManagerImpl.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/tools/jarsigner/TimestampCheck.java test/sun/util/calendar/zi/tzdata/VERSION test/sun/util/calendar/zi/tzdata/africa test/sun/util/calendar/zi/tzdata/asia test/sun/util/calendar/zi/tzdata/australasia test/sun/util/calendar/zi/tzdata/backward test/sun/util/calendar/zi/tzdata/etcetera test/sun/util/calendar/zi/tzdata/europe test/sun/util/calendar/zi/tzdata/leapseconds test/sun/util/calendar/zi/tzdata/northamerica test/sun/util/calendar/zi/tzdata/zone.tab
diffstat 65 files changed, 3104 insertions(+), 861 deletions(-) [+]
--- a/.hgtags	Mon Apr 19 04:23:30 2021 +0100
+++ b/.hgtags	Mon Apr 26 14:01:43 2021 +0100
@@ -1163,3 +1163,9 @@
 daac853357a501b21955518977d11b9121ff3197 jdk8u292-b03
 37cc96fde9118f2422db288dcecc4b3f51c1dacf jdk8u292-b04
 7c8bbbfe6acbe08eadae04e1ec46d94e9f98b743 jdk8u292-b05
+42f6981cebc518fd4d33f8d55351b32dbd900478 jdk8u292-b06
+99b8202e7f718c01393f373609615a9c2721abe3 jdk8u292-b07
+d103481ecd91690051bbd06e4eb4d3f3b4938dfc jdk8u292-b08
+364cf530fbd346293f4fe51e725b1b3a807fd30f jdk8u292-b09
+4eae74c62a511317a50759f5faad3e748d34be95 jdk8u292-b10
+4eae74c62a511317a50759f5faad3e748d34be95 jdk8u292-ga
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/data/cacerts/haricaeccrootca2015	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,24 @@
+Owner: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+Serial number: 0
+Valid from: Tue Jul 07 10:37:12 GMT 2015 until: Sat Jun 30 10:37:12 GMT 2040
+Signature algorithm name: SHA256withECDSA
+Subject Public Key Algorithm: 384-bit EC key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzAN
+BgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
+c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hl
+bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv
+b3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEwMzcxMlowgaoxCzAJ
+BgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFj
+YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5
+MUQwQgYDVQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0
+dXRpb25zIEVDQyBSb290Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKg
+QehLgoRc4vgxEZmGZE4JJS+dQS8KrjVPdJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJa
+jq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoKVlp8aQuqgAkkbH7BRqNC
+MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLQi
+C4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaep
+lSTAGiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7Sof
+TUwJCA3sS61kFyjndc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR
+-----END CERTIFICATE-----
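Review bot: Nothing in the new file make/data/cacerts/haricaeccrootca2015 lets a reader confirm which root is being trusted: the Owner, Serial number and validity lines are free text that nothing ties to the PEM body, and no fingerprint is recorded anywhere in the hunk. Before this anchor is accepted, decode the PEM independently, for example with `keytool -printcert -file make/data/cacerts/haricaeccrootca2015`, and compare the SHA-256 fingerprint with the value the CA publishes out of band. Also check that the decoded subject, validity dates and key type match the header lines. The same check applies to make/data/cacerts/haricarootca2015, added in the next hunk. If the tree has a test that pins root fingerprints and the trust-store entry count, it should change in the same commit; that is not visible in this part of the diff.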
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/data/cacerts/haricarootca2015	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,42 @@
+Owner: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+Serial number: 0
+Valid from: Tue Jul 07 10:11:21 GMT 2015 until: Sat Jun 30 10:11:21 GMT 2040
+Signature algorithm name: SHA256withRSA
+Subject Public Key Algorithm: 4096-bit RSA key
+Version: 3
+-----BEGIN CERTIFICATE-----
+MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1Ix
+DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5k
+IFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMT
+N0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9v
+dENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkG
+A1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh
+ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkx
+QDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
+dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA
+4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL0BgzuNtFajT0
+AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQZe10
+4S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06C
+ojXdFPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV
+9Cz82XBST3i4vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrD
+gfgXy5I2XdGj2HUb4Ysn6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6
+Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargq
+NhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9muiNX6hME6wGko
+LfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc
+Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVd
+ctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0I
+XtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMI
+M4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot
+9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2V
+Z5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/ea
+j8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnh
+X9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQ
+l033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI/CbM1xyQVqdf
+bzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evIIVM4
+pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK
+e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0
+vm9qp/UsQu0yrbYhnr68
+-----END CERTIFICATE-----
--- a/make/data/tzdata/VERSION	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/VERSION	Mon Apr 26 14:01:43 2021 +0100
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2020d
+tzdata2021a
--- a/make/data/tzdata/africa	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/africa	Mon Apr 26 14:01:43 2021 +0100
@@ -409,36 +409,87 @@
 
 # Ghana
 
-# From Paul Eggert (2018-01-30):
-# Whitman says DST was observed from 1931 to "the present";
-# Shanks & Pottenger say 1936 to 1942 with 20 minutes of DST,
-# with transitions on 09-01 and 12-31 at 00:00.
-# Page 33 of Parish GCB, Colonial Reports - Annual. No. 1066. Gold
-# Coast. Report for 1919. (March 1921), OCLC 784024077
-# http://libsysdigi.library.illinois.edu/ilharvest/africana/books2011-05/5530214/5530214_1919/5530214_1919_opt.pdf
-# lists the Determination of the Time Ordinance, 1919, No. 18,
-# "to advance the time observed locally by the space of twenty minutes
-# during the last four months of each year; the object in view being
-# to extend during those months the period of daylight-time available
-# for evening recreation after office hours."
-# Vanessa Ogle, The Global Transformation of Time, 1870-1950 (2015), p 33,
-# writes "In 1919, the Gold Coast (Ghana as of 1957) made Greenwich
-# time its legal time and simultaneously legalized a summer time of
-# UTC - 00:20 minutes from March to October."; a footnote lists
-# the ordinance as being dated 1919-11-24.
-# The Crown Colonist, Volume 12 (1942), p 176, says "the Government
-# intend advancing Gold Coast time half an hour ahead of G.M.T.
-# The actual date of the alteration has not yet been announced."
-# These sources are incomplete and contradictory.  Possibly what is
-# now Ghana observed different DST regimes in different years.  For
-# lack of better info, use Shanks except treat the minus sign as a
-# typo, and assume DST started in 1920 not 1936.
+# From P Chan (2020-11-20):
+# Interpretation Amendment Ordinance, 1915 (No.24 of 1915) [1915-11-02]
+# Ordinances of the Gold Coast, Ashanti, Northern Territories 1915, p 69-71
+# https://books.google.com/books?id=ErA-AQAAIAAJ&pg=PA70
+# This Ordinance added "'Time' shall mean Greenwich Mean Time" to the
+# Interpretation Ordinance, 1876.
+#
+# Determination of the Time Ordinance, 1919 (No. 18 of 1919) [1919-11-24]
+# Ordinances of the Gold Coast, Ashanti, Northern Territories 1919, p 75-76
+# https://books.google.com/books?id=MbA-AQAAIAAJ&pg=PA75
+# This Ordinance removed the previous definition of time and introduced DST.
+#
+# Time Determination Ordinance (Cap. 214)
+# The Laws of the Gold Coast (including Togoland Under British Mandate)
+# Vol. II (1937), p 2328
+# https://books.google.com/books?id=Z7M-AQAAIAAJ&pg=PA2328
+# Revised edition of the 1919 Ordinance.
+#
+# Time Determination (Amendment) Ordinance, 1940 (No. 9 of 1940) [1940-04-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1940, p 22
+# https://books.google.com/books?id=1ao-AQAAIAAJ&pg=PA22
+# This Ordinance changed the forward transition from September to May.
+#
+# Defence (Time Determination Ordinance Amendment) Regulations, 1942
+# (Regulations No. 6 of 1942) [1942-01-31, commenced on 1942-02-08]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1942, p 48
+# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA48
+# These regulations advanced the [standard] time by thirty minutes.
+#
+# Defence (Time Determination Ordinance Amendment (No.2)) Regulations,
+# 1942 (Regulations No. 28 of 1942) [1942-04-25]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1942, p 87
+# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA87
+# These regulations abolished DST and changed the time to GMT+0:30.
+#
+# Defence (Revocation) (No.4) Regulations, 1945 (Regulations No. 45 of
+# 1945) [1945-10-24, commenced on 1946-01-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1945, p 256
+# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA256
+# These regulations revoked the previous two sets of Regulations.
+#
+# Time Determination (Amendment) Ordinance, 1945 (No. 18 of 1945) [1946-01-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1945, p 69
+# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA69
+# This Ordinance abolished DST.
+#
+# Time Determination (Amendment) Ordinance, 1950 (No. 26 of 1950) [1950-07-22]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1950, p 35
+# https://books.google.com/books?id=e60-AQAAIAAJ&pg=PA35
+# This Ordinance restored DST but with thirty minutes offset.
+#
+# Time Determination Ordinance (Cap. 264)
+# The Laws of the Gold Coast, Vol. V (1954), p 380
+# https://books.google.com/books?id=Mqc-AQAAIAAJ&pg=PA380
+# Revised edition of the Time Determination Ordinance.
+#
+# Time Determination (Amendment) Ordinance, 1956 (No. 21 of 1956) [1956-08-29]
+# Annual Volume of the Ordinances of the Gold Coast Enacted During the
+# Year 1956, p 83
+# https://books.google.com/books?id=VLE-AQAAIAAJ&pg=PA83
+# This Ordinance abolished DST.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Ghana	1920	1942	-	Sep	 1	0:00	0:20	-
-Rule	Ghana	1920	1942	-	Dec	31	0:00	0	-
+Rule	Ghana	1919	only	-	Nov	24	0:00	0:20	+0020
+Rule	Ghana	1920	1942	-	Jan	 1	2:00	0	GMT
+Rule	Ghana	1920	1939	-	Sep	 1	2:00	0:20	+0020
+Rule	Ghana	1940	1941	-	May	 1	2:00	0:20	+0020
+Rule	Ghana	1950	1955	-	Sep	 1	2:00	0:30	+0030
+Rule	Ghana	1951	1956	-	Jan	 1	2:00	0	GMT
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Accra	-0:00:52 -	LMT	1918
-			 0:00	Ghana	GMT/+0020
+Zone	Africa/Accra	-0:00:52 -	LMT	1915 Nov  2
+			 0:00	Ghana	%s	1942 Feb  8
+			 0:30	-	+0030	1946 Jan  6
+			 0:00	Ghana	%s
 
 # Guinea
 # See Africa/Abidjan.
@@ -456,11 +507,54 @@
 			 0:00	-	GMT
 
 # Kenya
+
+# From P Chan (2020-10-24):
+#
+# The standard time of GMT+2:30 was adopted in the East Africa Protectorate....
+# [The Official Gazette, 1908-05-01, p 274]
+# https://books.google.com/books?id=e-cAC-sjPSEC&pg=PA274
+#
+# At midnight on 30 June 1928 the clocks throughout Kenya was put forward
+# half an hour by the Alteration of Time Ordinance, 1928.
+# https://gazettes.africa/archive/ke/1928/ke-government-gazette-dated-1928-05-11-no-28.pdf
+# [Ordinance No. 11 of 1928, The Offical Gazette, 1928-06-26, p 813]
+# https://books.google.com/books?id=2S0S6os32ZUC&pg=PA813
+#
+# The 1928 ordinance was repealed by the Alteration of Time (repeal) Ordinance,
+# 1929 and the time was restored to GMT+2:30 at midnight on 4 January 1930.
+# [Ordinance No. 97 of 1929, The Official Gazette, 1929-12-31, p 2701]
+# https://books.google.com/books?id=_g18jIZQlwwC&pg=PA2701
+#
+# The Alteration of Time Ordinance, 1936 changed the time to GMT+2:45
+# and repealed the previous ordinance at midnight on 31 December 1936.
+# [The Official Gazette, 1936-07-21, p 705]
+# https://books.google.com/books?id=K7j41z0aC5wC&pg=PA705
+#
+# The Defence (Amendment of Laws No. 120) Regulations changed the time
+# to GMT+3 at midnight on 31 July 1942.
+# [Kenya Official Gazette Supplement No. 32, 1942-07-21, p 331]
+# https://books.google.com/books?hl=zh-TW&id=c_E-AQAAIAAJ&pg=PA331
+# The provision of the 1936 ordinance was not repealed and was later
+# incorporated in the Interpretation and General Clauses Ordinance in 1948.
+# Although it was overridden by the 1942 regulations.
+# [The Laws of Kenya in force on 1948-09-21, Title I, Chapter 1, 31]
+# https://dds.crl.edu/item/217517 (p.101)
+# In 1950 the Interpretation and General Clauses Ordinance was amended to adopt
+# GMT+3 permanently as the 1942 regulations were due to expire on 10 December.
+# https://books.google.com/books?id=jvR8mUDAwR0C&pg=PA787
+# [Ordinance No. 44 of 1950, Kenya Ordinances 1950, Vol. XXIX, p 294]
+# https://books.google.com/books?id=-_dQAQAAMAAJ&pg=PA294
+
+# From Paul Eggert (2020-10-24):
+# The 1908-05-01 announcement does not give an effective date,
+# so just say "1908 May".
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Nairobi	2:27:16	-	LMT	1928 Jul
-			3:00	-	EAT	1930
-			2:30	-	+0230	1940
-			2:45	-	+0245	1960
+Zone	Africa/Nairobi	2:27:16	-	LMT	1908 May
+			2:30	-	+0230	1928 Jun 30 24:00
+			3:00	-	EAT	1930 Jan  4 24:00
+			2:30	-	+0230	1936 Dec 31 24:00
+			2:45	-	+0245	1942 Jul 31 24:00
 			3:00	-	EAT
 Link Africa/Nairobi Africa/Addis_Ababa	 # Ethiopia
 Link Africa/Nairobi Africa/Asmara	 # Eritrea
@@ -1247,8 +1341,69 @@
 # See Africa/Lagos.
 
 # Nigeria
+
+# From P Chan (2020-12-03):
+# GMT was adopted as the standard time of Lagos on 1905-07-01.
+# Lagos Weekly Record, 1905-06-24, p 3
+# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235
+# says "It is officially notified that on and after the 1st of July 1905
+# Greenwich Mean Solar Time will be adopted thought the Colony and
+# Protectorate, and that it will be necessary to put all clocks 13 minutes and
+# 35 seconds back, recording local mean time."
+#
+# It seemed that Lagos returned to LMT on 1908-07-01.
+# [The Lagos Standard], 1908-07-01, p 5
+# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523
+# says "Scarcely have the people become accustomed to this new time, when
+# another official notice has now appeared announcing that from and after the
+# 1st July next, return will be made to local mean time."
+#
+# From P Chan (2020-11-27):
+# On 1914-01-01, standard time of GMT+0:30 was adopted for the unified Nigeria.
+# Colonial Reports - Annual. No. 878. Nigeria. Report for 1914. (April 1916),
+# p 27
+# https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27
+# "On January 1st [1914], a universal standard time for Nigeria was adopted,
+# viz., half an hour fast on Greenwich mean time, corresponding to the meridian
+# 7 [degrees] 30' E. long."
+# Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos
+# was the local mean time. On 1st January, 1914, standard time for the whole of
+# Nigeria was introduced ... Lagos time has been advanced about 16 minutes
+# accordingly."
+#
+# In 1919, standard time was changed to GMT+1.
+# Interpretation Ordinance (Cap 2)
+# The Laws of Nigeria, Containing the Ordinances of Nigeria, in Force on the
+# 1st Day of January, 1923, Vol.I [p 16]
+# https://books.google.com/books?id=BOMrAQAAMAAJ&pg=PA16
+# "The expression 'Standard time' means standard time as used in Nigeria:
+# namely, 60 minutes in advance of Greenwich mean time.  (As amended by 18 of
+# 1919, s. 2.)"
+# From Tim Parenti (2020-12-10):
+# The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first
+# reading of this Bill by the Legislative Council of the Colony of Nigeria on
+# Thursday 1919-08-28:
+# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915
+# "The proposal is that the Globe should be divided into twelve zones East and
+# West of Greenwich, of one hour each, Nigeria falling into the zone with a
+# standard of one hour fast on Greenwich Mean Time.  Nigeria standard time is
+# now 30 minutes in advance of Greenwich Mean Time ... according to the new
+# proposal, standard time will be advanced another 30 minutes".  It was further
+# proposed that the firing of the time guns likewise be adjusted by 30 minutes
+# to compensate.
+# From Tim Parenti (2020-12-10), per P Chan (2020-12-11):
+# The text of Ordinance 18 of 1919, published in Nigeria Gazette, Vol 6, No 52,
+# shows that the change was assented to the following day and took effect "on
+# the 1st day of September, 1919."
+# Nigeria Gazette and Supplements 1919 Jan-Dec, Reference: 73266B-40,
+# img 245-246
+# https://microform.digital/boa/collections/77/volumes/539/nigeria-lagos-1887-1919
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Lagos	0:13:36 -	LMT	1919 Sep
+Zone	Africa/Lagos	0:13:35 -	LMT	1905 Jul  1
+			0:00	-	GMT	1908 Jul  1
+			0:13:35	-	LMT	1914 Jan  1
+			0:30	-	+0030	1919 Sep  1
 			1:00	-	WAT
 Link Africa/Lagos Africa/Bangui	     # Central African Republic
 Link Africa/Lagos Africa/Brazzaville # Rep. of the Congo
@@ -1321,8 +1476,21 @@
 # See Africa/Abidjan.
 
 # Seychelles
+
+# From P Chan (2020-11-27):
+# Standard Time was adopted on 1907-01-01.
+#
+# Standard Time Ordinance (Chapter 237)
+# The Laws of Seychelles in Force on the 31st December, 1971, Vol. 6, p 571
+# https://books.google.com/books?id=efE-AQAAIAAJ&pg=PA571
+#
+# From Tim Parenti (2020-12-05):
+# A footnote on https://books.google.com/books?id=DYdDAQAAMAAJ&pg=PA1689
+# confirms that Ordinance No. 9 of 1906 "was brought into force on the 1st
+# January, 1907."
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Indian/Mahe	3:41:48 -	LMT	1906 Jun # Victoria
+Zone	Indian/Mahe	3:41:48 -	LMT	1907 Jan  1 # Victoria
 			4:00	-	+04
 # From Paul Eggert (2001-05-30):
 # Aldabra, Farquhar, and Desroches, originally dependencies of the
@@ -1382,11 +1550,17 @@
 			3:00	-	EAT	2017 Nov  1
 			2:00	-	CAT
 
+# From Steffen Thorsen (2021-01-18):
+# "South Sudan will change its time zone by setting the clock back 1
+# hour on February 1, 2021...."
+# from https://eyeradio.org/south-sudan-adopts-new-time-zone-makuei/
+
 # South Sudan
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Juba	2:06:28 -	LMT	1931
 			2:00	Sudan	CA%sT	2000 Jan 15 12:00
-			3:00	-	EAT
+			3:00	-	EAT	2021 Feb  1 00:00
+			2:00	-	CAT
 
 # Tanzania
 # See Africa/Nairobi.
--- a/make/data/tzdata/asia	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/asia	Mon Apr 26 14:01:43 2021 +0100
@@ -1746,40 +1746,180 @@
 # high on my favorite-country list (and not only because my wife's
 # family is from India).
 
-# From Shanks & Pottenger:
+# From P Chan (2020-10-27), with corrections:
+#
+# 1940-1946 Supplement No. 2 to the Palestine Gazette
+# # issue page  Order No.   dated      start        end         note
+# 1 1010  729  67 of 1940 1940-05-22 1940-05-31* 1940-09-30* revoked by #2
+# 2 1013  758  73 of 1940 1940-05-31 1940-05-31  1940-09-30
+# 3 1055 1574 196 of 1940 1940-11-06 1940-11-16  1940-12-31
+# 4 1066 1811 208 of 1940 1940-12-17 1940-12-31  1941-12-31
+# 5 1156 1967 116 of 1941 1941-12-16 1941-12-31  1942-12-31* amended by #6
+# 6 1228 1608  86 of 1942 1942-10-14 1941-12-31  1942-10-31
+# 7 1256  279  21 of 1943 1943-03-18 1943-03-31  1943-10-31
+# 8 1323  249  19 of 1944 1944-03-13 1944-03-31  1944-10-31
+# 9 1402  328  20 of 1945 1945-04-05 1945-04-15  1945-10-31
+#10 1487  596  14 of 1946 1946-04-04 1946-04-15  1946-10-31
+#
+# 1948 Iton Rishmi (Official Gazette of the Provisional Government)
+# #    issue    page   dated      start       end
+#11 2             7 1948-05-20 1948-05-22 1948-10-31*
+#	^This moved timezone to +04, replaced by #12 from 1948-08-31 24:00 GMT.
+#12 17 (Annex B) 84 1948-08-22 1948-08-31 1948-10-31
+#
+# 1949-2000 Kovetz HaTakanot (Collection of Regulations)
+# # issue page  dated      start       end            note
+#13    6  133 1949-03-23 1949-04-30  1949-10-31
+#14   80  755 1950-03-17 1950-04-15  1950-09-14
+#15  164  782 1951-03-22 1951-03-31  1951-09-29* amended by #16
+#16  206 1940 1951-09-23 ----------  1951-10-22* amended by #17
+#17  212   78 1951-10-19 ----------  1951-11-10
+#18  254  652 1952-03-03 1952-04-19  1952-09-27* amended by #19
+#19  300   11 1952-09-15 ----------  1952-10-18
+#20  348  817 1953-03-03 1953-04-11  1953-09-12
+#21  420  385 1954-02-17 1954-06-12  1954-09-11
+#22  497  548 1955-01-14 1955-06-11  1955-09-10
+#23  591  608 1956-03-12 1956-06-02  1956-09-29
+#24  680  957 1957-02-08 1957-04-27  1957-09-21
+#25 3192 1418 1974-06-28 1974-07-06  1974-10-12
+#26 3322 1389 1975-04-03 1975-04-19  1975-08-30
+#27 4146 2089 1980-07-15 1980-08-02  1980-09-13
+#28 4604 1081 1984-02-22 1984-05-05* 1984-08-25* revoked by #29
+#29 4619 1312 1984-04-06 1984-05-05  1984-08-25
+#30 4744  475 1984-12-23 1985-04-13  1985-09-14* amended by #31
+#31 4851 1848 1985-08-18 ----------  1985-08-31
+#32 4932  899 1986-04-22 1986-05-17  1986-09-06
+#33 5013  580 1987-02-15 1987-04-18* 1987-08-22* revoked by #34
+#34 5021  744 1987-03-30 1987-04-14  1987-09-12
+#35 5096  659 1988-02-14 1988-04-09  1988-09-03
+#36 5167  514 1989-02-03 1989-04-29  1989-09-02
+#37 5248  375 1990-01-23 1990-03-24  1990-08-25
+#38 5335  612 1991-02-10 1991-03-09* 1991-08-31	 amended by #39
+#			 1992-03-28  1992-09-05
+#39 5339  709 1991-03-04 1991-03-23  ----------
+#40 5506  503 1993-02-18 1993-04-02  1993-09-05
+#			 1994-04-01  1994-08-28
+#			 1995-03-31  1995-09-03
+#41 5731  438 1996-01-01 1996-03-14  1996-09-15
+#			 1997-03-13* 1997-09-18* overridden by 1997 Temp Prov
+#			 1998-03-19* 1998-09-17* revoked by #42
+#42 5853 1243 1997-09-18 1998-03-19  1998-09-05
+#43 5937   77 1998-10-18 1999-04-02  1999-09-03
+#			 2000-04-14* 2000-09-15* revoked by #44
+#			 2001-04-13* 2001-09-14* revoked by #44
+#44 6024   39 2000-03-14 2000-04-14  2000-10-22* overridden by 2000 Temp Prov
+#			 2001-04-06* 2001-10-10* overridden by 2000 Temp Prov
+#			 2002-03-29* 2002-10-29* overridden by 2000 Temp Prov
+#
+# These are laws enacted by the Knesset since the Minister could only alter the
+# transition dates at least six months in advanced under the 1992 Law.
+#				dated		start		end
+# 1997 Temporary Provisions	1997-03-06	1997-03-20	1997-09-13
+# 2000 Temporary Provisions	2000-07-28	----------	2000-10-06
+#						2001-04-09	2001-09-24
+#						2002-03-29	2002-10-07
+#						2003-03-28	2003-10-03
+#						2004-04-07	2004-09-22
+# Note:
+# Transition times in 1940-1957 (#1-#24) were midnight GMT,
+# in 1974-1998 (#25-#42 and the 1997 Temporary Provisions) were midnight,
+# in 1999-April 2000 (#43,#44) were 02:00,
+# in the 2000 Temporary Provisions were 01:00.
+#
+# -----------------------------------------------------------------------------
+# Links:
+# 1 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=687
+# 2 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=716
+# 3 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=721
+# 4 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=958
+# 5 https://findit.library.yale.edu/images_layout/view?parentoid=15537502&increment=558
+# 6 https://findit.library.yale.edu/images_layout/view?parentoid=15537511&increment=105
+# 7 https://findit.library.yale.edu/images_layout/view?parentoid=15537516&increment=278
+# 8 https://findit.library.yale.edu/images_layout/view?parentoid=15537522&increment=248
+# 9 https://findit.library.yale.edu/images_layout/view?parentoid=15537530&increment=329
+#10 https://findit.library.yale.edu/images_layout/view?parentoid=15537537&increment=601
+#11 https://www.nevo.co.il/law_word/law12/er-002.pdf#page=3
+#12 https://www.nevo.co.il/law_word/law12/er-017-t2.pdf#page=4
+#13 https://www.nevo.co.il/law_word/law06/tak-0006.pdf#page=3
+#14 https://www.nevo.co.il/law_word/law06/tak-0080.pdf#page=7
+#15 https://www.nevo.co.il/law_word/law06/tak-0164.pdf#page=10
+#16 https://www.nevo.co.il/law_word/law06/tak-0206.pdf#page=4
+#17 https://www.nevo.co.il/law_word/law06/tak-0212.pdf#page=2
+#18 https://www.nevo.co.il/law_word/law06/tak-0254.pdf#page=4
+#19 https://www.nevo.co.il/law_word/law06/tak-0300.pdf#page=5
+#20 https://www.nevo.co.il/law_word/law06/tak-0348.pdf#page=3
+#21 https://www.nevo.co.il/law_word/law06/tak-0420.pdf#page=5
+#22 https://www.nevo.co.il/law_word/law06/tak-0497.pdf#page=10
+#23 https://www.nevo.co.il/law_word/law06/tak-0591.pdf#page=6
+#24 https://www.nevo.co.il/law_word/law06/tak-0680.pdf#page=3
+#25 https://www.nevo.co.il/law_word/law06/tak-3192.pdf#page=2
+#26 https://www.nevo.co.il/law_word/law06/tak-3322.pdf#page=5
+#27 https://www.nevo.co.il/law_word/law06/tak-4146.pdf#page=2
+#28 https://www.nevo.co.il/law_word/law06/tak-4604.pdf#page=7
+#29 https://www.nevo.co.il/law_word/law06/tak-4619.pdf#page=2
+#30 https://www.nevo.co.il/law_word/law06/tak-4744.pdf#page=11
+#31 https://www.nevo.co.il/law_word/law06/tak-4851.pdf#page=2
+#32 https://www.nevo.co.il/law_word/law06/tak-4932.pdf#page=19
+#33 https://www.nevo.co.il/law_word/law06/tak-5013.pdf#page=8
+#34 https://www.nevo.co.il/law_word/law06/tak-5021.pdf#page=8
+#35 https://www.nevo.co.il/law_word/law06/tak-5096.pdf#page=3
+#36 https://www.nevo.co.il/law_word/law06/tak-5167.pdf#page=2
+#37 https://www.nevo.co.il/law_word/law06/tak-5248.pdf#page=7
+#38 https://www.nevo.co.il/law_word/law06/tak-5335.pdf#page=6
+#39 https://www.nevo.co.il/law_word/law06/tak-5339.pdf#page=7
+#40 https://www.nevo.co.il/law_word/law06/tak-5506.pdf#page=19
+#41 https://www.nevo.co.il/law_word/law06/tak-5731.pdf#page=2
+#42 https://www.nevo.co.il/law_word/law06/tak-5853.pdf#page=3
+#43 https://www.nevo.co.il/law_word/law06/tak-5937.pdf#page=9
+#44 https://www.nevo.co.il/law_word/law06/tak-6024.pdf#page=4
+#
+# Time Determination (Temporary Provisions) Law, 1997
+# https://www.nevo.co.il/law_html/law19/p201_003.htm
+#
+# Time Determination (Temporary Provisions) Law, 2000
+# https://www.nevo.co.il/law_html/law19/p201_004.htm
+#
+# Time Determination Law, 1992 and amendments
+# https://www.nevo.co.il/law_html/law01/p201_002.htm
+# https://main.knesset.gov.il/Activity/Legislation/Laws/Pages/LawPrimary.aspx?lawitemid=2001174
+
+# From Paul Eggert (2020-10-27):
+# Several of the midnight transitions mentioned above are ambiguous;
+# are they 00:00, 00:00s, 24:00, or 24:00s?  When resolving these ambiguities,
+# try to minimize changes from previous tzdb versions, for lack of better info.
+# Commentary from previous versions is included below, to help explain this.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1940	only	-	Jun	 1	0:00	1:00	D
-Rule	Zion	1942	1944	-	Nov	 1	0:00	0	S
-Rule	Zion	1943	only	-	Apr	 1	2:00	1:00	D
-Rule	Zion	1944	only	-	Apr	 1	0:00	1:00	D
-Rule	Zion	1945	only	-	Apr	16	0:00	1:00	D
-Rule	Zion	1945	only	-	Nov	 1	2:00	0	S
-Rule	Zion	1946	only	-	Apr	16	2:00	1:00	D
-Rule	Zion	1946	only	-	Nov	 1	0:00	0	S
-Rule	Zion	1948	only	-	May	23	0:00	2:00	DD
-Rule	Zion	1948	only	-	Sep	 1	0:00	1:00	D
-Rule	Zion	1948	1949	-	Nov	 1	2:00	0	S
-Rule	Zion	1949	only	-	May	 1	0:00	1:00	D
-Rule	Zion	1950	only	-	Apr	16	0:00	1:00	D
-Rule	Zion	1950	only	-	Sep	15	3:00	0	S
-Rule	Zion	1951	only	-	Apr	 1	0:00	1:00	D
-Rule	Zion	1951	only	-	Nov	11	3:00	0	S
-Rule	Zion	1952	only	-	Apr	20	2:00	1:00	D
-Rule	Zion	1952	only	-	Oct	19	3:00	0	S
-Rule	Zion	1953	only	-	Apr	12	2:00	1:00	D
-Rule	Zion	1953	only	-	Sep	13	3:00	0	S
-Rule	Zion	1954	only	-	Jun	13	0:00	1:00	D
-Rule	Zion	1954	only	-	Sep	12	0:00	0	S
-Rule	Zion	1955	only	-	Jun	11	2:00	1:00	D
-Rule	Zion	1955	only	-	Sep	11	0:00	0	S
-Rule	Zion	1956	only	-	Jun	 3	0:00	1:00	D
-Rule	Zion	1956	only	-	Sep	30	3:00	0	S
-Rule	Zion	1957	only	-	Apr	29	2:00	1:00	D
-Rule	Zion	1957	only	-	Sep	22	0:00	0	S
-Rule	Zion	1974	only	-	Jul	 7	0:00	1:00	D
-Rule	Zion	1974	only	-	Oct	13	0:00	0	S
-Rule	Zion	1975	only	-	Apr	20	0:00	1:00	D
-Rule	Zion	1975	only	-	Aug	31	0:00	0	S
+Rule	Zion	1940	only	-	May	31	24:00u	1:00	D
+Rule	Zion	1940	only	-	Sep	30	24:00u	0	S
+Rule	Zion	1940	only	-	Nov	16	24:00u	1:00	D
+Rule	Zion	1942	1946	-	Oct	31	24:00u	0	S
+Rule	Zion	1943	1944	-	Mar	31	24:00u	1:00	D
+Rule	Zion	1945	1946	-	Apr	15	24:00u	1:00	D
+Rule	Zion	1948	only	-	May	22	24:00u	2:00	DD
+Rule	Zion	1948	only	-	Aug	31	24:00u	1:00	D
+Rule	Zion	1948	1949	-	Oct	31	24:00u	0	S
+Rule	Zion	1949	only	-	Apr	30	24:00u	1:00	D
+Rule	Zion	1950	only	-	Apr	15	24:00u	1:00	D
+Rule	Zion	1950	only	-	Sep	14	24:00u	0	S
+Rule	Zion	1951	only	-	Mar	31	24:00u	1:00	D
+Rule	Zion	1951	only	-	Nov	10	24:00u	0	S
+Rule	Zion	1952	only	-	Apr	19	24:00u	1:00	D
+Rule	Zion	1952	only	-	Oct	18	24:00u	0	S
+Rule	Zion	1953	only	-	Apr	11	24:00u	1:00	D
+Rule	Zion	1953	only	-	Sep	12	24:00u	0	S
+Rule	Zion	1954	only	-	Jun	12	24:00u	1:00	D
+Rule	Zion	1954	only	-	Sep	11	24:00u	0	S
+Rule	Zion	1955	only	-	Jun	11	24:00u	1:00	D
+Rule	Zion	1955	only	-	Sep	10	24:00u	0	S
+Rule	Zion	1956	only	-	Jun	 2	24:00u	1:00	D
+Rule	Zion	1956	only	-	Sep	29	24:00u	0	S
+Rule	Zion	1957	only	-	Apr	27	24:00u	1:00	D
+Rule	Zion	1957	only	-	Sep	21	24:00u	0	S
+Rule	Zion	1974	only	-	Jul	 6	24:00	1:00	D
+Rule	Zion	1974	only	-	Oct	12	24:00	0	S
+Rule	Zion	1975	only	-	Apr	19	24:00	1:00	D
+Rule	Zion	1975	only	-	Aug	30	24:00	0	S
 
 # From Alois Treindl (2019-03-06):
 # http://www.moin.gov.il/Documents/שעון%20קיץ/clock-50-years-7-2014.pdf
@@ -1792,25 +1932,24 @@
 # From Paul Eggert (2019-03-06):
 # Also see this thread about the moin.gov.il URL:
 # https://mm.icann.org/pipermail/tz/2018-November/027194.html
-Rule	Zion	1980	only	-	Aug	 2	0:00	1:00	D
-Rule	Zion	1980	only	-	Sep	13	1:00	0	S
-Rule	Zion	1984	only	-	May	 5	0:00	1:00	D
-Rule	Zion	1984	only	-	Aug	25	1:00	0	S
-
-# From Shanks & Pottenger:
-Rule	Zion	1985	only	-	Apr	14	0:00	1:00	D
-Rule	Zion	1985	only	-	Sep	15	0:00	0	S
-Rule	Zion	1986	only	-	May	18	0:00	1:00	D
-Rule	Zion	1986	only	-	Sep	 7	0:00	0	S
-Rule	Zion	1987	only	-	Apr	15	0:00	1:00	D
-Rule	Zion	1987	only	-	Sep	13	0:00	0	S
+Rule	Zion	1980	only	-	Aug	 2	24:00s	1:00	D
+Rule	Zion	1980	only	-	Sep	13	24:00s	0	S
+Rule	Zion	1984	only	-	May	 5	24:00s	1:00	D
+Rule	Zion	1984	only	-	Aug	25	24:00s	0	S
+
+Rule	Zion	1985	only	-	Apr	13	24:00	1:00	D
+Rule	Zion	1985	only	-	Aug	31	24:00	0	S
+Rule	Zion	1986	only	-	May	17	24:00	1:00	D
+Rule	Zion	1986	only	-	Sep	 6	24:00	0	S
+Rule	Zion	1987	only	-	Apr	14	24:00	1:00	D
+Rule	Zion	1987	only	-	Sep	12	24:00	0	S
 
 # From Avigdor Finkelstein (2014-03-05):
 # I check the Parliament (Knesset) records and there it's stated that the
 # [1988] transition should take place on Saturday night, when the Sabbath
 # ends and changes to Sunday.
-Rule	Zion	1988	only	-	Apr	10	0:00	1:00	D
-Rule	Zion	1988	only	-	Sep	 4	0:00	0	S
+Rule	Zion	1988	only	-	Apr	 9	24:00	1:00	D
+Rule	Zion	1988	only	-	Sep	 3	24:00	0	S
 
 # From Ephraim Silverberg
 # (1997-03-04, 1998-03-16, 1998-12-28, 2000-01-17, 2000-07-25, 2004-12-22,
@@ -1840,14 +1979,14 @@
 # (the eve of the 7th of Tishrei in the lunar Hebrew calendar).
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1989	only	-	Apr	30	0:00	1:00	D
-Rule	Zion	1989	only	-	Sep	 3	0:00	0	S
-Rule	Zion	1990	only	-	Mar	25	0:00	1:00	D
-Rule	Zion	1990	only	-	Aug	26	0:00	0	S
-Rule	Zion	1991	only	-	Mar	24	0:00	1:00	D
-Rule	Zion	1991	only	-	Sep	 1	0:00	0	S
-Rule	Zion	1992	only	-	Mar	29	0:00	1:00	D
-Rule	Zion	1992	only	-	Sep	 6	0:00	0	S
+Rule	Zion	1989	only	-	Apr	29	24:00	1:00	D
+Rule	Zion	1989	only	-	Sep	 2	24:00	0	S
+Rule	Zion	1990	only	-	Mar	24	24:00	1:00	D
+Rule	Zion	1990	only	-	Aug	25	24:00	0	S
+Rule	Zion	1991	only	-	Mar	23	24:00	1:00	D
+Rule	Zion	1991	only	-	Aug	31	24:00	0	S
+Rule	Zion	1992	only	-	Mar	28	24:00	1:00	D
+Rule	Zion	1992	only	-	Sep	 5	24:00	0	S
 Rule	Zion	1993	only	-	Apr	 2	0:00	1:00	D
 Rule	Zion	1993	only	-	Sep	 5	0:00	0	S
 
@@ -1876,10 +2015,10 @@
 #       where YYYY is the relevant year.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1996	only	-	Mar	15	0:00	1:00	D
-Rule	Zion	1996	only	-	Sep	16	0:00	0	S
-Rule	Zion	1997	only	-	Mar	21	0:00	1:00	D
-Rule	Zion	1997	only	-	Sep	14	0:00	0	S
+Rule	Zion	1996	only	-	Mar	14	24:00	1:00	D
+Rule	Zion	1996	only	-	Sep	15	24:00	0	S
+Rule	Zion	1997	only	-	Mar	20	24:00	1:00	D
+Rule	Zion	1997	only	-	Sep	13	24:00	0	S
 Rule	Zion	1998	only	-	Mar	20	0:00	1:00	D
 Rule	Zion	1998	only	-	Sep	 6	0:00	0	S
 Rule	Zion	1999	only	-	Apr	 2	2:00	1:00	D
@@ -1931,14 +2070,15 @@
 Rule	Zion	2011	only	-	Oct	 2	2:00	0	S
 Rule	Zion	2012	only	-	Sep	23	2:00	0	S
 
-# From Ephraim Silverberg (2013-06-27):
-# On June 23, 2013, the Israeli government approved changes to the
-# Time Decree Law.  The next day, the changes passed the First Reading
-# in the Knesset.  The law is expected to pass the Second and Third
-# (final) Readings by the beginning of September 2013.
-#
-# As of 2013, DST starts at 02:00 on the Friday before the last Sunday
-# in March.  DST ends at 02:00 on the last Sunday of October.
+# From Ephraim Silverberg (2020-10-26):
+# The current time law (2013) from the State of Israel can be viewed
+# (in Hebrew) at:
+# ftp://ftp.cs.huji.ac.il/pub/tz/israel/announcements/2013+law.pdf
+# It translates to:
+# Every year, in the period from the Friday before the last Sunday in
+# the month of March at 02:00 a.m. until the last Sunday of the month
+# of October at 02:00 a.m., Israel Time will be advanced an additional
+# hour such that it will be UTC+3.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
 Rule	Zion	2013	max	-	Mar	Fri>=23	2:00	1:00	D
--- a/make/data/tzdata/australasia	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/australasia	Mon Apr 26 14:01:43 2021 +0100
@@ -37,16 +37,13 @@
 # Please see the notes below for the controversy about "EST" versus "AEST" etc.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Aus	1917	only	-	Jan	 1	0:01	1:00	D
-Rule	Aus	1917	only	-	Mar	25	2:00	0	S
-Rule	Aus	1942	only	-	Jan	 1	2:00	1:00	D
-Rule	Aus	1942	only	-	Mar	29	2:00	0	S
-Rule	Aus	1942	only	-	Sep	27	2:00	1:00	D
-Rule	Aus	1943	1944	-	Mar	lastSun	2:00	0	S
-Rule	Aus	1943	only	-	Oct	 3	2:00	1:00	D
-# Go with Whitman and the Australian National Standards Commission, which
-# says W Australia didn't use DST in 1943/1944.  Ignore Whitman's claim that
-# 1944/1945 was just like 1943/1944.
+Rule	Aus	1917	only	-	Jan	 1	2:00s	1:00	D
+Rule	Aus	1917	only	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1942	only	-	Jan	 1	2:00s	1:00	D
+Rule	Aus	1942	only	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1942	only	-	Sep	27	2:00s	1:00	D
+Rule	Aus	1943	1944	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1943	only	-	Oct	 3	2:00s	1:00	D
 
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 # Northern Territory
@@ -138,8 +135,12 @@
 # says King Island didn't observe DST from WWII until late 1971.
 #
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	AT	1916	only	-	Oct	Sun>=1	2:00s	1:00	D
+Rule	AT	1917	only	-	Mar	lastSun	2:00s	0	S
+Rule	AT	1917	1918	-	Oct	Sun>=22	2:00s	1:00	D
+Rule	AT	1918	1919	-	Mar	Sun>=1	2:00s	0	S
 Rule	AT	1967	only	-	Oct	Sun>=1	2:00s	1:00	D
-Rule	AT	1968	only	-	Mar	lastSun	2:00s	0	S
+Rule	AT	1968	only	-	Mar	Sun>=29	2:00s	0	S
 Rule	AT	1968	1985	-	Oct	lastSun	2:00s	1:00	D
 Rule	AT	1969	1971	-	Mar	Sun>=8	2:00s	0	S
 Rule	AT	1972	only	-	Feb	lastSun	2:00s	0	S
@@ -159,15 +160,9 @@
 Rule	AT	2008	max	-	Apr	Sun>=1	2:00s	0	S
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone Australia/Hobart	9:49:16	-	LMT	1895 Sep
-			10:00	-	AEST	1916 Oct  1  2:00
-			10:00	1:00	AEDT	1917 Feb
+			10:00	AT	AE%sT	1919 Oct 24
 			10:00	Aus	AE%sT	1967
 			10:00	AT	AE%sT
-Zone Australia/Currie	9:35:28	-	LMT	1895 Sep
-			10:00	-	AEST	1916 Oct  1  2:00
-			10:00	1:00	AEDT	1917 Feb
-			10:00	Aus	AE%sT	1971 Jul
-			10:00	AT	AE%sT
 
 # Victoria
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
@@ -896,13 +891,36 @@
 
 
 # Vanuatu
+
+# From P Chan (2020-11-27):
+# Joint Daylight Saving Regulation No 59 of 1973
+# New Hebrides Condominium Gazette No 336. December 1973
+# http://www.paclii.org/vu/other/VUNHGovGaz//1973/11.pdf#page=15
+#
+# Joint Daylight Saving (Repeal) Regulation No 10 of 1974
+# New Hebrides Condominium Gazette No 336. March 1974
+# http://www.paclii.org/vu/other/VUNHGovGaz//1974/3.pdf#page=11
+#
+# Summer Time Act No. 35 of 1982 [commenced 1983-09-01]
+# http://www.paclii.org/vu/other/VUGovGaz/1982/32.pdf#page=48
+#
+# Summer Time Act (Cap 157)
+# Laws of the Republic of Vanuatu Revised Edition 1988
+# http://www.paclii.org/cgi-bin/sinodisp/vu/legis/consol_act1988/sta147/sta147.html
+#
+# Summer Time (Amendment) Act No. 6 of 1991 [commenced 1991-11-11]
+# http://www.paclii.org/vu/legis/num_act/sta1991227/
+#
+# Summer Time (Repeal) Act No. 4 of 1993 [commenced 1993-05-03]
+# http://www.paclii.org/vu/other/VUGovGaz/1993/15.pdf#page=59
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Vanuatu	1983	only	-	Sep	25	0:00	1:00	-
-Rule	Vanuatu	1984	1991	-	Mar	Sun>=23	0:00	0	-
-Rule	Vanuatu	1984	only	-	Oct	23	0:00	1:00	-
-Rule	Vanuatu	1985	1991	-	Sep	Sun>=23	0:00	1:00	-
-Rule	Vanuatu	1992	1993	-	Jan	Sun>=23	0:00	0	-
-Rule	Vanuatu	1992	only	-	Oct	Sun>=23	0:00	1:00	-
+Rule	Vanuatu	1973	only	-	Dec	22	12:00u	1:00	-
+Rule	Vanuatu	1974	only	-	Mar	30	12:00u	0	-
+Rule	Vanuatu	1983	1991	-	Sep	Sat>=22	24:00	1:00	-
+Rule	Vanuatu	1984	1991	-	Mar	Sat>=22	24:00	0	-
+Rule	Vanuatu	1992	1993	-	Jan	Sat>=22	24:00	0	-
+Rule	Vanuatu	1992	only	-	Oct	Sat>=22	24:00	1:00	-
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Efate	11:13:16 -	LMT	1912 Jan 13 # Vila
 			11:00	Vanuatu	+11/+12
@@ -981,6 +999,25 @@
 # Electronic Journal of Australian and New Zealand History (1997-03-03)
 # http://www.jcu.edu.au/aff/history/reviews/davison.htm
 
+# From P Chan (2020-11-20):
+# Daylight Saving Act 1916 (No. 40 of 1916) [1916-12-21, commenced 1917-01-01]
+# http://classic.austlii.edu.au/au/legis/cth/num_act/dsa1916401916192/
+#
+# Daylight Saving Repeal Act 1917 (No. 35 of 1917) [1917-09-25]
+# http://classic.austlii.edu.au/au/legis/cth/num_act/dsra1917351917243/
+#
+# Statutory Rules 1941, No. 323 [1941-12-24]
+# https://www.legislation.gov.au/Details/C1941L00323
+#
+# Statutory Rules 1942, No. 392 [1942-09-10]
+# https://www.legislation.gov.au/Details/C1942L00392
+#
+# Statutory Rules 1943, No. 241 [1943-09-29]
+# https://www.legislation.gov.au/Details/C1943L00241
+#
+# All transition times should be 02:00 standard time.
+
+
 # From Paul Eggert (2005-12-08):
 # Implementation Dates of Daylight Saving Time within Australia
 # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml
@@ -1373,6 +1410,27 @@
 
 # Tasmania
 
+# From P Chan (2020-11-20):
+# Tasmania observed DST in 1916-1919.
+#
+# Daylight Saving Act, 1916 (7 Geo V, No 2) [1916-09-22]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsa19167gvn2267/
+#
+# Daylight Saving Amendment Act, 1917 (8 Geo V, No 5) [1917-10-01]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsaa19178gvn5347/
+#
+# Daylight Saving Act Repeal Act, 1919 (10 Geo V, No 9) [1919-10-24]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsara191910gvn9339/
+#
+# King Island is mentioned in the 1967 Act but not the 1968 Act.
+# Therefore it possibly observed DST from 1968/69.
+#
+# Daylight Saving Act 1967 (No. 33 of 1967) [1967-09-22]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196733o1967211/
+#
+# Daylight Saving Act 1968 (No. 42 of 1968) [1968-10-15]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196842o1968211/
+
 # The rules for 1967 through 1991 were reported by George Shepherd
 # via Simon Woodhead via Robert Elz (1991-03-06):
 # #  The state of TASMANIA.. [Courtesy Tasmanian Dept of Premier + Cabinet ]
--- a/make/data/tzdata/backward	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/backward	Mon Apr 26 14:01:43 2021 +0100
@@ -72,6 +72,7 @@
 Link	Europe/Oslo		Atlantic/Jan_Mayen
 Link	Australia/Sydney	Australia/ACT
 Link	Australia/Sydney	Australia/Canberra
+Link	Australia/Hobart	Australia/Currie
 Link	Australia/Lord_Howe	Australia/LHI
 Link	Australia/Sydney	Australia/NSW
 Link	Australia/Darwin	Australia/North
--- a/make/data/tzdata/etcetera	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/etcetera	Mon Apr 26 14:01:43 2021 +0100
@@ -26,12 +26,11 @@
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# These entries are mostly present for historical reasons, so that
-# people in areas not otherwise covered by the tz files could "zic -l"
-# to a timezone that was right for their area.  These days, the
-# tz files cover almost all the inhabited world, and the only practical
-# need now for the entries that are not on UTC are for ships at sea
-# that cannot use POSIX TZ settings.
+# These entries are for uses not otherwise covered by the tz database.
+# Their main practical use is for platforms like Android that lack
+# support for POSIX-style TZ strings.  On such platforms these entries
+# can be useful if the timezone database is wrong or if a ship or
+# aircraft at sea is not in a timezone.
 
 # Starting with POSIX 1003.1-2001, the entries below are all
 # unnecessary as settings for the TZ environment variable.  E.g.,
--- a/make/data/tzdata/europe	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/europe	Mon Apr 26 14:01:43 2021 +0100
@@ -2915,6 +2915,19 @@
 # The law has been published today on
 # http://publication.pravo.gov.ru/Document/View/0001201810110037
 
+# From Alexander Krivenyshev (2020-11-27):
+# The State Duma approved (Nov 24, 2020) the transition of the Volgograd
+# region to the Moscow time zone....
+# https://sozd.duma.gov.ru/bill/1012130-7
+#
+# From Stepan Golosunov (2020-12-05):
+# Currently proposed text for the second reading (expected on December 8) ...
+# changes the date to December 27. https://v1.ru/text/gorod/2020/12/04/69601031/
+#
+# From Stepan Golosunov (2020-12-22):
+# The law was published today on
+# http://publication.pravo.gov.ru/Document/View/0001202012220002
+
 Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
 			 3:00	-	+03	1930 Jun 21
 			 4:00	-	+04	1961 Nov 11
@@ -2924,7 +2937,8 @@
 			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
 			 4:00	-	+04	2014 Oct 26  2:00s
 			 3:00	-	+03	2018 Oct 28  2:00s
-			 4:00	-	+04
+			 4:00	-	+04	2020 Dec 27  2:00s
+			 3:00	-	+03
 
 # From Paul Eggert (2016-11-11):
 # Europe/Saratov covers:
--- a/make/data/tzdata/leapseconds	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/leapseconds	Mon Apr 26 14:01:43 2021 +0100
@@ -29,6 +29,10 @@
 # NIST format leap-seconds.list file, which can be copied from
 # <ftp://ftp.nist.gov/pub/time/leap-seconds.list>
 # or <ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list>.
+# The NIST file is used instead of its IERS upstream counterpart
+# <https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list>
+# because under US law the NIST file is public domain
+# whereas the IERS file's copyright and license status is unclear.
 # For more about leap-seconds.list, please see
 # The NTP Timescale and Leap Seconds
 # <https://www.eecis.udel.edu/~mills/leap.html>.
@@ -91,11 +95,11 @@
 # Any additional leap seconds will come after this.
 # This Expires line is commented out for now,
 # so that pre-2020a zic implementations do not reject this file.
-#Expires 2021	Jun	28	00:00:00
+#Expires 2021	Dec	28	00:00:00
 
 # POSIX timestamps for the data in this file:
 #updated 1467936000 (2016-07-08 00:00:00 UTC)
-#expires 1624838400 (2021-06-28 00:00:00 UTC)
+#expires 1640649600 (2021-12-28 00:00:00 UTC)
 
-#	Updated through IERS Bulletin C60
-#	File expires on:  28 June 2021
+#	Updated through IERS Bulletin C61
+#	File expires on:  28 December 2021
--- a/make/data/tzdata/northamerica	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/northamerica	Mon Apr 26 14:01:43 2021 +0100
@@ -2257,7 +2257,7 @@
 #     to say eight hours behind Greenwich Time.
 #
 # * O.I.C. 1980/02 INTERPRETATION ACT
-#   [no online source found]
+#   https://mm.icann.org/pipermail/tz/attachments/20201125/d5adc93b/CAYTOIC1980-02DST1980-01-04-0001.pdf
 #
 # * Yukon Daylight Saving Time, YOIC 1987/56
 #   https://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
@@ -2958,12 +2958,38 @@
 #
 # For 1899 Milne gives -5:09:29.5; round that.
 #
+# From P Chan (2020-11-27, corrected on 2020-12-02):
+# There were two periods of DST observed in 1942-1945: 1942-05-01
+# midnight to 1944-12-31 midnight and 1945-02-01 to 1945-10-17 midnight.
+# "midnight" should mean 24:00 from the context.
+#
+# War Time Order 1942 [1942-05-01] and War Time (No. 2) Order 1942  [1942-09-29]
+# Appendix to the Statutes of 7 George VI. and the Year 1942. p 34, 43
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA34
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA43
+#
+# War Time Order 1943 [1943-03-31] and War Time Order 1944 [1943-12-29]
+# Appendix to the Statutes of 8 George VI. and the Year 1943. p 9-10, 28-29
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA9
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA28
+#
+# War Time Order 1945 [1945-01-31] and the Order which revoke War Time Order
+# 1945 [1945-10-16] Appendix to the Statutes of 9 George VI. and the Year
+# 1945. p 160, 247-248
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA160
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA247
+#
 # From Sue Williams (2006-12-07):
 # The Bahamas announced about a month ago that they plan to change their DST
 # rules to sync with the U.S. starting in 2007....
 # http://www.jonesbahamas.com/?c=45&a=10412
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	Bahamas	1942	only	-	May	 1	24:00	1:00	W
+Rule	Bahamas	1944	only	-	Dec	31	24:00	0	S
+Rule	Bahamas	1945	only	-	Feb	 1	0:00	1:00	W
+Rule	Bahamas	1945	only	-	Aug	14	23:00u	1:00	P # Peace
+Rule	Bahamas	1945	only	-	Oct	17	24:00	0	S
 Rule	Bahamas	1964	1975	-	Oct	lastSun	2:00	0	S
 Rule	Bahamas	1964	1975	-	Apr	lastSun	2:00	1:00	D
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
@@ -2987,34 +3013,161 @@
 			-4:00	Barb	A%sT
 
 # Belize
-# Whitman entirely disagrees with Shanks; go with Shanks & Pottenger.
+
+# From P Chan (2020-11-03):
+# Below are some laws related to the time in British Honduras/Belize:
+#
+# Definition of Time Ordinance, 1927 (No.4 of 1927) [1927-04-01]
+# Ordinances of British Honduras Passed in the Year 1927, p 19-20
+# https://books.google.com/books?id=LqEpAQAAMAAJ&pg=RA3-PA19
+#
+# Definition of Time (Amendment) Ordinance, 1942 (No. 5 of 1942) [1942-06-27]
+# Ordinances of British Honduras Passed in the Year 1942, p 31-32
+# https://books.google.com/books?id=h6MpAQAAMAAJ&pg=RA6-PA95-IA44
+#
+# Definition of Time Ordinance, 1945 (No. 19 of 1945) [1945-12-15]
+# Ordinances of British Honduras Passed in the Year 1945, p 49-50
+# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA2-PP1
+#
+# Definition of Time Ordinance, 1947 (No. 1 of 1947) [1947-03-11]
+# Ordinances of British Honduras Passed in the Year 1947, p 1-2
+# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA3-PA1
+#
+# Time (Definition of) Ordinance  (Chapter 180)
+# The Laws of British Honduras in Force on the 15th Day of September, 1958 , Volume IV, p 2580
+# https://books.google.com/books?id=v5QpAQAAMAAJ&pg=PA2580
+#
+# Time (Definition of) (Amendment) Ordinance, 1968 (No. 13 of 1968) [1968-08-03]
+# https://books.google.com/books?id=xij7KEB_58wC&pg=RA1-PA428-IA9
+#
+# Definition of Time Act (Chapter 339)
+# Law of Belize, Revised Edition 2000
+# http://www.belizelaw.org/web/lawadmin/PDF%20files/cap339.pdf
+
+# From Paul Eggert (2020-11-03):
+# The transitions below are derived from P Chan's sources, except that the
+# 1973 through 1983 transitions are from Shanks & Pottenger since we have
+# no better data there.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Belize	1918	1942	-	Oct	Sun>=2	0:00	0:30	-0530
-Rule	Belize	1919	1943	-	Feb	Sun>=9	0:00	0	CST
+Rule	Belize	1918	1941	-	Oct	Sat>=1	24:00	0:30	-0530
+Rule	Belize	1919	1942	-	Feb	Sat>=8	24:00	0	CST
+Rule	Belize	1942	only	-	Jun	27	24:00	1:00	CWT
+Rule	Belize	1945	only	-	Aug	14	23:00u	1:00	CPT
+Rule	Belize	1945	only	-	Dec	15	24:00	0	CST
+Rule	Belize	1947	1967	-	Oct	Sat>=1	24:00	0:30	-0530
+Rule	Belize	1948	1968	-	Feb	Sat>=8	24:00	0	CST
 Rule	Belize	1973	only	-	Dec	 5	0:00	1:00	CDT
 Rule	Belize	1974	only	-	Feb	 9	0:00	0	CST
 Rule	Belize	1982	only	-	Dec	18	0:00	1:00	CDT
 Rule	Belize	1983	only	-	Feb	12	0:00	0	CST
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	America/Belize	-5:52:48 -	LMT	1912 Apr
+Zone	America/Belize	-5:52:48 -	LMT	1912 Apr  1
 			-6:00	Belize	%s
 
 # Bermuda
 
+# From Paul Eggert (2020-11-24):
 # For 1899 Milne gives -4:19:18.3 as the meridian of the clock tower,
-# Bermuda dockyard, Ireland I; round that.
+# Bermuda dockyard, Ireland I.  This agrees with standard offset given in the
+# Daylight Saving Act, 1917 cited below.  Round that to the nearest second.
+# It is not known when this time became standard for Bermuda; guess 1890.
+# The transition to -04 was specified by:
+# 1930: The Time Zone Act, 1929 (1929: No. 39) [1929-11-08]
+# https://books.google.com/books?id=7tdMAQAAIAAJ&pg=RA54-PP1
+
+# From P Chan (2020-11-20):
+# Most of the information can be found online from the Bermuda National
+# Library - Digital Collection which includes The Royal Gazette (RG) until 1957
+# https://bnl.contentdm.oclc.org/digital/
+# I will cite the ID.  For example, [10000] means
+# https://bnl.contentdm.oclc.org/digital/collection/BermudaNP02/id/10000
+#
+# 1917: Apr 5 midnight to Sep 30 midnight
+# Daylight Saving Act, 1917 (1917 No. 13) [1917-04-02]
+# Bermuda Acts and Resolves 1917, p 37-38
+# https://books.google.com/books?id=M-lCAQAAMAAJ&pg=PA36-IA2
+# RG, 1917-04-04, p 6 [42340] gives the spring forward date.
+#
+# 1918: Apr 13 midnight to Sep 15 midnight
+# Daylight Saving Act, 1918 (1918 No. 9) [1918-04-06]
+# Bermuda Acts and Resolves 1917, p 13
+# https://books.google.com/books?id=K-lCAQAAMAAJ&pg=RA1-PA7
+#
+# Note that local mean time was still used before 1930.
+#
+# During WWII, DST was introduced by Defence Regulations
+# 1942: Jan 11 02:00 to Oct 18 02:00 [113646], [115726]
+# 1943: Mar 21 02:00 to Oct 31 02:00 [116704], [118193]
+# 1944: Mar 12 02:00 to Nov 5 02:00 [119225], [121593]
+# 1945: Mar 11 02:00 to Nov 4 02:00 [122369], [124461]
+# RG, 1942-01-08, p 2, 1942-10-12, p 2 , 1943-03-06, p 2, 1943-09-03, p 1,
+# 1944-02-29, p 6, 1944-09-20, p 2, 1945-02-13, p 2, 1945-11-03, p 1
+#
+# In 1946, the House of Assembly rejected DST twice. [128686], [128076]
+# RG, 1946-03-16 p 1,1946-04-13 p 1
+#
+# 1947: third Sunday in May 02:00 to second Sunday in September 02:00
+# DST in 1947 was defined in the Daylight Saving Act, 1947 (1947: No. 12)
+# which expired at the end of the year.  [125784] ,[132405], [144454], [138226]
+# RG, 1947-02-27, p 1, 1947-05-15, p 1, 1947-09-13, p 1, 1947-12-30, p 1
+#
+# 1948-1952: fourth Sunday in May 02:00 to first Sunday in September 02:00
+# DST in 1948 was defined in the Daylight Saving Act, 1948 (1948 : No. 12)
+# which was set to expired at the end of the year but it was extended until
+# the end of 1952 and was not further extended.
+# [129802], [139403], [146008], [135240], [144330], [139049], [143309],
+# [148271], [149773], [153589], [153802], [155924]
+# RG, 1948-04-13, p 1, 1948-05-22, p 1, 1948-09-04, p 1, 1949-05-21, p1,
+# 1949-09-03, p 1, 1950-05-27 p 1, 1950-09-02, p 1, 1951-05-27, p 1,
+# 1951-09-01, p 1, 1952-05-23, p 1, 1952-09-26, p 1, 1952-12-21, p 8
+#
+# In 1953-1955, the House of Assembly rejected DST each year. [158996],
+# [162620], [166720] RG, 1953-05-02, p 1, 1954-04-01 p 1, 1955-03-12, p 1
+#
+# 1956: fourth Sunday in May 02:00 to last Sunday in October 02:00
+# Time Zone (Seasonal Variation) Act, 1956 (1956: No.44) [1956-05-25]
+# Bermuda Public Acts 1956, p 331-332
+# https://books.google.com/books?id=Xs1AlmD_cEwC&pg=PA63
+#
+# The extension of the Act was rejected by the House of Assembly. [176218]
+# RG, 1956-12-13, p 1
+#
+# From the Chronological Table of Public and Private Acts up to 1985, it seems
+# that there does not exist other Acts related to DST before 1973.
+# https://books.google.com/books?id=r9hMAQAAIAAJ&pg=RA23-PA1
+# Public Acts of the Legislature of the Islands of Bermuda, Together with
+# Statutory Instruments in Force Thereunder, Vol VII
 
 # From Dan Jones, reporting in The Royal Gazette (2006-06-26):
-
 # Next year, however, clocks in the US will go forward on the second Sunday
 # in March, until the first Sunday in November.  And, after the Time Zone
 # (Seasonal Variation) Bill 2006 was passed in the House of Assembly on
 # Friday, the same thing will happen in Bermuda.
 # http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060529/NEWS/105290135
 
+# Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	Bermuda	1917	only	-	Apr	 5	24:00	1:00	-
+Rule	Bermuda	1917	only	-	Sep	30	24:00	0	-
+Rule	Bermuda	1918	only	-	Apr	13	24:00	1:00	-
+Rule	Bermuda	1918	only	-	Sep	15	24:00	0	S
+Rule	Bermuda	1942	only	-	Jan	11	 2:00	1:00	D
+Rule	Bermuda	1942	only	-	Oct	18	 2:00	0	S
+Rule	Bermuda	1943	only	-	Mar	21	 2:00	1:00	D
+Rule	Bermuda	1943	only	-	Oct	31	 2:00	0	S
+Rule	Bermuda	1944	1945	-	Mar	Sun>=8	 2:00	1:00	D
+Rule	Bermuda	1944	1945	-	Nov	Sun>=1	 2:00	0	S
+Rule	Bermuda	1947	only	-	May	Sun>=15	 2:00	1:00	D
+Rule	Bermuda	1947	only	-	Sep	Sun>=8	 2:00	0	S
+Rule	Bermuda	1948	1952	-	May	Sun>=22	 2:00	1:00	D
+Rule	Bermuda	1948	1952	-	Sep	Sun>=1	 2:00	0	S
+Rule	Bermuda	1956	only	-	May	Sun>=22	 2:00	1:00	D
+Rule	Bermuda	1956	only	-	Oct	lastSun	 2:00	0	S
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone Atlantic/Bermuda	-4:19:18 -	LMT	1930 Jan  1  2:00 # Hamilton
-			-4:00	-	AST	1974 Apr 28  2:00
+Zone Atlantic/Bermuda	-4:19:18 -	LMT	1890	# Hamilton
+			-4:19:18 Bermuda BMT/BST 1930 Jan 1  2:00
+			-4:00	Bermuda	A%sT	1974 Apr 28  2:00
 			-4:00	Canada	A%sT	1976
 			-4:00	US	A%sT
 
@@ -3597,7 +3750,7 @@
 # "Eastern Standard Times Begins 2007
 # Clocks are set back one hour at 2:00 a.m. local Daylight Saving Time"
 # indicating that the normal ET rules are followed.
-#
+
 # From Paul Eggert (2014-08-19):
 # The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round.  See:
 # http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm
@@ -3612,19 +3765,42 @@
 # during the summer months and Standard Time, also known as Local
 # Time, during the winter months with effect from April 2018 ...
 # https://www.gov.uk/government/news/turks-and-caicos-post-cabinet-meeting-statement--3
-#
 # From Paul Eggert (2017-08-26):
 # The date of effect of the spring 2018 change appears to be March 11,
 # which makes more sense.  See: Hamilton D. Time change back
 # by March 2018 for TCI. Magnetic Media. 2017-08-25.
 # http://magneticmediatv.com/2017/08/time-change-back-by-march-2018-for-tci/
 #
+# From P Chan (2020-11-27):
+# Standard Time Declaration Order 2015 (L.N. 15/2015)
+# http://online.fliphtml5.com/fizd/czin/#p=2
+#
+# Standard Time Declaration Order 2017 (L.N. 31/2017)
+# http://online.fliphtml5.com/fizd/dmcu/#p=2
+#
+# From Tim Parenti (2020-12-05):
+# Although L.N. 31/2017 reads that it "shall come into operation at 2:00 a.m.
+# on 11th March 2018", a precise interpretation here poses some problems.  The
+# order states that "the standard time to be observed throughout the Turks and
+# Caicos Islands shall be the same time zone as the Eastern United States of
+# America" and further clarifies "[f]or the avoidance of doubt" that it
+# "applies to the Eastern Standard Time as well as any changes thereto for
+# Daylight Saving Time."  However, as clocks in Turks and Caicos approached
+# 02:00 -04, and thus the declared implementation time, it was still 01:00 EST
+# (-05), as DST in the Eastern US would not start until an hour later.
+#
+# Since it is unlikely that those on the islands switched their clocks twice in
+# the span of an hour, we assume instead that the adoption of EDT actually took
+# effect once clocks in the Eastern US had sprung forward, from 03:00 -04.
+# This discrepancy only affects the time zone abbreviation and DST flag for the
+# intervening hour, not wall clock times, as -04 was maintained throughout.
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone America/Grand_Turk	-4:44:32 -	LMT	1890
 			-5:07:10 -	KMT	1912 Feb # Kingston Mean Time
 			-5:00	-	EST	1979
-			-5:00	US	E%sT	2015 Nov Sun>=1 2:00
-			-4:00	-	AST	2018 Mar 11 3:00
+			-5:00	US	E%sT	2015 Mar  8  2:00
+			-4:00	-	AST	2018 Mar 11  3:00
 			-5:00	US	E%sT
 
 # British Virgin Is
--- a/make/data/tzdata/zone.tab	Mon Apr 19 04:23:30 2021 +0100
+++ b/make/data/tzdata/zone.tab	Mon Apr 26 14:01:43 2021 +0100
@@ -79,8 +79,7 @@
 AT	+4813+01620	Europe/Vienna
 AU	-3133+15905	Australia/Lord_Howe	Lord Howe Island
 AU	-5430+15857	Antarctica/Macquarie	Macquarie Island
-AU	-4253+14719	Australia/Hobart	Tasmania (most areas)
-AU	-3956+14352	Australia/Currie	Tasmania (King Island)
+AU	-4253+14719	Australia/Hobart	Tasmania
 AU	-3749+14458	Australia/Melbourne	Victoria
 AU	-3352+15113	Australia/Sydney	New South Wales (most areas)
 AU	-3157+14127	Australia/Broken_Hill	New South Wales (Yancowinna)
@@ -153,9 +152,9 @@
 CA	+4906-11631	America/Creston	MST - BC (Creston)
 CA	+5946-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
+CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
+CA	+6404-13925	America/Dawson	MST - Yukon (west)
 CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
-CA	+6043-13503	America/Whitehorse	Pacific - Yukon (east)
-CA	+6404-13925	America/Dawson	Pacific - Yukon (west)
 CC	-1210+09655	Indian/Cocos
 CD	-0418+01518	Africa/Kinshasa	Dem. Rep. of Congo (west)
 CD	-1140+02728	Africa/Lubumbashi	Dem. Rep. of Congo (east)
@@ -360,8 +359,8 @@
 # Programs should use zone1970.tab instead; see above.
 UA	+4457+03406	Europe/Simferopol	Crimea
 RU	+5836+04939	Europe/Kirov	MSK+00 - Kirov
+RU	+4844+04425	Europe/Volgograd	MSK+00 - Volgograd
 RU	+4621+04803	Europe/Astrakhan	MSK+01 - Astrakhan
-RU	+4844+04425	Europe/Volgograd	MSK+01 - Volgograd
 RU	+5134+04602	Europe/Saratov	MSK+01 - Saratov
 RU	+5420+04824	Europe/Ulyanovsk	MSK+01 - Ulyanovsk
 RU	+5312+05009	Europe/Samara	MSK+01 - Samara, Udmurtia
--- a/src/share/classes/com/sun/jndi/ldap/Obj.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/com/sun/jndi/ldap/Obj.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -235,6 +235,9 @@
         String[] codebases = getCodebases(attrs.get(JAVA_ATTRIBUTES[CODEBASE]));
         try {
             if ((attr = attrs.get(JAVA_ATTRIBUTES[SERIALIZED_DATA])) != null) {
+                if (!VersionHelper12.isSerialDataAllowed()) {
+                    throw new NamingException("Object deserialization is not allowed");
+                }
                 ClassLoader cl = helper.getURLClassLoader(codebases);
                 return deserializeObject((byte[])attr.get(), cl);
             } else if ((attr = attrs.get(JAVA_ATTRIBUTES[REMOTE_LOC])) != null) {
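Review bot: The new guard protects only the `JAVA_ATTRIBUTES[SERIALIZED_DATA]` branch, and the `NamingException` it throws does not say which setting blocked the lookup. The rest of the if/else chain (from the `REMOTE_LOC` branch on) and the enclosing method lie outside this hunk; if any of those branches also rebuilds objects from attribute bytes, it presumably needs the same `VersionHelper12.isSerialDataAllowed()` check, which is worth confirming. Naming the property would make a blocked lookup diagnosable from logs, e.g. `throw new NamingException("Object deserialization is not allowed: com.sun.jndi.ldap.object.trustSerialData is not set to true");`.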
--- a/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/com/sun/jndi/ldap/VersionHelper12.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,19 +39,48 @@
     private static final String TRUST_URL_CODEBASE_PROPERTY =
         "com.sun.jndi.ldap.object.trustURLCodebase";
 
+    // System property to control whether classes are allowed to be loaded from
+    // 'javaSerializedData' attribute
+    private static final String TRUST_SERIAL_DATA_PROPERTY =
+        "com.sun.jndi.ldap.object.trustSerialData";
+
+    /**
+     * Determines whether objects may be deserialized from the content of
+     * 'javaSerializedData' attribute.
+     */
+    private static final boolean trustSerialData;
+
     // Determine whether classes may be loaded from an arbitrary URL code base.
-    private static final String trustURLCodebase =
-        AccessController.doPrivileged(
-            new PrivilegedAction<String>() {
-                public String run() {
-                    return System.getProperty(TRUST_URL_CODEBASE_PROPERTY,
-                            "false");
-                }
-            }
-        );
+    private static final boolean trustURLCodebase;
+
+    static {
+        String trust = getPrivilegedProperty(TRUST_URL_CODEBASE_PROPERTY, "false");
+        trustURLCodebase = "true".equalsIgnoreCase(trust);
+        String trustSDString = getPrivilegedProperty(TRUST_SERIAL_DATA_PROPERTY, "true");
+        trustSerialData = "true".equalsIgnoreCase(trustSDString);
+    }
+
+    private static String getPrivilegedProperty(String propertyName, String defaultVal) {
+        PrivilegedAction<String> action = () -> System.getProperty(propertyName, defaultVal);
+        if (System.getSecurityManager() == null) {
+            return action.run();
+        } else {
+            return AccessController.doPrivileged(action);
+        }
+    }
 
     VersionHelper12() {} // Disallow external from creating one of these.
 
+    /**
+     * Returns true if deserialization of objects from 'javaSerializedData'
+     * LDAP attribute is allowed.
+     *
+     * @return true if deserialization is allowed; false - otherwise
+     */
+    public static boolean isSerialDataAllowed() {
+        return trustSerialData;
+    }
+
     ClassLoader getURLClassLoader(String[] url)
         throws MalformedURLException {
             ClassLoader parent = getContextClassLoader();
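Review bot: `trustSerialData` is initialised with a default of `"true"`, so deserialization from `javaSerializedData` stays enabled unless a deployment sets `com.sun.jndi.ldap.object.trustSerialData` to another value, whereas `trustURLCodebase` defaults to `"false"`; the comment should state that asymmetry. The comment above `TRUST_SERIAL_DATA_PROPERTY` also speaks of classes being loaded, which is what the codebase property controls; this property gates object deserialization. I would reword it to `// System property controlling whether objects may be deserialized from the 'javaSerializedData' attribute; defaults to "true" (allowed)`. Both flags are read once in the static initializer, so changing the property after the class has initialised has no effect, which deserves a line in the same comment. `getURLClassLoader` continues outside the hunk.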
@@ -60,7 +89,7 @@
              * the system property com.sun.jndi.ldap.object.trustURLCodebase
              * has been set to "true".
              */
-            if (url != null && "true".equalsIgnoreCase(trustURLCodebase)) {
+            if (url != null && trustURLCodebase) {
                 return URLClassLoader.newInstance(getUrlArray(url), parent);
             } else {
                 return parent;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/com/sun/naming/internal/ObjectFactoriesFilter.java	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.naming.internal;
+
+import javax.naming.Reference;
+
+import sun.misc.ObjectInputFilter;
+import sun.misc.ObjectInputFilter.FilterInfo;
+import sun.misc.ObjectInputFilter.Status;
+
+import sun.security.util.SecurityProperties;
+
+/**
+ * This class implements the filter that validates object factories classes instantiated
+ * during {@link Reference} lookups.
+ * There is one system-wide filter instance per VM that can be set via
+ * the {@code "jdk.jndi.object.factoriesFilter"} system property value, or via
+ * setting the property in the security properties file. The system property value supersedes
+ * the security property value. If none of the properties are specified the default
+ * "*" value is used.
+ * The filter is implemented as {@link ObjectInputFilter} with capabilities limited to the
+ * validation of a factory's class types only ({@linkplain FilterInfo#serialClass()}).
+ * Array length, number of object references, depth, and stream size filtering capabilities are
+ * not supported by the filter.
+ */
+public final class ObjectFactoriesFilter {
+
+    /**
+     * Checks if serial filter configured with {@code "jdk.jndi.object.factoriesFilter"}
+     * system property value allows instantiation of the specified objects factory class.
+     * If the filter result is not {@linkplain Status#REJECTED REJECTED}, the filter will
+     * allow the instantiation of objects factory class.
+     *
+     * @param factoryClass objects factory class
+     * @return true - if the factory is allowed to be instantiated; false - otherwise
+     */
+    public static boolean canInstantiateObjectsFactory(Class<?> factoryClass) {
+        return checkInput(() -> factoryClass);
+    }
+
+    private static boolean checkInput(FactoryInfo factoryInfo) {
+        Status result = GLOBAL.checkInput(factoryInfo);
+        return result != Status.REJECTED;
+    }
+
+    // FilterInfo to check if objects factory class is allowed by the system-wide
+    // filter. Array length, number of object references, depth, and stream size
+    // capabilities are ignored.
+    @FunctionalInterface
+    private interface FactoryInfo extends FilterInfo {
+        @Override
+        default long arrayLength() {
+            return -1;
+        }
+
+        @Override
+        default long depth() {
+            return 1;
+        }
+
+        @Override
+        default long references() {
+            return 0;
+        }
+
+        @Override
+        default long streamBytes() {
+            return 0;
+        }
+    }
+
+    // Prevent instantiation of the factories filter class
+     private ObjectFactoriesFilter() {
+         throw new InternalError("Not instantiable");
+     }
+
+    // System property name that contains the patterns to filter object factory names
+    private static final String FACTORIES_FILTER_PROPNAME = "jdk.jndi.object.factoriesFilter";
+
+    // Default system property value that allows the load of any object factory classes
+    private static final String DEFAULT_SP_VALUE = "*";
+
+    // System wide object factories filter constructed from the system property
+    private static final ObjectInputFilter GLOBAL =
+            ObjectInputFilter.Config.createFilter(getFilterPropertyValue());
+
+    // Get security or system property value
+    private static String getFilterPropertyValue() {
+        String propVal = SecurityProperties.privilegedGetOverridable(FACTORIES_FILTER_PROPNAME);
+        return propVal != null ? propVal : DEFAULT_SP_VALUE;
+    }
+}
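Review bot: `checkInput` accepts every result other than `Status.REJECTED`, so a factory class that matches no pattern (`UNDECIDED`) is permitted, and the class Javadoc does not spell out what that means for whoever writes the property value. A value that lists only the permitted factories restricts nothing unless it ends with a reject-all pattern, and with the `"*"` default the filter is opt-in hardening rather than a restriction out of the box. I would add to the class comment: `An allow-list must end with "!*"; classes that match no pattern are UNDECIDED and are permitted.` The private constructor is also indented one column deeper than the rest of the class.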
--- a/src/share/classes/com/sun/naming/internal/VersionHelper.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/com/sun/naming/internal/VersionHelper.java	Mon Apr 26 14:01:43 2021 +0100
@@ -77,6 +77,9 @@
         return helper;
     }
 
+    public abstract Class<?> loadClassWithoutInit(String className)
+        throws ClassNotFoundException;
+
     public abstract Class<?> loadClass(String className)
         throws ClassNotFoundException;
 
--- a/src/share/classes/com/sun/naming/internal/VersionHelper12.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/com/sun/naming/internal/VersionHelper12.java	Mon Apr 26 14:01:43 2021 +0100
@@ -61,6 +61,10 @@
         return loadClass(className, getContextClassLoader());
     }
 
+    public Class<?> loadClassWithoutInit(String className) throws ClassNotFoundException {
+        return loadClass(className, false, getContextClassLoader());
+    }
+
     /**
      * Determines whether classes may be loaded from an arbitrary URL code base.
      */
@@ -86,10 +90,15 @@
      * This internal method is used with Thread Context Class Loader (TCCL),
      * please don't expose this method as public.
      */
+    Class<?> loadClass(String className, boolean initialize, ClassLoader cl)
+            throws ClassNotFoundException {
+        Class<?> cls = Class.forName(className, initialize, cl);
+        return cls;
+    }
+
     Class<?> loadClass(String className, ClassLoader cl)
         throws ClassNotFoundException {
-        Class<?> cls = Class.forName(className, true, cl);
-        return cls;
+        return loadClass(className, true, cl);
     }
 
     /**
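Review bot: The existing comment that ends just above the added lines ("This internal method is used with Thread Context Class Loader (TCCL), please don't expose this method as public") now documents the new three-argument `loadClass`, and the two-argument overload it was written for is left without one. Neither this overload nor `loadClassWithoutInit` in the previous hunk says why initialization is optional; judging by the NamingManager change in this commit, the class is loaded uninitialized so that the factories filter can reject it before any static initializer runs. A line such as `// initialize == false lets callers vet the class before its static initializers run` on the new overload, plus a short Javadoc on `loadClassWithoutInit`, would record that. The body can also be the single statement `return Class.forName(className, initialize, cl);`.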
--- a/src/share/classes/java/io/File.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/java/io/File.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -500,6 +500,9 @@
     public File getParentFile() {
         String p = this.getParent();
         if (p == null) return null;
+        if (getClass() != File.class) {
+            p = fs.normalize(p);
+        }
         return new File(p, this.prefixLength);
     }
 
@@ -572,6 +575,9 @@
      */
     public File getAbsoluteFile() {
         String absPath = getAbsolutePath();
+        if (getClass() != File.class) {
+            absPath = fs.normalize(absPath);
+        }
         return new File(absPath, fs.prefixLength(absPath));
     }
 
@@ -643,6 +649,9 @@
      */
     public File getCanonicalFile() throws IOException {
         String canonPath = getCanonicalPath();
+        if (getClass() != File.class) {
+            canonPath = fs.normalize(canonPath);
+        }
         return new File(canonPath, fs.prefixLength(canonPath));
     }
 
@@ -1114,6 +1123,26 @@
      *          the directory
      */
     public String[] list() {
+        return normalizedList();
+    }
+
+    /**
+     * Returns an array of strings naming the files and directories in the
+     * directory denoted by this abstract pathname.  The strings are
+     * ensured to represent normalized paths.
+     *
+     * @return  An array of strings naming the files and directories in the
+     *          directory denoted by this abstract pathname.  The array will be
+     *          empty if the directory is empty.  Returns {@code null} if
+     *          this abstract pathname does not denote a directory, or if an
+     *          I/O error occurs.
+     *
+     * @throws  SecurityException
+     *          If a security manager exists and its {@link
+     *          SecurityManager#checkRead(String)} method denies read access to
+     *          the directory
+     */
+    private final String[] normalizedList() {
         SecurityManager security = System.getSecurityManager();
         if (security != null) {
             security.checkRead(path);
@@ -1121,7 +1150,15 @@
         if (isInvalid()) {
             return null;
         }
-        return fs.list(this);
+        String[] s = fs.list(this);
+        if (s != null && getClass() != File.class) {
+            String[] normalized = new String[s.length];
+            for (int i = 0; i < s.length; i++) {
+                normalized[i] = fs.normalize(s[i]);
+            }
+            s = normalized;
+        }
+        return s;
     }
 
     /**
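Review bot: The `getClass() != File.class` test in front of `fs.normalize` carries no explanation here, and the same unexplained test is added in the `getParentFile`, `getAbsoluteFile` and `getCanonicalFile` hunks above. Presumably a subclass can override `getParent()`, `getAbsolutePath()` or `getCanonicalPath()` and return a string that was never normalized, while exact `File` instances are skipped to save the work. A one-line comment would keep a later cleanup from deleting the check as dead code, e.g. `// subclasses may return non-normalized names; re-normalize before they reach the internal constructors`. The `list(FilenameFilter)` and `listFiles` hunks below also stop calling the overridable `list()`, which changes behaviour for subclasses that override it and deserves a Javadoc or release-note mention. The body of `normalizedList` begins in the previous hunk.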
@@ -1154,7 +1191,7 @@
      * @see java.nio.file.Files#newDirectoryStream(Path,String)
      */
     public String[] list(FilenameFilter filter) {
-        String names[] = list();
+        String names[] = normalizedList();
         if ((names == null) || (filter == null)) {
             return names;
         }
@@ -1206,7 +1243,7 @@
      * @since  1.2
      */
     public File[] listFiles() {
-        String[] ss = list();
+        String[] ss = normalizedList();
         if (ss == null) return null;
         int n = ss.length;
         File[] fs = new File[n];
@@ -1247,7 +1284,7 @@
      * @see java.nio.file.Files#newDirectoryStream(Path,String)
      */
     public File[] listFiles(FilenameFilter filter) {
-        String ss[] = list();
+        String ss[] = normalizedList();
         if (ss == null) return null;
         ArrayList<File> files = new ArrayList<>();
         for (String s : ss)
@@ -1285,7 +1322,7 @@
      * @see java.nio.file.Files#newDirectoryStream(Path,java.nio.file.DirectoryStream.Filter)
      */
     public File[] listFiles(FileFilter filter) {
-        String ss[] = list();
+        String ss[] = normalizedList();
         if (ss == null) return null;
         ArrayList<File> files = new ArrayList<>();
         for (String s : ss) {
--- a/src/share/classes/java/security/cert/CertPathHelperImpl.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/java/security/cert/CertPathHelperImpl.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -63,4 +63,8 @@
     protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
         sel.setDateAndTime(date, skew);
     }
+
+    protected boolean implIsJdkCA(TrustAnchor anchor) {
+        return anchor.isJdkCA();
+    }
 }
--- a/src/share/classes/java/security/cert/TrustAnchor.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/java/security/cert/TrustAnchor.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 
 import javax.security.auth.x500.X500Principal;
 
+import sun.security.util.AnchorCertificates;
 import sun.security.x509.NameConstraintsExtension;
 import sun.security.x509.X500Name;
 
@@ -68,6 +69,12 @@
     private final X509Certificate trustedCert;
     private byte[] ncBytes;
     private NameConstraintsExtension nc;
+    private boolean jdkCA;
+    private boolean hasJdkCABeenChecked;
+
+    static {
+        CertPathHelperImpl.initialize();
+    }
 
     /**
      * Creates an instance of {@code TrustAnchor} with the specified
@@ -330,4 +337,18 @@
             sb.append("  Name Constraints: " + nc.toString() + "\n");
         return sb.toString();
     }
+
+    /**
+     * Returns true if anchor is a JDK CA (a root CA that is included by
+     * default in the cacerts keystore).
+     */
+    synchronized boolean isJdkCA() {
+        if (!hasJdkCABeenChecked) {
+            if (trustedCert != null) {
+                jdkCA = AnchorCertificates.contains(trustedCert);
+            }
+            hasJdkCABeenChecked = true;
+        }
+        return jdkCA;
+    }
 }
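Review bot: `isJdkCA()` consults `AnchorCertificates` only when `trustedCert != null`, so an anchor built from a CA name and public key always reports false and caches that answer, even if the key belongs to a default cacerts root. The Javadoc should say so, because any constraint that is conditional on the anchor being a JDK CA will not apply to such anchors: `Always returns false for anchors created from a CA name and public key.` The method also synchronizes on the `TrustAnchor` instance itself, which is a public object that other code can lock on; a private lock object would avoid that.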
--- a/src/share/classes/javax/naming/spi/NamingManager.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/javax/naming/spi/NamingManager.java	Mon Apr 26 14:01:43 2021 +0100
@@ -31,6 +31,8 @@
 import java.net.MalformedURLException;
 
 import javax.naming.*;
+
+import com.sun.naming.internal.ObjectFactoriesFilter;
 import com.sun.naming.internal.VersionHelper;
 import com.sun.naming.internal.ResourceManager;
 import com.sun.naming.internal.FactoryEnumeration;
@@ -143,7 +145,11 @@
 
         // Try to use current class loader
         try {
-             clas = helper.loadClass(factoryName);
+            clas = helper.loadClassWithoutInit(factoryName);
+            // Validate factory's class with the objects factory serial filter
+            if (!ObjectFactoriesFilter.canInstantiateObjectsFactory(clas)) {
+                return null;
+            }
         } catch (ClassNotFoundException e) {
             // ignore and continue
             // e.printStackTrace();
@@ -156,6 +162,11 @@
                 (codebase = ref.getFactoryClassLocation()) != null) {
             try {
                 clas = helper.loadClass(factoryName, codebase);
+                // Validate factory's class with the objects factory serial filter
+                if (clas == null ||
+                    !ObjectFactoriesFilter.canInstantiateObjectsFactory(clas)) {
+                    return null;
+                }
             } catch (ClassNotFoundException e) {
             }
         }
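Review bot: In this codebase branch the class is still obtained with `helper.loadClass(factoryName, codebase)` and only afterwards passed to `ObjectFactoriesFilter.canInstantiateObjectsFactory`, whereas the hunk above switched the local lookup to `loadClassWithoutInit`. The body of that two-argument overload is not part of this diff; if it initializes the class, static initializers of a factory loaded from the remote codebase run before the filter can reject it. It is worth confirming, and either routing this path through a non-initializing load or adding a comment that states why initialization before filtering is acceptable here. Both branches also return null on rejection with no diagnostic, so a filtered factory is indistinguishable from a missing one. The enclosing method starts and ends outside the hunk.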
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java	Mon Apr 26 14:01:43 2021 +0100
@@ -35,26 +35,28 @@
 import java.security.cert.X509Certificate;
 import java.security.*;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
-import java.util.EnumSet;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 import sun.misc.HexDumpEncoder;
 import sun.security.timestamp.TimestampToken;
-import sun.security.util.ConstraintsParameters;
 import sun.security.util.Debug;
 import sun.security.util.DerEncoder;
 import sun.security.util.DerInputStream;
 import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
 import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.util.JarConstraintsParameters;
 import sun.security.util.KeyUtil;
 import sun.security.util.ObjectIdentifier;
+import sun.security.util.SignatureUtil;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
 import sun.security.x509.KeyUsageExtension;
-import sun.security.util.SignatureUtil;
 
 /**
  * A SignerInfo, as defined in PKCS#7's signedData type.
@@ -63,16 +65,8 @@
  */
 public class SignerInfo implements DerEncoder {
 
-    // Digest and Signature restrictions
-    private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET =
-            Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
-
-    private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET =
-            Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
-
     private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
-            new DisabledAlgorithmConstraints(
-                    DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
+            DisabledAlgorithmConstraints.jarConstraints();
 
     BigInteger version;
     X500Name issuerName;
@@ -87,6 +81,14 @@
     PKCS9Attributes authenticatedAttributes;
     PKCS9Attributes unauthenticatedAttributes;
 
+    /**
+     * A map containing the algorithms in this SignerInfo. This is used to
+     * avoid checking algorithms to see if they are disabled more than once.
+     * The key is the AlgorithmId of the algorithm, and the value is the name of
+     * the field or attribute.
+     */
+    private Map<AlgorithmId, String> algorithms = new HashMap<>();
+
     public SignerInfo(X500Name  issuerName,
                       BigInteger serial,
                       AlgorithmId digestAlgorithmId,
@@ -313,21 +315,15 @@
     throws NoSuchAlgorithmException, SignatureException {
 
         try {
+            Timestamp timestamp = getTimestamp();
 
             ContentInfo content = block.getContentInfo();
             if (data == null) {
                 data = content.getContentBytes();
             }
 
-            Timestamp timestamp = null;
-            try {
-                timestamp = getTimestamp();
-            } catch (Exception ignore) {
-            }
-
-            ConstraintsParameters cparams =
-                    new ConstraintsParameters(timestamp);
-            String digestAlgname = getDigestAlgorithmId().getName();
+            String digestAlgName = digestAlgorithmId.getName();
+            algorithms.put(digestAlgorithmId, "SignerInfo digestAlgorithm field");
 
             byte[] dataSigned;
 
@@ -353,21 +349,11 @@
                 if (messageDigest == null) // fail if there is no message digest
                     return null;
 
-                // check that digest algorithm is not restricted
-                try {
-                    JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
-                } catch (CertPathValidatorException e) {
-                    throw new SignatureException(e.getMessage(), e);
-                }
-
-                MessageDigest md = MessageDigest.getInstance(digestAlgname);
+                MessageDigest md = MessageDigest.getInstance(digestAlgName);
                 byte[] computedMessageDigest = md.digest(data);
 
-                if (messageDigest.length != computedMessageDigest.length)
+                if (!MessageDigest.isEqual(messageDigest, computedMessageDigest)) {
                     return null;
-                for (int i = 0; i < messageDigest.length; i++) {
-                    if (messageDigest[i] != computedMessageDigest[i])
-                        return null;
                 }
 
                 // message digest attribute matched
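Review bot: With the `JAR_DISABLED_CHECK.permits` call removed here, `verify` computes and compares the digest without consulting the jar disabled-algorithms constraints, and the later hunks remove the equivalent checks for the signature algorithm, the signer's public key and the timestamp digest. Enforcement now depends on a caller invoking the new static `verifyAlgorithms` afterwards, and nothing visible in this file tells callers of `verify` that they must. I would put that in the method's Javadoc, e.g. `Algorithm constraints are not checked here; callers must pass the returned SignerInfos to verifyAlgorithms.` The removed key-size check has no visible counterpart in `verifyAlgorithms`, so it is worth confirming that `JarConstraintsParameters` covers it. The enclosing method starts and ends outside this hunk.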
@@ -381,21 +367,23 @@
 
             // put together digest algorithm and encryption algorithm
             // to form signing algorithm
-            String encryptionAlgname =
+            String encryptionAlgName =
                 getDigestEncryptionAlgorithmId().getName();
 
             // Workaround: sometimes the encryptionAlgname is actually
             // a signature name
-            String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname);
-            if (tmp != null) encryptionAlgname = tmp;
-            String algname = AlgorithmId.makeSigAlg(
-                    digestAlgname, encryptionAlgname);
-
-            // check that jar signature algorithm is not restricted
+            String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgName);
+            if (tmp != null) encryptionAlgName = tmp;
+            String sigAlgName = AlgorithmId.makeSigAlg(
+                    digestAlgName, encryptionAlgName);
             try {
-                JAR_DISABLED_CHECK.permits(algname, cparams);
-            } catch (CertPathValidatorException e) {
-                throw new SignatureException(e.getMessage(), e);
+                ObjectIdentifier oid = AlgorithmId.get(sigAlgName).getOID();
+                AlgorithmId sigAlgId =
+                    new AlgorithmId(oid,
+                            digestEncryptionAlgorithmId.getParameters());
+                algorithms.put(sigAlgId,
+                    "SignerInfo digestEncryptionAlgorithm field");
+            } catch (NoSuchAlgorithmException ignore) {
             }
 
             X509Certificate cert = getCertificate(block);
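Review bot: The empty `catch (NoSuchAlgorithmException ignore)` means that when `AlgorithmId.get(sigAlgName)` cannot resolve the name, the signature algorithm is never added to `algorithms` and is therefore never seen by `verifyAlgorithms`. Nothing in this hunk guarantees that `Signature.getInstance(sigAlgName)` later fails for every such name, so a signature could be verified with an algorithm that skipped the constraints check. Failing closed is safer: `throw new SignatureException("Unknown signature algorithm: " + sigAlgName, e);`, or at minimum a comment explaining why skipping is safe. The enclosing method continues outside the hunk.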
@@ -404,14 +392,6 @@
             }
             PublicKey key = cert.getPublicKey();
 
-            // check if the public key is restricted
-            if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
-                throw new SignatureException("Public key check failed. " +
-                        "Disabled key used: " +
-                        KeyUtil.getKeySize(key) + " bit " +
-                        key.getAlgorithm());
-            }
-
             if (cert.hasUnsupportedCriticalExtension()) {
                 throw new SignatureException("Certificate has unsupported "
                                              + "critical extension(s)");
@@ -448,13 +428,13 @@
                 }
             }
 
-            Signature sig = Signature.getInstance(algname);
+            Signature sig = Signature.getInstance(sigAlgName);
 
             AlgorithmParameters ap =
                 digestEncryptionAlgorithmId.getParameters();
             try {
                 SignatureUtil.initVerifyWithParam(sig, key,
-                    SignatureUtil.getParamSpec(algname, ap));
+                    SignatureUtil.getParamSpec(sigAlgName, ap));
             } catch (ProviderException | InvalidAlgorithmParameterException |
                      InvalidKeyException e) {
                 throw new SignatureException(e.getMessage(), e);
@@ -464,9 +444,8 @@
             if (sig.verify(encryptedDigest)) {
                 return this;
             }
-        } catch (IOException e) {
-            throw new SignatureException("IO error verifying signature:\n" +
-                                         e.getMessage());
+        } catch (IOException | CertificateException e) {
+            throw new SignatureException("Error verifying signature", e);
         }
         return null;
     }
@@ -564,6 +543,9 @@
         // Extract the signer (the Timestamping Authority)
         // while verifying the content
         SignerInfo[] tsa = tsToken.verify(encTsTokenInfo);
+        if (tsa == null || tsa.length == 0) {
+            throw new SignatureException("Unable to verify timestamp");
+        }
         // Expect only one signer
         ArrayList<X509Certificate> chain = tsa[0].getCertificateChain(tsToken);
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
@@ -572,6 +554,7 @@
         TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
         // Check that the signature timestamp applies to this signature
         verifyTimestamp(tsTokenInfo);
+        algorithms.putAll(tsa[0].algorithms);
         // Create a timestamp object
         timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain);
         return timestamp;
@@ -584,18 +567,13 @@
      */
     private void verifyTimestamp(TimestampToken token)
         throws NoSuchAlgorithmException, SignatureException {
-        String digestAlgname = token.getHashAlgorithm().getName();
-        // check that algorithm is not restricted
-        if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, digestAlgname,
-                null)) {
-            throw new SignatureException("Timestamp token digest check failed. " +
-                    "Disabled algorithm used: " + digestAlgname);
-        }
+
+        AlgorithmId digestAlgId = token.getHashAlgorithm();
+        algorithms.put(digestAlgId, "TimestampToken digestAlgorithm field");
 
-        MessageDigest md =
-            MessageDigest.getInstance(digestAlgname);
+        MessageDigest md = MessageDigest.getInstance(digestAlgId.getName());
 
-        if (!Arrays.equals(token.getHashedMessage(),
+        if (!MessageDigest.isEqual(token.getHashedMessage(),
             md.digest(encryptedDigest))) {
 
             throw new SignatureException("Signature timestamp (#" +
@@ -636,4 +614,35 @@
         }
         return out;
     }
+
+    /**
+     * Verify all of the algorithms in the array of SignerInfos against the
+     * constraints in the jdk.jar.disabledAlgorithms security property.
+     *
+     * @param infos array of SignerInfos
+     * @param params constraint parameters
+     * @param name the name of the signer's PKCS7 file
+     * @return a set of algorithms that passed the checks and are not disabled
+     */
+    public static Set<String> verifyAlgorithms(SignerInfo[] infos,
+        JarConstraintsParameters params, String name) throws SignatureException {
+        Map<AlgorithmId, String> algorithms = new HashMap<>();
+        for (SignerInfo info : infos) {
+            algorithms.putAll(info.algorithms);
+        }
+
+        Set<String> enabledAlgorithms = new HashSet<>();
+        try {
+            for (Map.Entry<AlgorithmId, String> algorithm : algorithms.entrySet()) {
+                params.setExtendedExceptionMsg(name, algorithm.getValue());
+                AlgorithmId algId = algorithm.getKey();
+                JAR_DISABLED_CHECK.permits(algId.getName(),
+                    algId.getParameters(), params);
+                enabledAlgorithms.add(algId.getName());
+            }
+        } catch (CertPathValidatorException e) {
+            throw new SignatureException(e);
+        }
+        return enabledAlgorithms;
+    }
 }
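Review bot: `verifyAlgorithms` dereferences `infos` and each element's `algorithms` map without a null check, and its Javadoc has no `@throws`. If a caller passes the result of a verification that can yield null (not visible here), the failure is a NullPointerException rather than a SignatureException. Document the precondition and add `@throws SignatureException if any algorithm is disabled by jdk.jar.disabledAlgorithms`. Because the merged map is keyed by `AlgorithmId`, two SignerInfos that use the same algorithm keep only one field description, so `setExtendedExceptionMsg` may name the wrong field; that affects the error text only.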
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,8 +27,6 @@
 
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
-import java.security.Timestamp;
-import java.security.cert.CertPathValidator;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -53,14 +51,13 @@
 import java.security.interfaces.DSAPublicKey;
 import java.security.spec.DSAPublicKeySpec;
 
-import sun.security.util.AnchorCertificates;
 import sun.security.util.ConstraintsParameters;
 import sun.security.util.Debug;
 import sun.security.util.DisabledAlgorithmConstraints;
 import sun.security.validator.Validator;
+import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509CertImpl;
 import sun.security.x509.X509CRLImpl;
-import sun.security.x509.AlgorithmId;
 
 /**
  * A {@code PKIXCertPathChecker} implementation to check whether a
@@ -78,10 +75,10 @@
 
     private final AlgorithmConstraints constraints;
     private final PublicKey trustedPubKey;
-    private final Date pkixdate;
+    private final Date date;
     private PublicKey prevPubKey;
-    private final Timestamp jarTimestamp;
     private final String variant;
+    private TrustAnchor anchor;
 
     private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
         Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -94,95 +91,70 @@
             CryptoPrimitive.KEY_AGREEMENT));
 
     private static final DisabledAlgorithmConstraints
-        certPathDefaultConstraints = new DisabledAlgorithmConstraints(
-            DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
-
-    // If there is no "cacerts" keyword, then disable anchor checking
-    private static final boolean publicCALimits =
-            certPathDefaultConstraints.checkProperty("jdkCA");
-
-    // If anchor checking enabled, this will be true if the trust anchor
-    // has a match in the cacerts file
-    private boolean trustedMatch = false;
+        certPathDefaultConstraints =
+            DisabledAlgorithmConstraints.certPathConstraints();
 
     /**
-     * Create a new {@code AlgorithmChecker} with the given algorithm
-     * given {@code TrustAnchor} and {@code String} variant.
+     * Create a new {@code AlgorithmChecker} with the given
+     * {@code TrustAnchor} and {@code String} variant.
      *
      * @param anchor the trust anchor selected to validate the target
      *     certificate
-     * @param variant is the Validator variants of the operation. A null value
+     * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
     public AlgorithmChecker(TrustAnchor anchor, String variant) {
-        this(anchor, certPathDefaultConstraints, null, null, variant);
+        this(anchor, certPathDefaultConstraints, null, variant);
     }
 
     /**
      * Create a new {@code AlgorithmChecker} with the given
-     * {@code AlgorithmConstraints}, {@code Timestamp}, and {@code String}
-     * variant.
+     * {@code AlgorithmConstraints} and {@code String} variant.
      *
      * Note that this constructor can initialize a variation of situations where
-     * the AlgorithmConstraints, Timestamp, or Variant maybe known.
+     * the AlgorithmConstraints or Variant maybe known.
      *
      * @param constraints the algorithm constraints (or null)
-     * @param jarTimestamp Timestamp passed for JAR timestamp constraint
-     *                     checking. Set to null if not applicable.
-     * @param variant is the Validator variants of the operation. A null value
+     * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
-    public AlgorithmChecker(AlgorithmConstraints constraints,
-            Timestamp jarTimestamp, String variant) {
-        this(null, constraints, null, jarTimestamp, variant);
+    public AlgorithmChecker(AlgorithmConstraints constraints, String variant) {
+        this(null, constraints, null, variant);
     }
 
     /**
      * Create a new {@code AlgorithmChecker} with the
-     * given {@code TrustAnchor}, {@code AlgorithmConstraints},
-     * {@code Timestamp}, and {@code String} variant.
+     * given {@code TrustAnchor}, {@code AlgorithmConstraints}, {@code Date},
+     * and {@code String} variant.
      *
      * @param anchor the trust anchor selected to validate the target
      *     certificate
      * @param constraints the algorithm constraints (or null)
-     * @param pkixdate The date specified by the PKIXParameters date.  If the
-     *                 PKIXParameters is null, the current date is used.  This
-     *                 should be null when jar files are being checked.
-     * @param jarTimestamp Timestamp passed for JAR timestamp constraint
-     *                     checking. Set to null if not applicable.
-     * @param variant is the Validator variants of the operation. A null value
+     * @param date the date specified by the PKIXParameters date, or the
+     *             JAR timestamp if jar files are being validated and the
+     *             JAR is timestamped. May be null if no timestamp or
+     *             PKIXParameter date is set.
+     * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
     public AlgorithmChecker(TrustAnchor anchor,
-            AlgorithmConstraints constraints, Date pkixdate,
-            Timestamp jarTimestamp, String variant) {
+            AlgorithmConstraints constraints, Date date, String variant) {
 
         if (anchor != null) {
             if (anchor.getTrustedCert() != null) {
                 this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
-                // Check for anchor certificate restrictions
-                trustedMatch = checkFingerprint(anchor.getTrustedCert());
-                if (trustedMatch && debug != null) {
-                    debug.println("trustedMatch = true");
-                }
             } else {
                 this.trustedPubKey = anchor.getCAPublicKey();
             }
+            this.anchor = anchor;
         } else {
             this.trustedPubKey = null;
-            if (debug != null) {
-                debug.println("TrustAnchor is null, trustedMatch is false.");
-            }
         }
 
         this.prevPubKey = this.trustedPubKey;
         this.constraints = (constraints == null ? certPathDefaultConstraints :
                 constraints);
-        // If we are checking jar files, set pkixdate the same as the timestamp
-        // for certificate checking
-        this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() :
-                pkixdate);
-        this.jarTimestamp = jarTimestamp;
+        this.date = date;
         this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
     }
 
@@ -194,24 +166,11 @@
      *     certificate
      * @param pkixdate Date the constraints are checked against. The value is
      *             either the PKIXParameters date or null for the current date.
-     * @param variant is the Validator variants of the operation. A null value
+     * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
     public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
-        this(anchor, certPathDefaultConstraints, pkixdate, null, variant);
-    }
-
-    // Check this 'cert' for restrictions in the AnchorCertificates
-    // trusted certificates list
-    private static boolean checkFingerprint(X509Certificate cert) {
-        if (!publicCALimits) {
-            return false;
-        }
-
-        if (debug != null) {
-            debug.println("AlgorithmChecker.contains: " + cert.getSigAlgName());
-        }
-        return AnchorCertificates.contains(cert);
+        this(anchor, certPathDefaultConstraints, pkixdate, variant);
     }
 
     @Override
@@ -318,18 +277,19 @@
         }
 
         ConstraintsParameters cp =
-                new ConstraintsParameters((X509Certificate)cert,
-                        trustedMatch, pkixdate, jarTimestamp, variant);
+            new CertPathConstraintsParameters(x509Cert, variant,
+                    anchor, date);
 
         // Check against local constraints if it is DisabledAlgorithmConstraints
         if (constraints instanceof DisabledAlgorithmConstraints) {
-            ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp);
+            ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg,
+                currSigAlgParams, cp);
             // DisabledAlgorithmsConstraints does not check primitives, so key
             // additional key check.
 
         } else {
             // Perform the default constraints checking anyway.
-            certPathDefaultConstraints.permits(currSigAlg, cp);
+            certPathDefaultConstraints.permits(currSigAlg, currSigAlgParams, cp);
             // Call locally set constraints to check key with primitives.
             if (!constraints.permits(primitives, currPubKey)) {
                 throw new CertPathValidatorException(
@@ -408,14 +368,10 @@
             // Don't bother to change the trustedPubKey.
             if (anchor.getTrustedCert() != null) {
                 prevPubKey = anchor.getTrustedCert().getPublicKey();
-                // Check for anchor certificate restrictions
-                trustedMatch = checkFingerprint(anchor.getTrustedCert());
-                if (trustedMatch && debug != null) {
-                    debug.println("trustedMatch = true");
-                }
             } else {
                 prevPubKey = anchor.getCAPublicKey();
             }
+            this.anchor = anchor;
         }
     }
 
@@ -424,11 +380,12 @@
      *
      * @param key the public key to verify the CRL signature
      * @param crl the target CRL
-     * @param variant is the Validator variants of the operation. A null value
+     * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
+     * @param anchor the trust anchor selected to validate the CRL issuer
      */
-    static void check(PublicKey key, X509CRL crl, String variant)
-                        throws CertPathValidatorException {
+    static void check(PublicKey key, X509CRL crl, String variant,
+                      TrustAnchor anchor) throws CertPathValidatorException {
 
         X509CRLImpl x509CRLImpl = null;
         try {
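Review bot: The new `@param anchor` line on `check(PublicKey, X509CRL, String, TrustAnchor)` does not say whether null is accepted or what it means, and the same gap is in the javadoc of `check(PublicKey, AlgorithmId, String, TrustAnchor)` two hunks below. Elsewhere in this changeset `CertPathHelper.isJdkCA` returns false for a null anchor and one `DistributionPointFetcher.getCRLs` overload passes a literal `null`, so a null anchor presumably means that constraints conditioned on a JDK CA anchor are not applied to that CRL or OCSP signature. I would spell that out, e.g. `@param anchor the trust anchor selected to validate the CRL issuer; may be null, in which case the anchor is treated as not being a JDK CA`. The method body continues past the end of this hunk.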
@@ -438,7 +395,7 @@
         }
 
         AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
-        check(key, algorithmId, variant);
+        check(key, algorithmId, variant, anchor);
     }
 
     /**
@@ -446,16 +403,16 @@
      *
      * @param key the public key to verify the CRL signature
      * @param algorithmId signature algorithm Algorithm ID
-     * @param variant is the Validator variants of the operation. A null value
-     *                passed will set it to Validator.GENERIC.
+     * @param variant the Validator variant of the operation. A null
+     *                value passed will set it to Validator.GENERIC.
+     * @param anchor the trust anchor selected to validate the public key
      */
-    static void check(PublicKey key, AlgorithmId algorithmId, String variant)
-                        throws CertPathValidatorException {
-        String sigAlgName = algorithmId.getName();
-        AlgorithmParameters sigAlgParams = algorithmId.getParameters();
+    static void check(PublicKey key, AlgorithmId algorithmId, String variant,
+                      TrustAnchor anchor) throws CertPathValidatorException {
 
-        certPathDefaultConstraints.permits(new ConstraintsParameters(
-                sigAlgName, sigAlgParams, key, variant));
+        certPathDefaultConstraints.permits(algorithmId.getName(),
+            algorithmId.getParameters(),
+            new CertPathConstraintsParameters(key, variant, anchor));
     }
 }
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider.certpath;
+
+import java.security.Key;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Set;
+import java.util.Collections;
+
+import sun.security.util.ConstraintsParameters;
+import sun.security.validator.Validator;
+
+/**
+ * This class contains parameters for checking certificates against
+ * constraints specified in the jdk.certpath.disabledAlgorithms security
+ * property.
+ */
+class CertPathConstraintsParameters implements ConstraintsParameters {
+    // The public key of the certificate
+    private final Key key;
+    // The certificate's trust anchor which will be checked against the
+    // jdkCA constraint, if specified.
+    private final TrustAnchor anchor;
+    // The PKIXParameter validity date or the timestamp of the signed JAR
+    // file, if this chain is associated with a timestamped signed JAR.
+    private final Date date;
+    // The variant or usage of this certificate
+    private final String variant;
+    // The certificate being checked (may be null if a CRL or OCSPResponse is
+    // being checked)
+    private final X509Certificate cert;
+
+    public CertPathConstraintsParameters(X509Certificate cert,
+            String variant, TrustAnchor anchor, Date date) {
+        this(cert.getPublicKey(), variant, anchor, date, cert);
+    }
+
+    public CertPathConstraintsParameters(Key key, String variant,
+            TrustAnchor anchor) {
+        this(key, variant, anchor, null, null);
+    }
+
+    private CertPathConstraintsParameters(Key key, String variant,
+            TrustAnchor anchor, Date date, X509Certificate cert) {
+        this.key = key;
+        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
+        this.anchor = anchor;
+        this.date = date;
+        this.cert = cert;
+    }
+
+    @Override
+    public boolean anchorIsJdkCA() {
+        return CertPathHelper.isJdkCA(anchor);
+    }
+
+    @Override
+    public Set<Key> getKeys() {
+        return (key == null) ? Collections.emptySet()
+                             : Collections.singleton(key);
+    }
+
+    @Override
+    public Date getDate() {
+        return date;
+    }
+
+    @Override
+    public String getVariant() {
+        return variant;
+    }
+
+    @Override
+    public String extendedExceptionMsg() {
+        return (cert == null ? "."
+                 : " used with certificate: " +
+                   cert.getSubjectX500Principal());
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder("[\n");
+        sb.append("\n  Variant: ").append(variant);
+        if (anchor != null) {
+            sb.append("\n  Anchor: ").append(anchor);
+        }
+        if (cert != null) {
+            sb.append("\n  Cert Issuer: ")
+              .append(cert.getIssuerX500Principal());
+            sb.append("\n  Cert Subject: ")
+              .append(cert.getSubjectX500Principal());
+        }
+        if (key != null) {
+            sb.append("\n  Key: ").append(key.getAlgorithm());
+        }
+        if (date != null) {
+            sb.append("\n  Date: ").append(date);
+        }
+        sb.append("\n]");
+        return sb.toString();
+    }
+}
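Review bot: `toString()` opens the buffer with `"[\n"` and every field append then starts with `"\n"`, so the output always has an empty line after the bracket. Starting from `new StringBuilder("[")` gives one field per line. Separately, `extendedExceptionMsg()` ends with `.` only in the null-certificate branch, so a message built from the other branch has no terminator unless the caller adds one; that caller is not in this file.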
--- a/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,13 +28,14 @@
 import java.util.Date;
 import java.util.Set;
 
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509CRLSelector;
 
 import sun.security.x509.GeneralNameInterface;
 
 /**
- * Helper class that allows access to Sun specific known-public methods in the
+ * Helper class that allows access to JDK specific known-public methods in the
  * java.security.cert package. It relies on a subclass in the
  * java.security.cert packages that is initialized before any of these methods
  * are called (achieved via static initializers).
@@ -59,6 +60,8 @@
 
     protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
 
+    protected abstract boolean implIsJdkCA(TrustAnchor anchor);
+
     static void setPathToNames(X509CertSelector sel,
             Set<GeneralNameInterface> names) {
         instance.implSetPathToNames(sel, names);
@@ -67,4 +70,8 @@
     public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
         instance.implSetDateAndTime(sel, date, skew);
     }
+
+    public static boolean isJdkCA(TrustAnchor anchor) {
+        return (anchor == null) ? false : instance.implIsJdkCA(anchor);
+    }
 }
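Review bot: `isJdkCA` is written as `(anchor == null) ? false : instance.implIsJdkCA(anchor)`, which reads more directly as `return anchor != null && instance.implIsJdkCA(anchor);`. Neither this method nor the abstract `implIsJdkCA` added in the previous hunk carries a comment. The null case decides whether JDK-CA-specific constraints are considered at all, so a line such as `// A null anchor is never treated as a JDK CA.` above the return would make that explicit to callers.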
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Mon Apr 26 14:01:43 2021 +0100
@@ -73,7 +73,7 @@
             throws CertStoreException
     {
         return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
-                reasonsMask, trustAnchors, validity, variant);
+                reasonsMask, trustAnchors, validity, variant, null);
     }
     /**
      * Return the X509CRLs matching this selector. The selector must be
@@ -90,8 +90,14 @@
                                               Date validity)
         throws CertStoreException
     {
+        if (trustAnchors.isEmpty()) {
+            throw new CertStoreException(
+                "at least one TrustAnchor must be specified");
+        }
+        TrustAnchor anchor = trustAnchors.iterator().next();
         return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
-                reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC);
+                reasonsMask, trustAnchors, validity,
+                Validator.VAR_PLUGIN_CODE_SIGNING, anchor);
     }
 
     /**
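Review bot: `trustAnchors.iterator().next()` takes whichever anchor the set yields first, so with more than one anchor the `anchor` handed down to the CRL algorithm check is order-dependent and need not be the one the CRL issuer chains to. If this overload is only ever called with a single anchor, say so above the line, e.g. `// callers pass exactly one anchor; only the first is used for the JDK CA check`; otherwise the anchor should come from the path that validated the issuer. `trustAnchors.isEmpty()` also throws a NullPointerException rather than the new CertStoreException when the set is null. The switch from `Validator.VAR_GENERIC` to `Validator.VAR_PLUGIN_CODE_SIGNING` here, and in the `OCSP.check` hunk further down, changes which usage constraints apply to callers of these overloads and is not explained in either place. The method signature starts above this hunk.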
@@ -107,7 +113,8 @@
                                               boolean[] reasonsMask,
                                               Set<TrustAnchor> trustAnchors,
                                               Date validity,
-                                              String variant)
+                                              String variant,
+                                              TrustAnchor anchor)
         throws CertStoreException
     {
         X509Certificate cert = selector.getCertificateChecking();
@@ -136,7 +143,7 @@
                 DistributionPoint point = t.next();
                 Collection<X509CRL> crls = getCRLs(selector, certImpl,
                     point, reasonsMask, signFlag, prevKey, prevCert, provider,
-                    certStores, trustAnchors, validity, variant);
+                    certStores, trustAnchors, validity, variant, anchor);
                 results.addAll(crls);
             }
             if (debug != null) {
@@ -161,7 +168,8 @@
         X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
         boolean signFlag, PublicKey prevKey, X509Certificate prevCert,
         String provider, List<CertStore> certStores,
-        Set<TrustAnchor> trustAnchors, Date validity, String variant)
+        Set<TrustAnchor> trustAnchors, Date validity, String variant,
+        TrustAnchor anchor)
             throws CertStoreException {
 
         // check for full name
@@ -224,7 +232,7 @@
                 selector.setIssuerNames(null);
                 if (selector.match(crl) && verifyCRL(certImpl, point, crl,
                         reasonsMask, signFlag, prevKey, prevCert, provider,
-                        trustAnchors, certStores, validity, variant)) {
+                        trustAnchors, certStores, validity, variant, anchor)) {
                     crls.add(crl);
                 }
             } catch (IOException | CRLException e) {
@@ -333,7 +341,8 @@
         X509CRL crl, boolean[] reasonsMask, boolean signFlag,
         PublicKey prevKey, X509Certificate prevCert, String provider,
         Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
-        Date validity, String variant) throws CRLException, IOException {
+        Date validity, String variant, TrustAnchor anchor)
+        throws CRLException, IOException {
 
         if (debug != null) {
             debug.println("DistributionPointFetcher.verifyCRL: " +
@@ -680,7 +689,7 @@
 
         // check the crl signature algorithm
         try {
-            AlgorithmChecker.check(prevKey, crl, variant);
+            AlgorithmChecker.check(prevKey, crl, variant, anchor);
         } catch (CertPathValidatorException cpve) {
             if (debug != null) {
                 debug.println("CRL signature algorithm check failed: " + cpve);
--- a/src/share/classes/sun/security/provider/certpath/OCSP.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSP.java	Mon Apr 26 14:01:43 2021 +0100
@@ -121,7 +121,8 @@
         throws IOException, CertPathValidatorException
     {
         return check(cert, issuerCert, responderURI, responderCert, date,
-                     Collections.<Extension>emptyList(), Validator.VAR_GENERIC);
+                     Collections.<Extension>emptyList(),
+                     Validator.VAR_PLUGIN_CODE_SIGNING);
     }
 
 
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -465,6 +465,7 @@
         }
 
         // Check whether the signer cert returned by the responder is trusted
+        boolean signedByTrustedResponder = false;
         if (signerCert != null) {
             // Check if the response is signed by the issuing CA
             if (signerCert.getSubjectX500Principal().equals(
@@ -479,6 +480,7 @@
 
             // Check if the response is signed by a trusted responder
             } else if (signerCert.equals(responderCert)) {
+                signedByTrustedResponder = true;
                 if (debug != null) {
                     debug.println("OCSP response is signed by a Trusted " +
                         "Responder");
@@ -569,7 +571,10 @@
         if (signerCert != null) {
             // Check algorithm constraints specified in security property
             // "jdk.certpath.disabledAlgorithms".
-            AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant);
+            AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant,
+                    signedByTrustedResponder
+                        ? new TrustAnchor(responderCert, null)
+                        : issuerInfo.getAnchor());
 
             if (!verifySignature(signerCert)) {
                 throw new CertPathValidatorException(
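Review bot: The anchor passed to `AlgorithmChecker.check` is chosen by an uncommented ternary, and its `issuerInfo.getAnchor()` arm may be null if the issuer was supplied as a certificate rather than as an anchor (IssuerInfo is outside this hunk, so that is an assumption). A short comment would make the intent reviewable, e.g. `// trusted responder: use its cert as the anchor; otherwise the issuer's anchor (may be null)`. The enclosing method starts well above this hunk and continues after it.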
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.util.Debug;
+import sun.security.validator.Validator;
 
 /**
  * Common utility methods and classes used by the PKIX CertPathValidator and
@@ -87,7 +88,7 @@
         private Set<TrustAnchor> anchors;
         private List<X509Certificate> certs;
         private Timestamp timestamp;
-        private String variant;
+        private String variant = Validator.VAR_GENERIC;
 
         ValidatorParams(CertPath cp, PKIXParameters params)
             throws InvalidAlgorithmParameterException
@@ -155,9 +156,17 @@
         }
         Date date() {
             if (!gotDate) {
-                date = params.getDate();
-                if (date == null)
-                    date = new Date();
+                // use timestamp if checking signed code that is
+                // timestamped, otherwise use date parameter
+                if (timestamp != null &&
+                    (variant.equals(Validator.VAR_CODE_SIGNING) ||
+                     variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING))) {
+                    date = timestamp.getTimestamp();
+                } else {
+                    date = params.getDate();
+                    if (date == null)
+                        date = new Date();
+                }
                 gotDate = true;
             }
             return date;
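Review bot: `variant.equals(Validator.VAR_CODE_SIGNING)` in `date()` throws if `variant` is ever null; the field now has a default, but any constructor code that may overwrite it is outside this hunk. Putting the constant first removes that dependency: `Validator.VAR_CODE_SIGNING.equals(variant) || Validator.VAR_PLUGIN_CODE_SIGNING.equals(variant)`. Because the result is cached behind `gotDate`, the choice between the timestamp and the PKIXParameters date is fixed on the first call, which deserves a one-line comment such as `// decided once; later changes to timestamp or variant are ignored`.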
@@ -198,10 +207,6 @@
             return params;
         }
 
-        Timestamp timestamp() {
-            return timestamp;
-        }
-
         String variant() {
             return variant;
         }
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,7 +31,6 @@
 import java.util.*;
 
 import sun.security.provider.certpath.PKIX.ValidatorParams;
-import sun.security.validator.Validator;
 import sun.security.x509.X509CertImpl;
 import sun.security.util.Debug;
 
@@ -174,7 +173,7 @@
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
         certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
-                params.timestamp(), params.variant()));
+                params.variant()));
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -191,19 +190,7 @@
                                              rootNode);
         certPathCheckers.add(pc);
 
-        // the time that the certificate validity period should be
-        // checked against
-        Date timeToCheck = null;
-        // use timestamp if checking signed code that is timestamped, otherwise
-        // use date parameter from PKIXParameters
-        if ((params.variant() == Validator.VAR_CODE_SIGNING ||
-             params.variant() == Validator.VAR_PLUGIN_CODE_SIGNING) &&
-             params.timestamp() != null) {
-            timeToCheck = params.timestamp().getTimestamp();
-        } else {
-            timeToCheck = params.date();
-        }
-        BasicChecker bc = new BasicChecker(anchor, timeToCheck,
+        BasicChecker bc = new BasicChecker(anchor, params.date(),
                                            params.sigProvider(), false);
         certPathCheckers.add(bc);
 
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Mon Apr 26 14:01:43 2021 +0100
@@ -579,7 +579,7 @@
                     approvedCRLs.addAll(DistributionPointFetcher.getCRLs(
                             sel, signFlag, prevKey, prevCert,
                             params.sigProvider(), certStores, reasonsMask,
-                            anchors, null, params.variant()));
+                            anchors, null, params.variant(), anchor));
                 }
             } catch (CertStoreException e) {
                 if (e instanceof CertStoreTypeException) {
@@ -853,7 +853,7 @@
                     if (DistributionPointFetcher.verifyCRL(
                             certImpl, point, crl, reasonsMask, signFlag,
                             prevKey, null, params.sigProvider(), anchors,
-                            certStores, params.date(), params.variant()))
+                            certStores, params.date(), params.variant(), anchor))
                     {
                         results.add(crl);
                     }
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1374,7 +1374,7 @@
             // A forward checker, need to check from trust to target
             if (checkedLength >= 0) {
                 AlgorithmChecker checker =
-                    new AlgorithmChecker(constraints, null,
+                    new AlgorithmChecker(constraints,
                             (checkClientTrusted ? Validator.VAR_TLS_CLIENT :
                                         Validator.VAR_TLS_SERVER));
                 checker.init(false);
--- a/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java	Mon Apr 26 14:01:43 2021 +0100
@@ -831,8 +831,7 @@
             AlgorithmConstraints constraints, Certificate[] chain,
             String variant) {
 
-        AlgorithmChecker checker =
-                new AlgorithmChecker(constraints, null, variant);
+        AlgorithmChecker checker = new AlgorithmChecker(constraints, variant);
         try {
             checker.init(false);
         } catch (CertPathValidatorException cpve) {
--- a/src/share/classes/sun/security/util/AnchorCertificates.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/util/AnchorCertificates.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;
+import javax.security.auth.x500.X500Principal;
 
 import sun.security.x509.X509CertImpl;
 
@@ -47,6 +48,7 @@
     private static final Debug debug = Debug.getInstance("certpath");
     private static final String HASH = "SHA-256";
     private static Set<String> certs = Collections.emptySet();
+    private static Set<X500Principal> certIssuers = Collections.emptySet();
 
     static  {
         AccessController.doPrivileged(new PrivilegedAction<Void>() {
@@ -60,15 +62,16 @@
                     try (FileInputStream fis = new FileInputStream(f)) {
                         cacerts.load(fis, null);
                         certs = new HashSet<>();
+                        certIssuers = new HashSet<>();
                         Enumeration<String> list = cacerts.aliases();
-                        String alias;
                         while (list.hasMoreElements()) {
-                            alias = list.nextElement();
+                            String alias = list.nextElement();
                             // Check if this cert is labeled a trust anchor.
                             if (alias.contains(" [jdk")) {
                                 X509Certificate cert = (X509Certificate) cacerts
                                         .getCertificate(alias);
                                 certs.add(X509CertImpl.getFingerprint(HASH, cert));
+                                certIssuers.add(cert.getSubjectX500Principal());
                             }
                         }
                     }
@@ -84,10 +87,10 @@
     }
 
     /**
-     * Checks if a certificate is a trust anchor.
+     * Checks if a certificate is a JDK trust anchor.
      *
      * @param cert the certificate to check
-     * @return true if the certificate is trusted.
+     * @return true if the certificate is a JDK trust anchor
      */
     public static boolean contains(X509Certificate cert) {
         String key = X509CertImpl.getFingerprint(HASH, cert);
@@ -99,5 +102,15 @@
         return result;
     }
 
+    /**
+     * Checks if a JDK trust anchor is the issuer of a certificate.
+     *
+     * @param cert the certificate to check
+     * @return true if the certificate is issued by a trust anchor
+     */
+    public static boolean issuerOf(X509Certificate cert) {
+        return certIssuers.contains(cert.getIssuerX500Principal());
+    }
+
     private AnchorCertificates() {}
 }
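Review bot: `issuerOf` compares only the certificate's issuer name with the subject names collected from cacerts, so it returns true for any certificate that names a JDK root as its issuer, whether or not the signature verifies. The javadoc line `@return true if the certificate is issued by a trust anchor` overstates that. I would write `@return true if the certificate's issuer name equals the subject name of a JDK trust anchor (the signature is not verified)` and state that callers must already have validated the chain. A null `cert` is dereferenced without a check.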
--- a/src/share/classes/sun/security/util/ConstraintsParameters.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/util/ConstraintsParameters.java	Mon Apr 26 14:01:43 2021 +0100
@@ -25,160 +25,42 @@
 
 package sun.security.util;
 
-import sun.security.validator.Validator;
-
-import java.security.AlgorithmParameters;
 import java.security.Key;
-import java.security.Timestamp;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.ECKey;
 import java.util.Date;
+import java.util.Set;
 
 /**
- * This class contains parameters for checking against constraints that extend
- * past the publicly available parameters in java.security.AlgorithmConstraints.
-
- * This is currently on passed between  between PKIX, AlgorithmChecker,
- * and DisabledAlgorithmConstraints.
+ * This interface contains parameters for checking against constraints that
+ * extend past the publicly available parameters in
+ * java.security.AlgorithmConstraints.
  */
-public class ConstraintsParameters {
-    /*
-     * The below 3 values are used the same as the permit() methods
-     * published in java.security.AlgorithmConstraints.
-     */
-    // Algorithm string to be checked against constraints
-    private final String algorithm;
-    // AlgorithmParameters to the algorithm being checked
-    private final AlgorithmParameters algParams;
-    // Key being checked against constraints
-    private final Key key;
-
-    /*
-     * New values that are checked against constraints that the current public
-     * API does not support.
-     */
-    // A certificate being passed to check against constraints.
-    private final X509Certificate cert;
-    // This is true if the trust anchor in the certificate chain matches a cert
-    // in AnchorCertificates
-    private final boolean trustedMatch;
-    // PKIXParameter date
-    private final Date pkixDate;
-    // Timestamp of the signed JAR file
-    private final Timestamp jarTimestamp;
-    private final String variant;
-    // Named Curve
-    private final String[] curveStr;
-    private static final String[] EMPTYLIST = new String[0];
+public interface ConstraintsParameters {
 
-    public ConstraintsParameters(X509Certificate c, boolean match,
-            Date pkixdate, Timestamp jarTime, String variant) {
-        cert = c;
-        trustedMatch = match;
-        pkixDate = pkixdate;
-        jarTimestamp = jarTime;
-        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
-        algorithm = null;
-        algParams = null;
-        key = null;
-        if (c != null) {
-            curveStr = getNamedCurveFromKey(c.getPublicKey());
-        } else {
-            curveStr = EMPTYLIST;
-        }
-    }
+    /**
+     * Returns true if a certificate chains back to a trusted JDK root CA.
+     */
+    boolean anchorIsJdkCA();
 
-    public ConstraintsParameters(String algorithm, AlgorithmParameters params,
-            Key key, String variant) {
-        this.algorithm = algorithm;
-        algParams = params;
-        this.key = key;
-        curveStr = getNamedCurveFromKey(key);
-        cert = null;
-        trustedMatch = false;
-        pkixDate = null;
-        jarTimestamp = null;
-        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
-    }
-
-
-    public ConstraintsParameters(X509Certificate c) {
-        this(c, false, null, null,
-                Validator.VAR_GENERIC);
-    }
+    /**
+     * Returns the set of keys that should be checked against the
+     * constraints, or an empty set if there are no keys to be checked.
+     */
+    Set<Key> getKeys();
 
-    public ConstraintsParameters(Timestamp jarTime) {
-        this(null, false, null, jarTime, Validator.VAR_GENERIC);
-    }
-
-    public String getAlgorithm() {
-        return algorithm;
-    }
-
-    public AlgorithmParameters getAlgParams() {
-        return algParams;
-    }
-
-    public Key getKey() {
-        return key;
-    }
-
-    // Returns if the trust anchor has a match if anchor checking is enabled.
-    public boolean isTrustedMatch() {
-        return trustedMatch;
-    }
-
-    public X509Certificate getCertificate() {
-        return cert;
-    }
-
-    public Date getPKIXParamDate() {
-        return pkixDate;
-    }
-
-    public Timestamp getJARTimestamp() {
-        return jarTimestamp;
-    }
-
-    public String getVariant() {
-        return variant;
-    }
+    /**
+     * Returns the date that should be checked against the constraints, or
+     * null if not set.
+     */
+    Date getDate();
 
-    public String[] getNamedCurve() {
-        return curveStr;
-    }
-
-    public static String[] getNamedCurveFromKey(Key key) {
-        if (key instanceof ECKey) {
-            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
-            return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
-        } else {
-            return EMPTYLIST;
-        }
-    }
+    /**
+     * Returns the Validator variant.
+     */
+    String getVariant();
 
-    public String toString() {
-        StringBuilder s = new StringBuilder();
-        s.append("Cert:       ");
-        if (cert != null) {
-            s.append(cert.toString());
-            s.append("\nSigAlgo:    ");
-            s.append(cert.getSigAlgName());
-        } else {
-            s.append("None");
-        }
-        s.append("\nAlgParams:  ");
-        if (getAlgParams() != null) {
-            getAlgParams().toString();
-        } else {
-            s.append("None");
-        }
-        s.append("\nNamedCurves: ");
-        for (String c : getNamedCurve()) {
-            s.append(c + " ");
-        }
-        s.append("\nVariant:    " + getVariant());
-        return s.toString();
-    }
-
+    /**
+     * Returns an extended message used in exceptions. See
+     * DisabledAlgorithmConstraints for usage.
+     */
+    String extendedExceptionMsg();
 }
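Review bot: The javadoc for `extendedExceptionMsg()` defers to DisabledAlgorithmConstraints instead of stating the contract an implementer has to meet. Judging by the implementation added in CertPathConstraintsParameters.java, the string is appended directly to an exception message and is either `.` or a clause beginning with a space. Saying so here, e.g. `Returns text appended to the constraint-failure message: either "." or a clause that starts with a space`, would keep future implementations consistent. `anchorIsJdkCA()` could likewise say what to return when no anchor is known.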
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Mon Apr 26 14:01:43 2021 +0100
@@ -29,14 +29,19 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
+import java.security.AlgorithmParameters;
 import java.security.CryptoPrimitive;
-import java.security.AlgorithmParameters;
 import java.security.Key;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertPathValidatorException.BasicReason;
-import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
@@ -46,6 +51,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.StringTokenizer;
 import java.util.TimeZone;
 import java.util.regex.Pattern;
@@ -80,9 +86,27 @@
     private static final String PROPERTY_DISABLED_EC_CURVES =
             "jdk.disabled.namedCurves";
 
+    private static class CertPathHolder {
+        static final DisabledAlgorithmConstraints CONSTRAINTS =
+            new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS);
+    }
+
+    private static class JarHolder {
+        static final DisabledAlgorithmConstraints CONSTRAINTS =
+            new DisabledAlgorithmConstraints(PROPERTY_JAR_DISABLED_ALGS);
+    }
+
     private final List<String> disabledAlgorithms;
     private final Constraints algorithmConstraints;
 
+    public static DisabledAlgorithmConstraints certPathConstraints() {
+        return CertPathHolder.CONSTRAINTS;
+    }
+
+    public static DisabledAlgorithmConstraints jarConstraints() {
+        return JarHolder.CONSTRAINTS;
+    }
+
     /**
      * Initialize algorithm constraints with the specified security property.
      *
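Review bot: The new public accessors `certPathConstraints()` and `jarConstraints()` have no Javadoc, although the holder classes give them a contract callers should know: each instance is built once, on first call, and then shared. A short comment on each would cover it, for example `/** Returns the shared constraints built from PROPERTY_JAR_DISABLED_ALGS; created on first use and cached. */`. The constructor is outside this hunk, so it is not visible here whether a later change to the security property is picked up; if it is not, the comment should say so.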
@@ -123,7 +147,7 @@
             disabledAlgorithms.addAll(ecindex,
                     getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
         }
-        algorithmConstraints = new Constraints(disabledAlgorithms);
+        algorithmConstraints = new Constraints(propertyName, disabledAlgorithms);
     }
 
     /*
@@ -168,32 +192,54 @@
         return checkConstraints(primitives, algorithm, key, parameters);
     }
 
-    public final void permits(ConstraintsParameters cp)
-            throws CertPathValidatorException {
-        permits(cp.getAlgorithm(), cp);
+    public final void permits(String algorithm, AlgorithmParameters ap,
+        ConstraintsParameters cp) throws CertPathValidatorException {
+
+        permits(algorithm, cp);
+        if (ap != null) {
+            permits(ap, cp);
+        }
+    }
+
+    private void permits(AlgorithmParameters ap, ConstraintsParameters cp)
+        throws CertPathValidatorException {
+
+        switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) {
+            case "RSASSA-PSS":
+                permitsPSSParams(ap, cp);
+                break;
+            default:
+                // unknown algorithm, just ignore
+        }
     }
 
-    public final void permits(String algorithm, Key key,
-            AlgorithmParameters params, String variant)
-            throws CertPathValidatorException {
-        permits(algorithm, new ConstraintsParameters(algorithm, params, key,
-                (variant == null) ? Validator.VAR_GENERIC : variant));
-    }
+    private void permitsPSSParams(AlgorithmParameters ap,
+        ConstraintsParameters cp) throws CertPathValidatorException {
 
-    /*
-     * Check if a x509Certificate object is permitted.  Check if all
-     * algorithms are allowed, certificate constraints, and the
-     * public key against key constraints.
-     *
-     * Uses new style permit() which throws exceptions.
-     */
+        try {
+            PSSParameterSpec pssParams =
+                ap.getParameterSpec(PSSParameterSpec.class);
+            String digestAlg = pssParams.getDigestAlgorithm();
+            permits(digestAlg, cp);
+            AlgorithmParameterSpec mgfParams = pssParams.getMGFParameters();
+            if (mgfParams instanceof MGF1ParameterSpec) {
+                String mgfDigestAlg =
+                    ((MGF1ParameterSpec)mgfParams).getDigestAlgorithm();
+                if (!mgfDigestAlg.equalsIgnoreCase(digestAlg)) {
+                    permits(mgfDigestAlg, cp);
+                }
+            }
+        } catch (InvalidParameterSpecException ipse) {
+            // ignore
+        }
+    }
 
     public final void permits(String algorithm, ConstraintsParameters cp)
             throws CertPathValidatorException {
 
-        // Check if named curves in the ConstraintParameters are disabled.
-        if (cp.getNamedCurve() != null) {
-            for (String curve : cp.getNamedCurve()) {
+        // Check if named curves in the key are disabled.
+        for (Key key : cp.getKeys()) {
+            for (String curve : getNamedCurveFromKey(key)) {
                 if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
                     throw new CertPathValidatorException(
                             "Algorithm constraints check failed on disabled " +
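Review bot: The empty `catch (InvalidParameterSpecException ipse)` in permitsPSSParams makes the check fail open: when the RSASSA-PSS parameters cannot be converted to a `PSSParameterSpec`, neither the message digest nor the MGF1 digest is compared with the disabled-algorithm list, and nothing is recorded. At minimum log it, assuming the `debug` field used elsewhere in this file is in scope: `if (debug != null) { debug.println("PSS params not decodable, digest not checked: " + ipse); }`. Whether to reject instead depends on callers not shown here. The `default:` branch of permits(AlgorithmParameters, ConstraintsParameters) skips every other parameter type the same way, and its comment should state that only PSS parameters carry a nested digest that is checked. The last permits() method in this hunk continues outside it.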
@@ -206,15 +252,14 @@
         algorithmConstraints.permits(algorithm, cp);
     }
 
-    // Check if a string is contained inside the property
-    public boolean checkProperty(String param) {
-        param = param.toLowerCase(Locale.ENGLISH);
-        for (String block : disabledAlgorithms) {
-            if (block.toLowerCase(Locale.ENGLISH).indexOf(param) >= 0) {
-                return true;
-            }
+    private static List<String> getNamedCurveFromKey(Key key) {
+        if (key instanceof ECKey) {
+            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
+            return (nc == null ? Collections.emptyList()
+                               : Arrays.asList(CurveDB.getNamesByOID(nc.getObjectId())));
+        } else {
+            return Collections.emptyList();
         }
-        return false;
     }
 
     // Check algorithm constraints with key and algorithm
@@ -238,8 +283,8 @@
             return false;
         }
 
-        // If this is an elliptic curve, check disabled the named curve.
-        for (String curve : ConstraintsParameters.getNamedCurveFromKey(key)) {
+        // If this is an elliptic curve, check if it is disabled
+        for (String curve : getNamedCurveFromKey(key)) {
             if (!permits(primitives, curve, null)) {
                 return false;
             }
@@ -276,7 +321,7 @@
                     "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
         }
 
-        public Constraints(List<String> constraintArray) {
+        public Constraints(String propertyName, List<String> constraintArray) {
             for (String constraintEntry : constraintArray) {
                 if (constraintEntry == null || constraintEntry.isEmpty()) {
                     continue;
@@ -391,7 +436,7 @@
             }
         }
 
-        // Get applicable constraints based off the signature algorithm
+        // Get applicable constraints based off the algorithm
         private List<Constraint> getConstraints(String algorithm) {
             return constraintsMap.get(algorithm.toUpperCase(Locale.ENGLISH));
         }
@@ -435,13 +480,12 @@
             return true;
         }
 
-        // Check if constraints permit this cert.
         public void permits(String algorithm, ConstraintsParameters cp)
                 throws CertPathValidatorException {
-            X509Certificate cert = cp.getCertificate();
 
             if (debug != null) {
-                debug.println("Constraints.permits(): " + cp.toString());
+                debug.println("Constraints.permits(): " + algorithm + ", "
+                              + cp.toString());
             }
 
             // Get all signature algorithms to check for constraints
@@ -451,13 +495,10 @@
                 algorithms.add(algorithm);
             }
 
-            // Attempt to add the public key algorithm if cert provided
-            if (cert != null) {
-                algorithms.add(cert.getPublicKey().getAlgorithm());
+            for (Key key : cp.getKeys()) {
+                algorithms.add(key.getAlgorithm());
             }
-            if (cp.getKey() != null) {
-                algorithms.add(cp.getKey().getAlgorithm());
-            }
+
             // Check all applicable constraints
             for (String alg : algorithms) {
                 List<Constraint> list = getConstraints(alg);
@@ -548,7 +589,7 @@
          * {@code next()} with the same {@code ConstraintsParameters}
          * parameter passed if multiple constraints need to be checked.
          *
-         * @param cp CertConstraintParameter containing certificate info
+         * @param cp ConstraintsParameter containing certificate info
          * @throws CertPathValidatorException if constraint disallows.
          *
          */
@@ -597,14 +638,6 @@
         boolean next(Key key) {
             return nextConstraint != null && nextConstraint.permits(key);
         }
-
-        String extendedMsg(ConstraintsParameters cp) {
-            return (cp.getCertificate() == null ? "." :
-                    " used with certificate: " +
-                            cp.getCertificate().getSubjectX500Principal() +
-                    (cp.getVariant() != Validator.VAR_GENERIC ?
-                            ".  Usage was " + cp.getVariant() : "."));
-        }
     }
 
     /*
@@ -628,14 +661,15 @@
                 debug.println("jdkCAConstraints.permits(): " + algorithm);
             }
 
-            // Check chain has a trust anchor in cacerts
-            if (cp.isTrustedMatch()) {
+            // Check if any certs chain back to at least one trust anchor in
+            // cacerts
+            if (cp.anchorIsJdkCA()) {
                 if (next(cp)) {
                     return;
                 }
                 throw new CertPathValidatorException(
                         "Algorithm constraints check failed on certificate " +
-                        "anchor limits. " + algorithm + extendedMsg(cp),
+                        "anchor limits. " + algorithm + cp.extendedExceptionMsg(),
                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
             }
         }
@@ -700,15 +734,10 @@
             Date currentDate;
             String errmsg;
 
-            if (cp.getJARTimestamp() != null) {
-                currentDate = cp.getJARTimestamp().getTimestamp();
-                errmsg = "JAR Timestamp date: ";
-            } else if (cp.getPKIXParamDate() != null) {
-                currentDate = cp.getPKIXParamDate();
-                errmsg = "PKIXParameter date: ";
+            if (cp.getDate() != null) {
+                currentDate = cp.getDate();
             } else {
                 currentDate = new Date();
-                errmsg = "Current date: ";
             }
 
             if (!denyAfterDate.after(currentDate)) {
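Review bot: `String errmsg;` stays declared at the top of this block, yet every assignment to it is removed here and its only visible use is replaced in the following hunk, so as far as the two hunks show the local is dead and should be deleted. The replacement label `"; params date: "` in that next hunk is also printed when `cp.getDate()` is null and `currentDate` is `new Date()`, so the exception text no longer says whether the denyAfter comparison used a supplied date or the wall clock. A two-way label keeps that for troubleshooting: `String dateSrc = (cp.getDate() != null) ? "params date: " : "current date: ";`. The enclosing method starts and ends outside the hunk.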
@@ -718,8 +747,8 @@
                 throw new CertPathValidatorException(
                         "denyAfter constraint check failed: " + algorithm +
                         " used with Constraint date: " +
-                        dateFormat.format(denyAfterDate) + "; " + errmsg +
-                        dateFormat.format(currentDate) + extendedMsg(cp),
+                        dateFormat.format(denyAfterDate) + "; params date: " +
+                        dateFormat.format(currentDate) + cp.extendedExceptionMsg(),
                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
             }
         }
@@ -756,19 +785,27 @@
         @Override
         public void permits(ConstraintsParameters cp)
                 throws CertPathValidatorException {
+            String variant = cp.getVariant();
             for (String usage : usages) {
 
-                String v = null;
-                if (usage.compareToIgnoreCase("TLSServer") == 0) {
-                    v = Validator.VAR_TLS_SERVER;
-                } else if (usage.compareToIgnoreCase("TLSClient") == 0) {
-                    v = Validator.VAR_TLS_CLIENT;
-                } else if (usage.compareToIgnoreCase("SignedJAR") == 0) {
-                    v = Validator.VAR_PLUGIN_CODE_SIGNING;
+                boolean match = false;
+                switch (usage.toLowerCase()) {
+                    case "tlsserver":
+                        match = variant.equals(Validator.VAR_TLS_SERVER);
+                        break;
+                    case "tlsclient":
+                        match = variant.equals(Validator.VAR_TLS_CLIENT);
+                        break;
+                    case "signedjar":
+                        match =
+                            variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING) ||
+                            variant.equals(Validator.VAR_CODE_SIGNING) ||
+                            variant.equals(Validator.VAR_TSA_SERVER);
+                        break;
                 }
 
                 if (debug != null) {
-                    debug.println("Checking if usage constraint \"" + v +
+                    debug.println("Checking if usage constraint \"" + usage +
                             "\" matches \"" + cp.getVariant() + "\"");
                     // Because usage checking can come from many places
                     // a stack trace is very helpful.
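Review bot: `usage.toLowerCase()` uses the default locale, unlike the `toUpperCase(Locale.ENGLISH)` calls elsewhere in this file, and the `compareToIgnoreCase` calls it replaces were locale-independent. Under a locale with special casing for `I` (Turkish, for instance), a property value written as `TLSCLIENT` or `SIGNEDJAR` would not lower-case to the `case` labels, `match` would stay false, and the usage constraint would silently not be applied. Use `switch (usage.toLowerCase(Locale.ENGLISH)) {`. `variant` is also dereferenced without a guard, so a ConstraintsParameters implementation that returns null from `getVariant()` would raise NullPointerException here. The method body continues outside the hunk.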
@@ -777,13 +814,13 @@
                     (new Exception()).printStackTrace(ps);
                     debug.println(ba.toString());
                 }
-                if (cp.getVariant().compareTo(v) == 0) {
+                if (match) {
                     if (next(cp)) {
                         return;
                     }
                     throw new CertPathValidatorException("Usage constraint " +
                             usage + " check failed: " + algorithm +
-                            extendedMsg(cp),
+                            cp.extendedExceptionMsg(),
                             null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
                 }
             }
@@ -837,31 +874,25 @@
         }
 
         /*
-         * If we are passed a certificate, extract the public key and use it.
-         *
-         * Check if each constraint fails and check if there is a linked
-         * constraint  Any permitted constraint will exit the linked list
-         * to allow the operation.
+         * For each key, check if each constraint fails and check if there is
+         * a linked constraint. Any permitted constraint will exit the linked
+         * list to allow the operation.
          */
         @Override
         public void permits(ConstraintsParameters cp)
                 throws CertPathValidatorException {
-            Key key = null;
-            if (cp.getKey() != null) {
-                key = cp.getKey();
-            } else if (cp.getCertificate() != null) {
-                key = cp.getCertificate().getPublicKey();
-            }
-            if (key != null && !permitsImpl(key)) {
-                if (nextConstraint != null) {
-                    nextConstraint.permits(cp);
-                    return;
+            for (Key key : cp.getKeys()) {
+                if (!permitsImpl(key)) {
+                    if (nextConstraint != null) {
+                        nextConstraint.permits(cp);
+                        continue;
+                    }
+                    throw new CertPathValidatorException(
+                        "Algorithm constraints check failed on keysize limits: " +
+                        algorithm + " " + KeyUtil.getKeySize(key) + " bit key" +
+                        cp.extendedExceptionMsg(),
+                        null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
                 }
-                throw new CertPathValidatorException(
-                        "Algorithm constraints check failed on keysize limits. " +
-                        algorithm + " " + KeyUtil.getKeySize(key) + "bit key" +
-                        extendedMsg(cp),
-                        null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
             }
         }
 
@@ -938,7 +969,7 @@
                 throws CertPathValidatorException {
             throw new CertPathValidatorException(
                     "Algorithm constraints check failed on disabled " +
-                            "algorithm: " + algorithm + extendedMsg(cp),
+                            "algorithm: " + algorithm + cp.extendedExceptionMsg(),
                     null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
         }
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/util/JarConstraintsParameters.java	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,188 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.CodeSigner;
+import java.security.Key;
+import java.security.Timestamp;
+import java.security.cert.CertPath;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import sun.security.util.AnchorCertificates;
+import sun.security.util.ConstraintsParameters;
+import sun.security.validator.Validator;
+
+/**
+ * This class contains parameters for checking signed JARs against
+ * constraints specified in the jdk.jar.disabledAlgorithms security
+ * property.
+ */
+public class JarConstraintsParameters implements ConstraintsParameters {
+
+    // true if chain is anchored by a JDK root CA
+    private boolean anchorIsJdkCA;
+    private boolean anchorIsJdkCASet;
+    // The timestamp of the signed JAR file, if timestamped
+    private Date timestamp;
+    // The keys of the signers
+    private final Set<Key> keys;
+    // The certs in the signers' chains that are issued by the trust anchor
+    private final Set<X509Certificate> certsIssuedByAnchor;
+    // The extended exception message
+    private String message;
+
+    /**
+     * Create a JarConstraintsParameters.
+     *
+     * @param signers the CodeSigners that signed the JAR
+     */
+    public JarConstraintsParameters(CodeSigner[] signers) {
+        this.keys = new HashSet<>();
+        this.certsIssuedByAnchor = new HashSet<>();
+        Date latestTimestamp = null;
+        boolean skipTimestamp = false;
+
+        // Iterate over the signers and extract the keys, the latest
+        // timestamp, and the last certificate of each chain which can be
+        // used for checking if the signer's certificate chains back to a
+        // JDK root CA
+        for (CodeSigner signer : signers) {
+            init(signer.getSignerCertPath());
+            Timestamp timestamp = signer.getTimestamp();
+            if (timestamp == null) {
+                // this means one of the signers doesn't have a timestamp
+                // and the JAR should be treated as if it isn't timestamped
+                latestTimestamp = null;
+                skipTimestamp = true;
+            } else {
+                // add the key and last cert of TSA too
+                init(timestamp.getSignerCertPath());
+                if (!skipTimestamp) {
+                    Date timestampDate = timestamp.getTimestamp();
+                    if (latestTimestamp == null) {
+                        latestTimestamp = timestampDate;
+                    } else {
+                        if (latestTimestamp.before(timestampDate)) {
+                            latestTimestamp = timestampDate;
+                        }
+                    }
+                }
+            }
+        }
+        this.timestamp = latestTimestamp;
+    }
+
+    // extract last certificate and key from chain
+    private void init(CertPath cp) {
+        @SuppressWarnings("unchecked")
+        List<X509Certificate> chain =
+            (List<X509Certificate>)cp.getCertificates();
+        if (!chain.isEmpty()) {
+            this.certsIssuedByAnchor.add(chain.get(chain.size() - 1));
+            this.keys.add(chain.get(0).getPublicKey());
+        }
+    }
+
+    @Override
+    public String getVariant() {
+        return Validator.VAR_GENERIC;
+    }
+
+    /**
+     * Since loading the cacerts keystore can be an expensive operation,
+     * this is only performed if this method is called during a "jdkCA"
+     * constraints check of a disabled algorithm, and the result is cached.
+     *
+     * @return true if at least one of the certificates are issued by a
+     *              JDK root CA
+     */
+    @Override
+    public boolean anchorIsJdkCA() {
+        if (anchorIsJdkCASet) {
+            return anchorIsJdkCA;
+        }
+        for (X509Certificate cert : certsIssuedByAnchor) {
+            if (AnchorCertificates.issuerOf(cert)) {
+                anchorIsJdkCA = true;
+                break;
+            }
+        }
+        anchorIsJdkCASet = true;
+        return anchorIsJdkCA;
+    }
+
+    @Override
+    public Date getDate() {
+        return timestamp;
+    }
+
+    @Override
+    public Set<Key> getKeys() {
+        return keys;
+    }
+
+    /**
+     * Sets the extended error message. Note: this should be used
+     * carefully as it is specific to the attribute/entry/file being checked.
+     *
+     * @param file the name of the signature related file being verified
+     * @param target the attribute containing the algorithm that is being
+     *        checked
+     */
+    public void setExtendedExceptionMsg(String file, String target) {
+        message = " used" + (target != null ? " with " + target : "") +
+                  " in " + file + " file.";
+    }
+
+    @Override
+    public String extendedExceptionMsg() {
+        return message;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder("[\n");
+        sb.append("\n  Variant: ").append(getVariant());
+        sb.append("\n  Certs Issued by Anchor:");
+        for (X509Certificate cert : certsIssuedByAnchor) {
+            sb.append("\n    Cert Issuer: ")
+              .append(cert.getIssuerX500Principal());
+            sb.append("\n    Cert Subject: ")
+              .append(cert.getSubjectX500Principal());
+        }
+        for (Key key : keys) {
+            sb.append("\n  Key: ").append(key.getAlgorithm());
+        }
+        if (timestamp != null) {
+            sb.append("\n  Timestamp: ").append(timestamp);
+        }
+        sb.append("\n]");
+        return sb.toString();
+    }
+}
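Review bot: `extendedExceptionMsg()` returns the `message` field as is, and that field stays null until `setExtendedExceptionMsg` has been called. The callers in DisabledAlgorithmConstraints concatenate the result straight into the exception text, so an unset message would show up as the literal `null`. Return a neutral default instead: `return (message == null) ? "." : message;`. `getKeys()` also hands out the internal mutable `keys` set, so returning an unmodifiable view would stop a caller from altering the set of keys that is checked. In the constructor, the local `timestamp` shadows the field of the same name and could be renamed, for example to `signerTimestamp`.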
--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,13 +27,12 @@
 
 import java.security.*;
 import java.io.*;
-import java.security.CodeSigner;
 import java.util.*;
 import java.util.jar.*;
 
-import java.util.Base64;
-
 import sun.security.jca.Providers;
+import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.util.JarConstraintsParameters;
 
 /**
  * This class is used to verify each entry in a jar file with its
@@ -202,12 +201,29 @@
             throw new SecurityException("digest missing for " + name);
         }
 
-        if (signers != null)
+        if (signers != null) {
             return signers;
+        }
+
+        JarConstraintsParameters params =
+            getParams(verifiedSigners, sigFileSigners);
 
         for (int i=0; i < digests.size(); i++) {
 
-            MessageDigest digest  = digests.get(i);
+            MessageDigest digest = digests.get(i);
+            if (params != null) {
+                try {
+                    params.setExtendedExceptionMsg(JarFile.MANIFEST_NAME,
+                        name + " entry");
+                    DisabledAlgorithmConstraints.jarConstraints()
+                           .permits(digest.getAlgorithm(), params);
+                } catch (GeneralSecurityException e) {
+                    if (debug != null) {
+                        debug.println("Digest algorithm is restricted: " + e);
+                    }
+                    return null;
+                }
+            }
             byte [] manHash = manifestHashes.get(i);
             byte [] theHash = digest.digest();
 
@@ -232,6 +248,38 @@
         return signers;
     }
 
+    /**
+     * Get constraints parameters for JAR. The constraints should be
+     * checked against all code signers. Returns the parameters,
+     * or null if the signers for this entry have already been checked.
+     */
+    private JarConstraintsParameters getParams(
+            Map<String, CodeSigner[]> verifiedSigners,
+            Map<String, CodeSigner[]> sigFileSigners) {
+
+        // verifiedSigners is usually preloaded with the Manifest's signers.
+        // If verifiedSigners contains the Manifest, then it will have all of
+        // the signers of the JAR. But if it doesn't then we need to fallback
+        // and check verifiedSigners to see if the signers of this entry have
+        // been checked already.
+        if (verifiedSigners.containsKey(JarFile.MANIFEST_NAME)) {
+            if (verifiedSigners.size() > 1) {
+                // this means we already checked it previously
+                return null;
+            } else {
+                return new JarConstraintsParameters(
+                    verifiedSigners.get(JarFile.MANIFEST_NAME));
+            }
+        } else {
+            CodeSigner[] signers = sigFileSigners.get(name);
+            if (verifiedSigners.containsValue(signers)) {
+                return null;
+            } else {
+                return new JarConstraintsParameters(signers);
+            }
+        }
+    }
+
     // for the toHex function
     private static final char[] hexc =
             {'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'};
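Review bot: In getParams, `verifiedSigners.containsValue(signers)` compares `CodeSigner[]` values with `equals`, which for arrays is reference identity, so "already checked" is detected only when the same array instance sits in both maps. A comment should state that reliance, e.g. `// arrays compare by identity: relies on both maps sharing the same CodeSigner[] instance`. If `sigFileSigners.get(name)` can be null at this point (not visible in the hunk), `new JarConstraintsParameters(signers)` would throw NullPointerException when its constructor iterates the array. The local `signers` also shadows what appears to be the field tested by verify() in the previous hunk, so a name such as `entrySigners` would read more clearly.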
--- a/src/share/classes/sun/security/util/SignatureFileVerifier.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/util/SignatureFileVerifier.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,6 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
-import java.security.Timestamp;
 import java.security.cert.CertPath;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
@@ -45,6 +44,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Set;
 import java.util.jar.Attributes;
 import java.util.jar.JarException;
 import java.util.jar.JarFile;
@@ -59,10 +59,6 @@
     /* Are we debugging ? */
     private static final Debug debug = Debug.getInstance("jar");
 
-    private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
-            new DisabledAlgorithmConstraints(
-                    DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
-
     private ArrayList<CodeSigner[]> signerCache;
 
     private static final String ATTR_DIGEST =
@@ -92,13 +88,13 @@
     /* for generating certpath objects */
     private CertificateFactory certificateFactory = null;
 
-    /** Algorithms that have been checked if they are weak. */
-    private Map<String, Boolean> permittedAlgs= new HashMap<>();
+    /** Algorithms that have been previously checked against disabled
+     *  constraints.
+     */
+    private Map<String, Boolean> permittedAlgs = new HashMap<>();
 
-    /** TSA timestamp of signed jar.  The newest timestamp is used.  If there
-     *  was no TSA timestamp used when signed, current time is used ("null").
-     */
-    private Timestamp timestamp = null;
+    /** ConstraintsParameters for checking disabled algorithms */
+    private JarConstraintsParameters params;
 
     /**
      * Create the named SignatureFileVerifier.
@@ -291,32 +287,23 @@
                                         name);
         }
 
-
         CodeSigner[] newSigners = getSigners(infos, block);
 
         // make sure we have something to do all this work for...
-        if (newSigners == null)
+        if (newSigners == null) {
             return;
+        }
 
-        /*
-         * Look for the latest timestamp in the signature block.  If an entry
-         * has no timestamp, use current time (aka null).
-         */
-        for (CodeSigner s: newSigners) {
-            if (debug != null) {
-                debug.println("Gathering timestamp for:  " + s.toString());
-            }
-            if (s.getTimestamp() == null) {
-                timestamp = null;
-                break;
-            } else if (timestamp == null) {
-                timestamp = s.getTimestamp();
-            } else {
-                if (timestamp.getTimestamp().before(
-                        s.getTimestamp().getTimestamp())) {
-                    timestamp = s.getTimestamp();
-                }
-            }
+        // check if any of the algorithms used to verify the SignerInfos
+        // are disabled
+        params = new JarConstraintsParameters(newSigners);
+        Set<String> notDisabledAlgorithms =
+            SignerInfo.verifyAlgorithms(infos, params, name + " PKCS7");
+
+        // add the SignerInfo algorithms that are ok to the permittedAlgs map
+        // so they are not checked again
+        for (String algorithm : notDisabledAlgorithms) {
+            permittedAlgs.put(algorithm, Boolean.TRUE);
         }
 
         Iterator<Map.Entry<String,Attributes>> entries =
@@ -367,13 +354,14 @@
      * store the result. If the algorithm is in the map use that result.
      * False is returned for weak algorithm, true for good algorithms.
      */
-    boolean permittedCheck(String key, String algorithm) {
+    private boolean permittedCheck(String key, String algorithm) {
         Boolean permitted = permittedAlgs.get(algorithm);
         if (permitted == null) {
             try {
-                JAR_DISABLED_CHECK.permits(algorithm,
-                        new ConstraintsParameters(timestamp));
-            } catch(GeneralSecurityException e) {
+                params.setExtendedExceptionMsg(name + ".SF", key + " attribute");
+                DisabledAlgorithmConstraints
+                    .jarConstraints().permits(algorithm, params);
+            } catch (GeneralSecurityException e) {
                 permittedAlgs.put(algorithm, Boolean.FALSE);
                 permittedAlgs.put(key.toUpperCase(), Boolean.FALSE);
                 if (debug != null) {
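Review bot: permittedCheck now dereferences the `params` field unconditionally, and the only assignment visible in this diff is in the earlier hunk, after `getSigners(infos, block)` returns non-null. The callers are outside the hunks, so the ordering cannot be confirmed from here; the method comment should record the precondition, for example `// requires params to have been set by the signature block processing above`. Each call also overwrites the shared extended message on `params`, so any later exception built from the same object reports the most recent `key + " attribute"`; that is worth a one-line comment too. The method continues outside the hunk.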
--- a/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Apr 26 14:01:43 2021 +0100
@@ -239,7 +239,7 @@
         // add a new algorithm constraints checker
         if (constraints != null) {
             pkixParameters.addCertPathChecker(
-                    new AlgorithmChecker(constraints, null, variant));
+                    new AlgorithmChecker(constraints, variant));
         }
 
         // attach it to the PKIXBuilderParameters.
--- a/src/share/classes/sun/security/validator/SimpleValidator.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/validator/SimpleValidator.java	Mon Apr 26 14:01:43 2021 +0100
@@ -162,7 +162,7 @@
         AlgorithmChecker appAlgChecker = null;
         if (constraints != null) {
             appAlgChecker = new AlgorithmChecker(anchor, constraints, null,
-                    null, variant);
+                    variant);
         }
 
         // verify top down, starting at the certificate issued by
--- a/src/share/classes/sun/security/x509/AlgorithmId.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/classes/sun/security/x509/AlgorithmId.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,6 +81,7 @@
      */
     protected DerValue          params;
 
+    private transient byte[] encodedParams;
 
     /**
      * Constructs an algorithm ID which will be initialized
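Review bot: `encodedParams` is declared `transient`, yet the later hunks in this file make `equals(AlgorithmId)`, `hashCode()`, `getEncodedParams()` and `derEncode()` read it instead of `params`. If AlgorithmId instances are ever Java-serialized (the class declaration is outside this hunk), a deserialized copy would have `encodedParams == null` while `params` is still populated. It would then compare, hash and encode as if it carried no parameters. Either rebuild the field from `params` in a `readObject`, or state the contract on the field, e.g. `// cached DER encoding of the parameters; not serialized, null when absent`.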
@@ -109,6 +110,18 @@
         algid = oid;
         algParams = algparams;
         constructedFromDer = false;
+        if (algParams != null) {
+            try {
+                encodedParams = algParams.getEncoded();
+            } catch (IOException ioe) {
+                // It should be safe to ignore this.
+                // This exception can occur if AlgorithmParameters was not
+                // initialized (which should not occur), or if it was
+                // initialized with bogus parameters, which should have
+                // been detected when init was called.
+                assert false;
+            }
+        }
     }
 
     private AlgorithmId(ObjectIdentifier oid, DerValue params)
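Review bot: The `catch (IOException ioe)` block relies on `assert false;`, which does nothing when assertions are disabled, so a failing `algParams.getEncoded()` leaves `encodedParams` null without any signal. The `derEncode` hunk further down now reads `encodedParams` instead of calling `algParams.getEncoded()`, so such an object would be encoded with `params = null` where the old code propagated the IOException. For a parameterised signature algorithm that silently changes what is encoded and compared. One way to keep the error visible is a fallback in `derEncode` before the null test: `if (encodedParams == null && algParams != null) { encodedParams = algParams.getEncoded(); }`. The constructor's signature is outside the hunk, so whether it could throw instead is not visible here.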
@@ -116,6 +129,7 @@
         this.algid = oid;
         this.params = params;
         if (this.params != null) {
+            encodedParams = params.toByteArray();
             decodeParams();
         }
     }
@@ -134,7 +148,7 @@
         }
 
         // Decode (parse) the parameters
-        algParams.init(params.toByteArray());
+        algParams.init(encodedParams.clone());
     }
 
     /**
@@ -153,6 +167,7 @@
      *
      * @exception IOException on encoding error.
      */
+    @Override
     public void derEncode (OutputStream out) throws IOException {
         DerOutputStream bytes = new DerOutputStream();
         DerOutputStream tmp = new DerOutputStream();
@@ -160,8 +175,8 @@
         bytes.putOID(algid);
         // Setup params from algParams since no DER encoding is given
         if (constructedFromDer == false) {
-            if (algParams != null) {
-                params = new DerValue(algParams.getEncoded());
+            if (encodedParams != null) {
+                params = new DerValue(encodedParams);
             } else {
                 params = null;
             }
@@ -248,7 +263,7 @@
         if ((params != null) && algid.equals((Object)specifiedWithECDSA_oid)) {
             try {
                 AlgorithmId paramsId =
-                        AlgorithmId.parse(new DerValue(params.toByteArray()));
+                        AlgorithmId.parse(new DerValue(encodedParams));
                 String paramsName = paramsId.getName();
                 algName = makeSigAlg(paramsName, "EC");
             } catch (IOException e) {
@@ -266,6 +281,10 @@
      * Returns the DER encoded parameter, which can then be
      * used to initialize java.security.AlgorithmParameters.
      *
+     * Note that this* method should always return a new array as it is called
+     * directly by the JDK implementation of X509Certificate.getSigAlgParams()
+     * and X509CRL.getSigAlgParams().
+     *
      * Note: for ecdsa-with-SHA2 plus hash algorithm (Ex: SHA-256), this method
      * returns null because {@link #getName()} has already returned the "full"
      * signature algorithm (Ex: SHA256withECDSA).
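Review bot: The added Javadoc sentence contains a stray asterisk in `Note that this* method should always return a new array`; it should read `Note that this method ...`. The sentence states a defensive-copy contract without giving the reason, which presumably is that the array is handed to callers who could modify it and must not alias the cached encoding. Saying that in the comment would make it less likely that a later change drops the `clone()` in the hunk that follows.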
@@ -273,9 +292,9 @@
      * @return DER encoded parameters, or null not present.
      */
     public byte[] getEncodedParams() throws IOException {
-        return (params == null || algid.equals(specifiedWithECDSA_oid))
+        return (encodedParams == null || algid.equals(specifiedWithECDSA_oid))
                 ? null
-                : params.toByteArray();
+                : encodedParams.clone();
     }
 
     /**
@@ -283,9 +302,8 @@
      * with the same parameters.
      */
     public boolean equals(AlgorithmId other) {
-        boolean paramsEqual =
-          (params == null ? other.params == null : params.equals(other.params));
-        return (algid.equals((Object)other.algid) && paramsEqual);
+        return algid.equals((Object)other.algid) &&
+            Arrays.equals(encodedParams, other.encodedParams);
     }
 
     /**
@@ -295,6 +313,7 @@
      *
      * @param other preferably an AlgorithmId, else an ObjectIdentifier
      */
+    @Override
     public boolean equals(Object other) {
         if (this == other) {
             return true;
@@ -321,11 +340,11 @@
      *
      * @return a hashcode for this AlgorithmId.
      */
+    @Override
     public int hashCode() {
-        StringBuilder sbuf = new StringBuilder();
-        sbuf.append(algid.toString());
-        sbuf.append(paramsToString());
-        return sbuf.toString().hashCode();
+        int hashCode = algid.hashCode();
+        hashCode = 31 * hashCode + Arrays.hashCode(encodedParams);
+        return hashCode;
     }
 
     /**
@@ -333,10 +352,10 @@
      * This may be redefined by subclasses which parse those parameters.
      */
     protected String paramsToString() {
-        if (params == null) {
+        if (encodedParams == null) {
             return "";
         } else if (algParams != null) {
-            return algParams.toString();
+            return ", " + algParams.toString();
         } else {
             return ", params unparsed";
         }
@@ -345,6 +364,7 @@
     /**
      * Returns a string describing the algorithm and its parameters.
      */
+    @Override
     public String toString() {
         return getName() + paramsToString();
     }
--- a/src/share/lib/security/java.security-aix	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/lib/security/java.security-aix	Mon Apr 26 14:01:43 2021 +0100
@@ -1198,3 +1198,26 @@
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
\ No newline at end of file
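Review bot: The documented default `*` leaves the new filter fully permissive, so this change alone does not restrict which object factory classes JNDI will instantiate from references returned by a naming or directory service. The comment should say that explicitly and tell operators that they have to narrow the value to get any protection. A constructed example in the jdk.serialFilter pattern syntax would help, e.g. `#jdk.jndi.object.factoriesFilter=com.example.factories.*;!*` (sample value: allow one package, reject everything else). Two small fixes: `it's instantiation` should be `its instantiation`, and the file now ends without a trailing newline. The same text is added in the java.security-linux, -macosx, -solaris and -windows hunks that follow.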
--- a/src/share/lib/security/java.security-linux	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/lib/security/java.security-linux	Mon Apr 26 14:01:43 2021 +0100
@@ -1204,3 +1204,26 @@
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
\ No newline at end of file
--- a/src/share/lib/security/java.security-macosx	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/lib/security/java.security-macosx	Mon Apr 26 14:01:43 2021 +0100
@@ -1202,3 +1202,26 @@
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
\ No newline at end of file
--- a/src/share/lib/security/java.security-solaris	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/lib/security/java.security-solaris	Mon Apr 26 14:01:43 2021 +0100
@@ -1200,3 +1200,26 @@
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
\ No newline at end of file
--- a/src/share/lib/security/java.security-windows	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/share/lib/security/java.security-windows	Mon Apr 26 14:01:43 2021 +0100
@@ -1202,3 +1202,26 @@
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
\ No newline at end of file
--- a/src/windows/classes/java/lang/ProcessImpl.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/src/windows/classes/java/lang/ProcessImpl.java	Mon Apr 26 14:01:43 2021 +0100
@@ -181,9 +181,9 @@
     private static final char ESCAPE_VERIFICATION[][] = {
         // We guarantee the only command file execution for implicit [cmd.exe] run.
         //    http://technet.microsoft.com/en-us/library/bb490954.aspx
-        {' ', '\t', '<', '>', '&', '|', '^'},
-        {' ', '\t', '<', '>'},
-        {' ', '\t', '<', '>'},
+        {' ', '\t', '\"', '<', '>', '&', '|', '^'},
+        {' ', '\t', '\"', '<', '>'},
+        {' ', '\t', '\"', '<', '>'},
         {' ', '\t'}
     };
 
@@ -243,18 +243,27 @@
     }
 
     /**
-     * Return the argument without quotes (1st and last) if present, else the arg.
+     * Return the argument without quotes (1st and last) if properly quoted, else the arg.
+     * A properly quoted string has first and last characters as quote and
+     * the last quote is not escaped.
      * @param str a string
-     * @return the string without 1st and last quotes
+     * @return the string without quotes
      */
     private static String unQuote(String str) {
-        int len = str.length();
-        return (len >= 2 && str.charAt(0) == DOUBLEQUOTE && str.charAt(len - 1) == DOUBLEQUOTE)
-                ? str.substring(1, len - 1)
-                : str;
+        if (!str.startsWith("\"") || !str.endsWith("\"") || str.length() < 2)
+            return str;    // no beginning or ending quote, or too short not quoted
+
+        if (str.endsWith("\\\"")) {
+            return str;    // not properly quoted, treat as unquoted
+        }
+        // Strip leading and trailing quotes
+        return str.substring(1, str.length() - 1);
     }
 
     private static boolean needsEscaping(int verificationType, String arg) {
+        if (arg.isEmpty())
+            return true;            // Empty string is to be quoted
+
         // Switch off MS heuristic for internal ["].
         // Please, use the explicit [cmd.exe] call
         // if you need the internal ["].
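Review bot: `unQuote` treats every argument ending in `\"` as improperly quoted, including one whose final backslash is itself escaped (for example a quoted directory path ending in `\\"`), where the closing quote is arguably a real delimiter. That looks like a deliberately conservative choice, but the Javadoc only says the last quote must not be escaped, so a comment such as `// any trailing \" counts as escaped, even after an even number of backslashes` would record it. The new code also writes the quote as the literal `"\""` where the removed lines used the `DOUBLEQUOTE` constant, mixes braced and unbraced `if` statements, and tests the length only after `startsWith`/`endsWith`. `needsEscaping` continues outside the hunk, so how an unchanged string is handled afterwards is not visible here.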
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/X509Certificate/GetSigAlgParams.java	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8259428
+ * @summary Verify X509Certificate.getSigAlgParams() returns new array each
+ *          time it is called
+ */
+
+import java.security.cert.X509Certificate;
+import sun.security.tools.keytool.CertAndKeyGen;
+import sun.security.x509.X500Name;
+
+public class GetSigAlgParams {
+
+    public static void main(String[] args) throws Exception {
+
+        CertAndKeyGen cakg = new CertAndKeyGen("RSASSA-PSS", "RSASSA-PSS");
+        cakg.generate(1024);
+        X509Certificate c = cakg.getSelfCertificate(new X500Name("CN=Me"), 100);
+        if (c.getSigAlgParams() == c.getSigAlgParams()) {
+            throw new Exception("Encoded params are the same byte array");
+        }
+    }
+}
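Review bot: The test only checks that two calls return different array objects, so it would still pass if `getSigAlgParams()` returned fresh arrays with wrong or differing contents. It would also report "same byte array" if both calls returned null. A content check pins the defensive copy to the right bytes: `byte[] p = c.getSigAlgParams(); if (p == null || !Arrays.equals(p, c.getSigAlgParams())) throw new Exception("Encoded params missing or inconsistent");` (needs `import java.util.Arrays;`). The Javadoc added in AlgorithmId.java also names X509CRL.getSigAlgParams(), which this test does not cover.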
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java	Mon Apr 26 14:01:43 2021 +0100
@@ -0,0 +1,320 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8256421
+ * @summary Interoperability tests with Harica CAs
+ * @build ValidatePathWithParams
+ * @run main/othervm -Djava.security.debug=certpath HaricaCA OCSP
+ * @run main/othervm -Djava.security.debug=certpath HaricaCA CRL
+ */
+
+/*
+ * Obtain test artifacts for Harica CA from:
+ *
+ * CA has no published test sites so we will need to communicate with CA for test.
+ */
+public class HaricaCA {
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+        boolean ocspEnabled = false;
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+            ocspEnabled = true;
+        }
+
+        new Harica_CA().runTest(pathValidator, ocspEnabled);
+        new Harica_ECC().runTest(pathValidator, ocspEnabled);
+    }
+}
+
+class Harica_CA {
+
+    // Owner: CN=Hellenic Academic and Research Institutions Code Signing CA R1,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Serial number: 1bc8b59e0cea0b7c
+    // Valid from: Fri Apr 08 00:37:41 PDT 2016 until: Sat Apr 06 00:37:41 PDT 2024
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIHnjCCBYagAwIBAgIIG8i1ngzqC3wwDQYJKoZIhvcNAQELBQAwgaYxCzAJBgNV\n" +
+            "BAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFjYWRl\n" +
+            "bWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAw\n" +
+            "PgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRp\n" +
+            "b25zIFJvb3RDQSAyMDE1MB4XDTE2MDQwODA3Mzc0MVoXDTI0MDQwNjA3Mzc0MVow\n" +
+            "ga0xCzAJBgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxl\n" +
+            "bmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0\n" +
+            "aG9yaXR5MUcwRQYDVQQDEz5IZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2gg\n" +
+            "SW5zdGl0dXRpb25zIENvZGUgU2lnbmluZyBDQSBSMTCCAiIwDQYJKoZIhvcNAQEB\n" +
+            "BQADggIPADCCAgoCggIBAJYQhJz8QjfP1wOc1sHxTKe9wy7d3oBScTslX5Yn1IE8\n" +
+            "j5SzsKilvbu9rp8bd8IKHnPrl1Vnjpvna/Vx/XKlXDxnIxgfLINfmbjJRoEbzj1t\n" +
+            "fxdTnZSN5c6vHYr5112/XCr2VQ7gIL+2jujXlJQYs/aUzAb9RR35dy4z2tQJQwtA\n" +
+            "gG/paNGgnOU2ROrcaEYfvG4YQWaHAwqjJ53ZY5HVD7NmLp5SZTA5Q3eHAYae99fq\n" +
+            "iEgMti3zMejzrAM1h+iVpLUxA7iMFh5nwCOvYJWVYqN3YOEmksxh7HOWlpe1PgDT\n" +
+            "5SezPCHmOilNizMSRsdW7fE8apYVq/O0yStFW32kS9RQzYiBsdgPvNzDGec7Jj8X\n" +
+            "SozhS6to+A6RdgfpHccHc2jhIRkFocA63OEde3Eo/NPf/WbFX2tpgDIv+HF/YZV3\n" +
+            "iaMeKeOKDIxa4c3t3qBsZNtFEGOQyDouVH4g2Y8gHhUCcR7gQrHEYy/9FbtUDviu\n" +
+            "abBVPFnNbEwT0uKS20aLgldkJ4/b3UzeTVzXVwLB8ruBfZX/e60YFaUJAZbbYRbE\n" +
+            "mD6KmDOCTfalpBRhXar6U1wf+GRp1wv01Vw88EJ6VEBxXAYrfQ28ER9IuLqVQRlN\n" +
+            "xpZCP71DRCvWljkXAKvWrs3JAw926n5K7sL+fv6mn+6iGBHrSEcyX8g8EZv6XuLP\n" +
+            "AgMBAAGjggHFMIIBwTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAT\n" +
+            "BgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDyz8Ez5xsy3SqelOr4FBCaaY\n" +
+            "3UgwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NybHYxLmhhcmljYS5nci9IYXJp\n" +
+            "Y2FSb290Q0EyMDE1L2NybHYxLmRlci5jcmwwHwYDVR0jBBgwFoAUcRVnyMjJvXVd\n" +
+            "ctA4GGqd83EkVAswbgYIKwYBBQUHAQEEYjBgMCEGCCsGAQUFBzABhhVodHRwOi8v\n" +
+            "b2NzcC5oYXJpY2EuZ3IwOwYIKwYBBQUHMAKGL2h0dHA6Ly93d3cuaGFyaWNhLmdy\n" +
+            "L2NlcnRzL0hhcmljYVJvb3RDQTIwMTUuY3J0MIGQBgNVHSAEgYgwgYUwgYIGBFUd\n" +
+            "IAAwejAyBggrBgEFBQcCARYmaHR0cDovL3d3dy5oYXJpY2EuZ3IvZG9jdW1lbnRz\n" +
+            "L0NQUy5waHAwRAYIKwYBBQUHAgIwOAw2VGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdWJq\n" +
+            "ZWN0IHRvIEdyZWVrIGxhd3MgYW5kIG91ciBDUFMuMA0GCSqGSIb3DQEBCwUAA4IC\n" +
+            "AQA2t84B3ImFaWsnaYoPxwYu9njKaDc/QsaxT4AKP8env/Zr+fjD5s0Bjd1gZijC\n" +
+            "9LRTzIovpldc/yADy7SVboIH0uNEiBC0kc0DaCq0ceCGIe6dw92Mu9DJ3UpMGAuF\n" +
+            "fLpyearmfX9qzi0KhPGhjTxSTD4vWw3E0nvDVMBG54Im0OUGeVzZ9SpvRRhRnPOk\n" +
+            "1eplEYRRDVTGYQJ84GdVC4H4U3TjlbO9gppeSnBoVHyCqDDpyd8HhTuY3P5VRWaf\n" +
+            "dvAkwrW2Vv53zIYpDtcwG7mf4UXKbfYGtOIg/xaqHV82J6MYZHW1RNIlSh7F+1S5\n" +
+            "XamkPCQZZI87CMt/OZH+RaO87Vr2V02wkYwEeAvjOwq9l7LtOJaOznKS+BlMi009\n" +
+            "ljgHWUQcA2wk25hOAS3YtvhI1l2UrRHSqmHd7Jah4clskIjURt3b2Ez9nuZh1dC8\n" +
+            "NfaoPCkpK3leLBezubtq48MRe5jkAgen5UXvxq9zOZSen4pYeBK72ugNyLjzOhY8\n" +
+            "GrSeE1voLnvyZIguM2hrI8nEjI4rSXL6lsqXyG/ODzDMMdKq4FrjoW3y9KnV/n8t\n" +
+            "BvKTAlDcXQTqfdTykDWnxwNTp6dU+MOom9LGy6ZNFbei7XuvjrREiXUEJ/I2dGSD\n" +
+            "3zeNek32BS2BBZNN8jeP4szLs85G5HWql59OyePZfARA6Q==\n" +
+            "-----END CERTIFICATE-----";
+
+    // Owner: OID.1.3.6.1.4.1.311.60.2.1.3=GR, OID.2.5.4.15=Private Organization,
+    // CN=Greek Universities Network (GUnet), SERIALNUMBER=VATGR-099028220,
+    // OU=Class A - Private Key created and stored in hardware CSP, O=Greek Universities Network, L=Athens, C=GR
+    // Issuer: CN=Hellenic Academic and Research Institutions Code Signing CA R1,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Serial number: 2c9a7af519251c645c1bed40b9d1aeca
+    // Valid from: Mon Sep 09 01:15:13 PDT 2019 until: Wed Sep 08 01:15:13 PDT 2021
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIGyzCCBLOgAwIBAgIQLJp69RklHGRcG+1AudGuyjANBgkqhkiG9w0BAQsFADCB\n" +
+            "rTELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVu\n" +
+            "aWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRo\n" +
+            "b3JpdHkxRzBFBgNVBAMTPkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJ\n" +
+            "bnN0aXR1dGlvbnMgQ29kZSBTaWduaW5nIENBIFIxMB4XDTE5MDkwOTA4MTUxM1oX\n" +
+            "DTIxMDkwODA4MTUxM1owggEBMQswCQYDVQQGEwJHUjEPMA0GA1UEBwwGQXRoZW5z\n" +
+            "MSMwIQYDVQQKDBpHcmVlayBVbml2ZXJzaXRpZXMgTmV0d29yazFBMD8GA1UECww4\n" +
+            "Q2xhc3MgQSAtIFByaXZhdGUgS2V5IGNyZWF0ZWQgYW5kIHN0b3JlZCBpbiBoYXJk\n" +
+            "d2FyZSBDU1AxGDAWBgNVBAUTD1ZBVEdSLTA5OTAyODIyMDErMCkGA1UEAwwiR3Jl\n" +
+            "ZWsgVW5pdmVyc2l0aWVzIE5ldHdvcmsgKEdVbmV0KTEdMBsGA1UEDwwUUHJpdmF0\n" +
+            "ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCR1IwggEiMA0GCSqGSIb3\n" +
+            "DQEBAQUAA4IBDwAwggEKAoIBAQDdkvuJzgjD3Hr1RoDtPZPp5ZelMl6Xh5vnKVuG\n" +
+            "KX9gwHbDaXpLkp2bF2497R3olBaeYcEgappsWLPvLMEA75BSRopFQmhX3PAsjfAG\n" +
+            "JZGM3A53n4NAQscCmtD6echJi4P6RThRcpfqObfe0vqZUVzSWRC8fU1P4lt/KzJj\n" +
+            "DGSJtOP/SJfgp3M7hEp54fn+15DlYp+0e4aa5HF2HpGIy2ghPbRvkMJWbHmp3KZG\n" +
+            "NOXViQdr/ogpqRsbdP7kN78WLhwrLu+xRUmf9A845jxyNO7269jOQHztfPAcgvDw\n" +
+            "NbZouGtN3IIWoXWMLipNgzC9CYdqgLsLI9lXV9oQrXaICQ27AgMBAAGjggGOMIIB\n" +
+            "ijAfBgNVHSMEGDAWgBQPLPwTPnGzLdKp6U6vgUEJppjdSDB0BggrBgEFBQcBAQRo\n" +
+            "MGYwQQYIKwYBBQUHMAKGNWh0dHA6Ly9yZXBvLmhhcmljYS5nci9jZXJ0cy9IYXJp\n" +
+            "Y2FDb2RlU2lnbmluZ0NBUjEuY3J0MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5o\n" +
+            "YXJpY2EuZ3IwYAYDVR0gBFkwVzAHBgVngQwBAzAIBgYEAI96AQIwQgYMKwYBBAGB\n" +
+            "zxEBAQMDMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9j\n" +
+            "dW1lbnRzL0NQUzATBgNVHSUEDDAKBggrBgEFBQcDAzBLBgNVHR8ERDBCMECgPqA8\n" +
+            "hjpodHRwOi8vY3JsdjEuaGFyaWNhLmdyL0hhcmljYUNvZGVTaWduaW5nQ0FSMS9j\n" +
+            "cmx2MS5kZXIuY3JsMB0GA1UdDgQWBBR0K0c/UEGkfRtqAEwoONenOUa0WTAOBgNV\n" +
+            "HQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAHXVdzMwKeZSWmXZu/MyoyH8\n" +
+            "yTHYi/yvaPpR88/Q/j5wxzuceECZJgH74xgePCIXx74IKTADUyIj7eWuTkzEnZF9\n" +
+            "yqJyG+tArrIH7zdnjC0OgbJVFeUUY45rS24u8n/+46LnXy4A+bRa0qX/QikHxMvj\n" +
+            "0I0/RTZpdQFjhnmhZyZzUWReFlAEG1fUz9TNwcCfGrv3z6YHCNAh/HWFtM7te6H7\n" +
+            "LNjoRw0fC5edqI16ca2VrOLObbg64zdk7Ll/fu3Ll5UcAthve/PTez6R1wm47ETT\n" +
+            "ItjinmQI3vRhIls/UwvF4ey5Linz80rnzIlrrMgn3G2gRpfJ55CxsXOZDGS9iy8C\n" +
+            "jU8EiKkjbdDH6mOdQO11+FlwhBwSxVbr004RDPJJqKHKtKTWx6mEbW+ZrMXaEUNZ\n" +
+            "mSPwDCUgDzrFfSspYJL0UW7zV+SbK9u5nf09m6qOpkZ5OE91IEpkotTWqMe/yOJu\n" +
+            "Yey5wvAmEqQM6fcQCTfV5JBtzU5LOsm5Uwg728DcHfal21dJWtY3fi7+CgDRutU3\n" +
+            "Ee8uZUmCd/KCSQgP8B/QTu7wLXHd4IQz2EP2tmN9Zrv/MsDjpSHgRrU6Hwi49bPQ\n" +
+            "R43rmXHC7e2GZpBdPsfG0VDnpzgCx5Kogi5nJwwUevbvC2CT11AAlaOmTQPflqQj\n" +
+            "w2LPatMDMTAga/l+CE8j\n" +
+            "-----END CERTIFICATE-----";
+
+    // Owner: CN=Greek Universities Network (GUnet), SERIALNUMBER=VATGR-099028220,
+    // OU=Class B - Private Key created and stored in software CSP, O=Greek Universities Network, L=Athens, C=GR
+    // Issuer: CN=Hellenic Academic and Research Institutions Code Signing CA R1,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Serial number: 29c4a7abf35bd0acb1638abbf22da1d3
+    // Valid from: Mon Feb 17 01:47:19 PST 2020 until: Mon Feb 15 16:00:00 PST 2021
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIGmDCCBICgAwIBAgIQKcSnq/Nb0KyxY4q78i2h0zANBgkqhkiG9w0BAQsFADCB\n" +
+            "rTELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVu\n" +
+            "aWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRo\n" +
+            "b3JpdHkxRzBFBgNVBAMTPkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJ\n" +
+            "bnN0aXR1dGlvbnMgQ29kZSBTaWduaW5nIENBIFIxMB4XDTIwMDIxNzA5NDcxOVoX\n" +
+            "DTIxMDIxNjAwMDAwMFowgc0xCzAJBgNVBAYTAkdSMQ8wDQYDVQQHDAZBdGhlbnMx\n" +
+            "IzAhBgNVBAoMGkdyZWVrIFVuaXZlcnNpdGllcyBOZXR3b3JrMUEwPwYDVQQLDDhD\n" +
+            "bGFzcyBCIC0gUHJpdmF0ZSBLZXkgY3JlYXRlZCBhbmQgc3RvcmVkIGluIHNvZnR3\n" +
+            "YXJlIENTUDEYMBYGA1UEBRMPVkFUR1ItMDk5MDI4MjIwMSswKQYDVQQDDCJHcmVl\n" +
+            "ayBVbml2ZXJzaXRpZXMgTmV0d29yayAoR1VuZXQpMIIBIjANBgkqhkiG9w0BAQEF\n" +
+            "AAOCAQ8AMIIBCgKCAQEArSBfy0xwIHpFxFrAHiYpMOkILjOvlhRCBmfzrJFSILou\n" +
+            "8vc1wxZw/olBa38khtIybE0GJnzZqoFTsalAcLg0CzfqucDoWL+uVLURmEmYZExj\n" +
+            "ngYfjrpB7ypjWqxfBVqqLgxugY1XV3oaQRNWgFEn/mrQhv+0azySJdRSiW0BH4rP\n" +
+            "wXp9LHgzHc7oxVOHsOKApwRN7TRVKz0/EoPhyUzdk5xoRTQMRalwZ0/E24v+CyoF\n" +
+            "bPl/v+dlRK5n9It8yjCtqOMZ1z7l8sKmJ7q9iLvzAF58a8B5lPueC+opHPEy4VD0\n" +
+            "7xZHYgdHliDsVIcWDXAzfcfo7l9EUX17onEXKMWKDwIDAQABo4IBkDCCAYwwHwYD\n" +
+            "VR0jBBgwFoAUDyz8Ez5xsy3SqelOr4FBCaaY3UgwdAYIKwYBBQUHAQEEaDBmMEEG\n" +
+            "CCsGAQUFBzAChjVodHRwOi8vcmVwby5oYXJpY2EuZ3IvY2VydHMvSGFyaWNhQ29k\n" +
+            "ZVNpZ25pbmdDQVIxLmNydDAhBggrBgEFBQcwAYYVaHR0cDovL29jc3AuaGFyaWNh\n" +
+            "LmdyMGIGA1UdIARbMFkwCAYGZ4EMAQQBMAgGBgQAj3oBATBDBg0rBgEEAYHPEQEB\n" +
+            "AwEBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1l\n" +
+            "bnRzL0NQUzATBgNVHSUEDDAKBggrBgEFBQcDAzBLBgNVHR8ERDBCMECgPqA8hjpo\n" +
+            "dHRwOi8vY3JsdjEuaGFyaWNhLmdyL0hhcmljYUNvZGVTaWduaW5nQ0FSMS9jcmx2\n" +
+            "MS5kZXIuY3JsMB0GA1UdDgQWBBTj6v8Qkmosm+VNGsd/prwylbsM7TAOBgNVHQ8B\n" +
+            "Af8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBADYBQvc68KwX28UFeE/nXcowBTSd\n" +
+            "z+tQexloeBa4Z5G0yRr9URPc95H1R4SJiGQxb/KKqX2LqZtowc5rOXFBchI3da24\n" +
+            "kn8pmoi4/U2o8iS+DSlAMsn4ZW2lyDd0jyNeRiuZXvkdpqxa9u/x0TyXJ6qUxSYM\n" +
+            "oUC/H7RI1rxA+NgQ+otLHVs4ye53qzO44mXJv5Qq4dQ+GEdD+dShrYs69WMC0mV0\n" +
+            "mVs//R1qp8G3tThAiJJF55kV8w1JH2+yv8RXAdQ2cRpN2W6wsnm2DxldHKM4Kel4\n" +
+            "ON0TXlARGjoGqfEjFyZYtvpjzIPGoj3MHgCdiVb+zQJavYZJfLymlnIXajVb80Hh\n" +
+            "9xSar/uZ0NwtZgX8EwOrBiDUuCjyvlYrcbpSN26Q4fuUfPdIJQXMQDLTFMQLQ/o4\n" +
+            "5dn9FLLaJF7CA8VFeyJYi9pWEiIIpmPzIibd2+CAEQ43Q87GAvLpC09Rf6yggRh5\n" +
+            "by/FAOOzfbEQMhvJfGcJrPeG8JdzG95N5ycAeeyb/iboYptRwsLWwurASmUEKn0y\n" +
+            "BHlQPhut0mqNJQsoxvW6yIipFAQPBxfRHeLG71UO1kRxCleDTMsb3Zzt8hv1G4+m\n" +
+            "Nsm3ZMOV8TMdlBxYO/xA9dqwAxMuPvShx6LdiiyQhdeEmIFvKZeTD22cIOVLDsrd\n" +
+            "D2GbhbvPInvh21Qz\n" +
+            "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Mon Feb 17 02:00:10 PST 2020", System.out);
+    }
+}
+
+class Harica_ECC {
+
+    // Owner: CN=HARICA Code Signing ECC SubCA R2,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Serial number: 1f6ea9c2f4d7f80ee6a046d8b822dd3f
+    // Valid from: Wed Mar 06 02:49:26 PST 2019 until: Thu Mar 02 02:49:26 PST 2034
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIDxzCCA02gAwIBAgIQH26pwvTX+A7moEbYuCLdPzAKBggqhkjOPQQDAzCBqjEL\n" +
+            "MAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMg\n" +
+            "QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3Jp\n" +
+            "dHkxRDBCBgNVBAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0\n" +
+            "aXR1dGlvbnMgRUNDIFJvb3RDQSAyMDE1MB4XDTE5MDMwNjEwNDkyNloXDTM0MDMw\n" +
+            "MjEwNDkyNlowgY8xCzAJBgNVBAYTAkdSMQ8wDQYDVQQHDAZBdGhlbnMxRDBCBgNV\n" +
+            "BAoMO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMg\n" +
+            "Q2VydC4gQXV0aG9yaXR5MSkwJwYDVQQDDCBIQVJJQ0EgQ29kZSBTaWduaW5nIEVD\n" +
+            "QyBTdWJDQSBSMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKPWDfLT76KnCZ7dujms\n" +
+            "bFYFLTvCWTyk8l0JqdhvZ+Tk6dWYAViIX90fc8+3HPAdHvkofNWvI/PW0qlZoRn3\n" +
+            "De/Nrp+ZCWjg7UrUrmKH2z/N3A7lgZFqrwlWPxHSPSYVkqOCAU8wggFLMBIGA1Ud\n" +
+            "EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUtCILgpkkAQ6cu+QO/b/7lyCTmSow\n" +
+            "cgYIKwYBBQUHAQEEZjBkMD8GCCsGAQUFBzAChjNodHRwOi8vcmVwby5oYXJpY2Eu\n" +
+            "Z3IvY2VydHMvSGFyaWNhRUNDUm9vdENBMjAxNS5jcnQwIQYIKwYBBQUHMAGGFWh0\n" +
+            "dHA6Ly9vY3NwLmhhcmljYS5ncjARBgNVHSAECjAIMAYGBFUdIAAwEwYDVR0lBAww\n" +
+            "CgYIKwYBBQUHAwMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybHYxLmhhcmlj\n" +
+            "YS5nci9IYXJpY2FFQ0NSb290Q0EyMDE1L2NybHYxLmRlci5jcmwwHQYDVR0OBBYE\n" +
+            "FMdgA8SpJhybKTZTnW4Xu3NWRKZeMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQD\n" +
+            "AwNoADBlAjAcJj7q9ujC+87/b81QowGo87VJhn9XWzRtpwjQFbIilqEfO3ot1d5F\n" +
+            "MWT1Xn2Qg3sCMQCoM+eV2KkQluHn2N6+GMImJqVObVUyZv0E+BvvszdJubo1cAM0\n" +
+            "SUImVT1t2wZpJKg=\n" +
+            "-----END CERTIFICATE-----";
+
+    // Owner: CN=Dimitrios Zacharopoulos, GIVENNAME=Dimitrios, SURNAME=Zacharopoulos,
+    // OU=Class B - Private Key created and stored in software CSP,
+    // O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+    // Issuer: CN=HARICA Code Signing ECC SubCA R2, O=Hellenic Academic and Research Institutions Cert. Authority,
+    // L=Athens, C=GR
+    // Serial number: 11a187e3b5b0eabea4ba4987e76cd09d
+    // Valid from: Fri Jul 31 02:11:08 PDT 2020 until: Sun Jul 31 02:11:08 PDT 2022
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIENTCCA7ugAwIBAgIQEaGH47Ww6r6kukmH52zQnTAKBggqhkjOPQQDAzCBjzEL\n" +
+            "MAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczFEMEIGA1UECgw7SGVsbGVuaWMg\n" +
+            "QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3Jp\n" +
+            "dHkxKTAnBgNVBAMMIEhBUklDQSBDb2RlIFNpZ25pbmcgRUNDIFN1YkNBIFIyMB4X\n" +
+            "DTIwMDczMTA5MTEwOFoXDTIyMDczMTA5MTEwOFowgfUxCzAJBgNVBAYTAkdSMQ8w\n" +
+            "DQYDVQQHDAZBdGhlbnMxRDBCBgNVBAoMO0hlbGxlbmljIEFjYWRlbWljIGFuZCBS\n" +
+            "ZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUEwPwYDVQQLDDhD\n" +
+            "bGFzcyBCIC0gUHJpdmF0ZSBLZXkgY3JlYXRlZCBhbmQgc3RvcmVkIGluIHNvZnR3\n" +
+            "YXJlIENTUDEWMBQGA1UEBAwNWmFjaGFyb3BvdWxvczESMBAGA1UEKgwJRGltaXRy\n" +
+            "aW9zMSAwHgYDVQQDDBdEaW1pdHJpb3MgWmFjaGFyb3BvdWxvczBZMBMGByqGSM49\n" +
+            "AgEGCCqGSM49AwEHA0IABOzRSqoI9HoxXjWerBBw8Croi1bJlUzoFXGjdszJIThf\n" +
+            "UG3YOiR1whG7wY5H5v8v4IIB5pJanArJk4CzxBLKob6jggGPMIIBizAfBgNVHSME\n" +
+            "GDAWgBTHYAPEqSYcmyk2U51uF7tzVkSmXjB6BggrBgEFBQcBAQRuMGwwRwYIKwYB\n" +
+            "BQUHMAKGO2h0dHA6Ly9yZXBvLmhhcmljYS5nci9jZXJ0cy9IYXJpY2FFQ0NDb2Rl\n" +
+            "U2lnbmluZ1N1YkNBUjIuY3J0MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5oYXJp\n" +
+            "Y2EuZ3IwYQYDVR0gBFowWDAIBgZngQwBBAEwCAYGBACPegEBMEIGDCsGAQQBgc8R\n" +
+            "AQMCATAyMDAGCCsGAQUFBwIBFiRodHRwczovL3JlcG8uaGFyaWNhLmdyL2RvY3Vt\n" +
+            "ZW50cy9DUFMwEwYDVR0lBAwwCgYIKwYBBQUHAwMwRQYDVR0fBD4wPDA6oDigNoY0\n" +
+            "aHR0cDovL2NybC5oYXJpY2EuZ3IvSGFyaWNhRUNDQ29kZVNpZ25pbmdTdWJDQVIy\n" +
+            "LmNybDAdBgNVHQ4EFgQUpNjChUi9LGgwz7E18N1EwXooEFcwDgYDVR0PAQH/BAQD\n" +
+            "AgeAMAoGCCqGSM49BAMDA2gAMGUCMQCDvQIjqgssTRHqp+gu7l21XmAQ4EMqr4+B\n" +
+            "05iU/edLxxV+z5roTswxnPnr43+EbvkCMHq4aFW1u1+RvPBQJNRnYmdXCnj0lUw4\n" +
+            "Ug7JnsEYMffLakDudzgsNv5ByJf9SO84Lw==\n" +
+            "-----END CERTIFICATE-----";
+
+    // Owner: CN=Greek Universities Network (GUnet), SERIALNUMBER=VATGR-099028220,
+    // OU=Class B - Private Key created and stored in software CSP, O=Greek Universities Network, L=Athens, C=GR
+    // Issuer: CN=HARICA Code Signing ECC SubCA R2, O=Hellenic Academic and Research Institutions Cert. Authority,
+    // L=Athens, C=GR
+    // Serial number: 4b14719c7195c96de8a5663724454205
+    // Valid from: Mon Feb 17 01:48:32 PST 2020 until: Mon Feb 15 16:00:00 PST 2021
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIEDjCCA5SgAwIBAgIQSxRxnHGVyW3opWY3JEVCBTAKBggqhkjOPQQDAzCBjzEL\n" +
+            "MAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczFEMEIGA1UECgw7SGVsbGVuaWMg\n" +
+            "QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3Jp\n" +
+            "dHkxKTAnBgNVBAMMIEhBUklDQSBDb2RlIFNpZ25pbmcgRUNDIFN1YkNBIFIyMB4X\n" +
+            "DTIwMDIxNzA5NDgzMloXDTIxMDIxNjAwMDAwMFowgc0xCzAJBgNVBAYTAkdSMQ8w\n" +
+            "DQYDVQQHDAZBdGhlbnMxIzAhBgNVBAoMGkdyZWVrIFVuaXZlcnNpdGllcyBOZXR3\n" +
+            "b3JrMUEwPwYDVQQLDDhDbGFzcyBCIC0gUHJpdmF0ZSBLZXkgY3JlYXRlZCBhbmQg\n" +
+            "c3RvcmVkIGluIHNvZnR3YXJlIENTUDEYMBYGA1UEBRMPVkFUR1ItMDk5MDI4MjIw\n" +
+            "MSswKQYDVQQDDCJHcmVlayBVbml2ZXJzaXRpZXMgTmV0d29yayAoR1VuZXQpMFkw\n" +
+            "EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECC+lD6hphUDLSGs/Vw4Tvj8RAuCQAyi+\n" +
+            "MUiXXXzGSp5e6ksBVlRlawluNR+BUtY93BRCjjNr3OuvSVALyrH7HKOCAZAwggGM\n" +
+            "MB8GA1UdIwQYMBaAFMdgA8SpJhybKTZTnW4Xu3NWRKZeMHoGCCsGAQUFBwEBBG4w\n" +
+            "bDBHBggrBgEFBQcwAoY7aHR0cDovL3JlcG8uaGFyaWNhLmdyL2NlcnRzL0hhcmlj\n" +
+            "YUVDQ0NvZGVTaWduaW5nU3ViQ0FSMi5jcnQwIQYIKwYBBQUHMAGGFWh0dHA6Ly9v\n" +
+            "Y3NwLmhhcmljYS5ncjBiBgNVHSAEWzBZMAgGBmeBDAEEATAIBgYEAI96AQEwQwYN\n" +
+            "KwYBBAGBzxEBAQMBATAyMDAGCCsGAQUFBwIBFiRodHRwczovL3JlcG8uaGFyaWNh\n" +
+            "LmdyL2RvY3VtZW50cy9DUFMwEwYDVR0lBAwwCgYIKwYBBQUHAwMwRQYDVR0fBD4w\n" +
+            "PDA6oDigNoY0aHR0cDovL2NybC5oYXJpY2EuZ3IvSGFyaWNhRUNDQ29kZVNpZ25p\n" +
+            "bmdTdWJDQVIyLmNybDAdBgNVHQ4EFgQUT4+WfQu125tLqla60vhK7ijBBWkwDgYD\n" +
+            "VR0PAQH/BAQDAgeAMAoGCCqGSM49BAMDA2gAMGUCMQDADGDAxKpUkyEKBLzpX+88\n" +
+            "ONLYDgFSie5W2ULWk02sDRO/k5xcSSjTf0FFa4+l6E8CME/b27e7NUGHPVYTLTWL\n" +
+            "5yPiboyNsT8QpV+hZiWh/Qqiw1E/bR2SPIGEwYUrOV61fA==\n" +
+            "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Mon Feb 17 02:00:57 PST 2020", System.out);
+    }
+}
--- a/test/sun/security/lib/cacerts/VerifyCACerts.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/security/lib/cacerts/VerifyCACerts.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,12 +53,12 @@
             + File.separator + "security" + File.separator + "cacerts";
 
     // The numbers of certs now.
-    private static final int COUNT = 95;
+    private static final int COUNT = 97;
 
     // SHA-256 of cacerts, can be generated with
     // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95
     private static final String CHECKSUM
-            = "84:BB:36:9E:B0:07:A7:C5:7F:38:EC:36:82:5C:0F:46:C0:35:3B:B1:1F:06:C2:D0:47:B9:39:FA:87:64:E5:9D";
+            = "9F:6B:41:1D:05:AF:E3:C5:4F:E8:39:89:50:79:60:B1:F6:A4:02:40:0C:28:8D:73:78:08:E5:61:7C:17:EA:59";
 
     // map of cert alias to SHA-256 fingerprint
     @SuppressWarnings("serial")
@@ -255,6 +255,10 @@
                     "2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C");
             put("sslrooteccca [jdk]",
                     "34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65");
+            put("haricarootca2015 [jdk]",
+                    "A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36");
+            put("haricaeccrootca2015 [jdk]",
+                    "44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33");
         }
     };
 
--- a/test/sun/security/pkcs/pkcs8/PKCS8Test.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/security/pkcs/pkcs8/PKCS8Test.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,7 +53,7 @@
     static final DerOutputStream derOutput = new DerOutputStream();
 
     static final String FORMAT = "PKCS#8";
-    static final String EXPECTED_ALG_ID_CHRS = "DSA\n\tp:     02\n\tq:     03\n"
+    static final String EXPECTED_ALG_ID_CHRS = "DSA, \n\tp:     02\n\tq:     03\n"
             + "\tg:     04\n";
     static final String ALGORITHM = "DSA";
     static final String EXCEPTION_MESSAGE = "version mismatch: (supported:     "
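Review bot: The new expected value on `EXPECTED_ALG_ID_CHRS` begins `"DSA, \n\tp:     02..."`, and the comma plus trailing space before the newline reads like a typo because nothing says where that layout comes from. The constant is compared as an exact string, so a one-line comment above it would save the next reader a search, for example `// must match the printed algorithm id exactly: name, ", ", then the DSA parameters`. The code that produces this string is not part of the hunk, so that wording should be confirmed against it.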
--- a/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/security/tools/jarsigner/TimestampCheck.java	Mon Apr 26 14:01:43 2021 +0100
@@ -450,7 +450,7 @@
                 sign("tsdisabled", "-digestalg", "MD5",
                                 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
                         .shouldHaveExitValue(68)
-                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
+                        .shouldContain("TSA certificate chain is invalid")
                         .shouldMatch("MD5.*-digestalg.*is disabled")
                         .shouldMatch("MD5.*-tsadigestalg.*is disabled")
                         .shouldMatch("MD5withRSA.*-sigalg.*is disabled");
@@ -458,7 +458,6 @@
 
                 signVerbose("tsdisabled", "unsigned.jar", "tsdisabled2.jar", "signer")
                         .shouldHaveExitValue(64)
-                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
                         .shouldContain("TSA certificate chain is invalid");
 
                 // Disabled timestamp is an error and jar treated unsigned
@@ -771,7 +770,7 @@
                 .shouldMatch("Timestamp signature algorithm: .*key.*(disabled)");
         verify(file, "-J-Djava.security.debug=jar")
                 .shouldHaveExitValue(16)
-                .shouldMatch("SignatureException:.*disabled");
+                .shouldMatch("SignatureException:.*keysize");
     }
 
     static void checkHalfWeak(String file) throws Exception {
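Review bot: The replacement pattern `.shouldMatch("SignatureException:.*keysize")` ties this check to the wording of a `-Djava.security.debug=jar` message, and the hunk does not say why the expected text moved from `disabled` to `keysize`. Presumably the exception now names the violated key-size constraint, which should be confirmed. A short comment above the `verify(...)` call would record it, for example `// weak TSA key: the debug output reports the keysize constraint that was violated`. The enclosing method starts outside this hunk.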
--- a/test/sun/security/x509/AlgorithmId/AlgorithmIdEqualsHashCode.java	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/security/x509/AlgorithmId/AlgorithmIdEqualsHashCode.java	Mon Apr 26 14:01:43 2021 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,12 +24,16 @@
 /*
  * @test
  * @author Gary Ellison
- * @bug 4170635
+ * @bug 4170635 8258247
  * @summary Verify equals()/hashCode() contract honored
  */
 
 import java.io.*;
+import java.security.AlgorithmParameters;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
 
+import sun.security.util.DerValue;
 import sun.security.x509.*;
 
 public class AlgorithmIdEqualsHashCode {
@@ -40,7 +44,6 @@
         AlgorithmId ai2 = AlgorithmId.get("DH");
         AlgorithmId ai3 = AlgorithmId.get("DH");
 
-
         // supposedly transitivity is broken
         // System.out.println(ai1.equals(ai2));
         // System.out.println(ai2.equals(ai3));
@@ -56,5 +59,42 @@
         else
             throw new Exception("Failed equals()/hashCode() contract");
 
+        // check that AlgorithmIds with same name but different params
+        // are not equal
+        AlgorithmParameters algParams1 =
+            AlgorithmParameters.getInstance("RSASSA-PSS");
+        AlgorithmParameters algParams2 =
+            AlgorithmParameters.getInstance("RSASSA-PSS");
+        algParams1.init(new PSSParameterSpec("SHA-1", "MGF1",
+            MGF1ParameterSpec.SHA1, 20, PSSParameterSpec.TRAILER_FIELD_BC));
+        algParams2.init(new PSSParameterSpec("SHA-256", "MGF1",
+            MGF1ParameterSpec.SHA1, 20, PSSParameterSpec.TRAILER_FIELD_BC));
+        ai1 = new AlgorithmId(AlgorithmId.RSASSA_PSS_oid, algParams1);
+        ai2 = new AlgorithmId(AlgorithmId.RSASSA_PSS_oid, algParams2);
+        if (ai1.equals(ai2)) {
+            throw new Exception("Failed equals() contract");
+        } else {
+            System.out.println("PASSED equals() test");
+        }
+
+        // check that two AlgorithmIds created with the same parameters but
+        // one with DER encoded parameters and the other with
+        // AlgorithmParameters are equal
+        byte[] encoded = ai1.encode();
+        ai3 = AlgorithmId.parse(new DerValue(encoded));
+        if (!ai1.equals(ai3)) {
+            throw new Exception("Failed equals() contract");
+        } else {
+            System.out.println("PASSED equals() test");
+        }
+
+        // check that two AlgorithmIds created with different parameters but
+        // one with DER encoded parameters and the other with
+        // AlgorithmParameters are not equal
+        if (ai2.equals(ai3)) {
+            throw new Exception("Failed equals() contract");
+        } else {
+            System.out.println("PASSED equals() test");
+        }
     }
 }
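Review bot: The DER round-trip check `if (!ai1.equals(ai3))` establishes that the parsed and the in-memory RSASSA-PSS AlgorithmId are equal but never compares their hash codes, although the test's summary and the failure message of the existing check above are about the equals()/hashCode() contract. Two objects that are equal through different parameter representations are where a hash mismatch is most likely to hide, so I would make it `if (!ai1.equals(ai3) || ai1.hashCode() != ai3.hashCode())`. The three new checks also throw the same `"Failed equals() contract"` text and print the same pass line, so a failure does not identify which case broke; a distinct message per case would help. main() starts outside this hunk.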
--- a/test/sun/util/calendar/zi/tzdata/VERSION	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/VERSION	Mon Apr 26 14:01:43 2021 +0100
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2020d
+tzdata2021a
--- a/test/sun/util/calendar/zi/tzdata/africa	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/africa	Mon Apr 26 14:01:43 2021 +0100
@@ -409,36 +409,87 @@
 
 # Ghana
 
-# From Paul Eggert (2018-01-30):
-# Whitman says DST was observed from 1931 to "the present";
-# Shanks & Pottenger say 1936 to 1942 with 20 minutes of DST,
-# with transitions on 09-01 and 12-31 at 00:00.
-# Page 33 of Parish GCB, Colonial Reports - Annual. No. 1066. Gold
-# Coast. Report for 1919. (March 1921), OCLC 784024077
-# http://libsysdigi.library.illinois.edu/ilharvest/africana/books2011-05/5530214/5530214_1919/5530214_1919_opt.pdf
-# lists the Determination of the Time Ordinance, 1919, No. 18,
-# "to advance the time observed locally by the space of twenty minutes
-# during the last four months of each year; the object in view being
-# to extend during those months the period of daylight-time available
-# for evening recreation after office hours."
-# Vanessa Ogle, The Global Transformation of Time, 1870-1950 (2015), p 33,
-# writes "In 1919, the Gold Coast (Ghana as of 1957) made Greenwich
-# time its legal time and simultaneously legalized a summer time of
-# UTC - 00:20 minutes from March to October."; a footnote lists
-# the ordinance as being dated 1919-11-24.
-# The Crown Colonist, Volume 12 (1942), p 176, says "the Government
-# intend advancing Gold Coast time half an hour ahead of G.M.T.
-# The actual date of the alteration has not yet been announced."
-# These sources are incomplete and contradictory.  Possibly what is
-# now Ghana observed different DST regimes in different years.  For
-# lack of better info, use Shanks except treat the minus sign as a
-# typo, and assume DST started in 1920 not 1936.
+# From P Chan (2020-11-20):
+# Interpretation Amendment Ordinance, 1915 (No.24 of 1915) [1915-11-02]
+# Ordinances of the Gold Coast, Ashanti, Northern Territories 1915, p 69-71
+# https://books.google.com/books?id=ErA-AQAAIAAJ&pg=PA70
+# This Ordinance added "'Time' shall mean Greenwich Mean Time" to the
+# Interpretation Ordinance, 1876.
+#
+# Determination of the Time Ordinance, 1919 (No. 18 of 1919) [1919-11-24]
+# Ordinances of the Gold Coast, Ashanti, Northern Territories 1919, p 75-76
+# https://books.google.com/books?id=MbA-AQAAIAAJ&pg=PA75
+# This Ordinance removed the previous definition of time and introduced DST.
+#
+# Time Determination Ordinance (Cap. 214)
+# The Laws of the Gold Coast (including Togoland Under British Mandate)
+# Vol. II (1937), p 2328
+# https://books.google.com/books?id=Z7M-AQAAIAAJ&pg=PA2328
+# Revised edition of the 1919 Ordinance.
+#
+# Time Determination (Amendment) Ordinance, 1940 (No. 9 of 1940) [1940-04-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1940, p 22
+# https://books.google.com/books?id=1ao-AQAAIAAJ&pg=PA22
+# This Ordinance changed the forward transition from September to May.
+#
+# Defence (Time Determination Ordinance Amendment) Regulations, 1942
+# (Regulations No. 6 of 1942) [1942-01-31, commenced on 1942-02-08]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1942, p 48
+# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA48
+# These regulations advanced the [standard] time by thirty minutes.
+#
+# Defence (Time Determination Ordinance Amendment (No.2)) Regulations,
+# 1942 (Regulations No. 28 of 1942) [1942-04-25]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1942, p 87
+# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA87
+# These regulations abolished DST and changed the time to GMT+0:30.
+#
+# Defence (Revocation) (No.4) Regulations, 1945 (Regulations No. 45 of
+# 1945) [1945-10-24, commenced on 1946-01-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1945, p 256
+# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA256
+# These regulations revoked the previous two sets of Regulations.
+#
+# Time Determination (Amendment) Ordinance, 1945 (No. 18 of 1945) [1946-01-06]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1945, p 69
+# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA69
+# This Ordinance abolished DST.
+#
+# Time Determination (Amendment) Ordinance, 1950 (No. 26 of 1950) [1950-07-22]
+# Annual Volume of the Laws of the Gold Coast:
+# Containing All Legislation Enacted During Year 1950, p 35
+# https://books.google.com/books?id=e60-AQAAIAAJ&pg=PA35
+# This Ordinance restored DST but with thirty minutes offset.
+#
+# Time Determination Ordinance (Cap. 264)
+# The Laws of the Gold Coast, Vol. V (1954), p 380
+# https://books.google.com/books?id=Mqc-AQAAIAAJ&pg=PA380
+# Revised edition of the Time Determination Ordinance.
+#
+# Time Determination (Amendment) Ordinance, 1956 (No. 21 of 1956) [1956-08-29]
+# Annual Volume of the Ordinances of the Gold Coast Enacted During the
+# Year 1956, p 83
+# https://books.google.com/books?id=VLE-AQAAIAAJ&pg=PA83
+# This Ordinance abolished DST.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Ghana	1920	1942	-	Sep	 1	0:00	0:20	-
-Rule	Ghana	1920	1942	-	Dec	31	0:00	0	-
+Rule	Ghana	1919	only	-	Nov	24	0:00	0:20	+0020
+Rule	Ghana	1920	1942	-	Jan	 1	2:00	0	GMT
+Rule	Ghana	1920	1939	-	Sep	 1	2:00	0:20	+0020
+Rule	Ghana	1940	1941	-	May	 1	2:00	0:20	+0020
+Rule	Ghana	1950	1955	-	Sep	 1	2:00	0:30	+0030
+Rule	Ghana	1951	1956	-	Jan	 1	2:00	0	GMT
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Accra	-0:00:52 -	LMT	1918
-			 0:00	Ghana	GMT/+0020
+Zone	Africa/Accra	-0:00:52 -	LMT	1915 Nov  2
+			 0:00	Ghana	%s	1942 Feb  8
+			 0:30	-	+0030	1946 Jan  6
+			 0:00	Ghana	%s
 
 # Guinea
 # See Africa/Abidjan.
@@ -456,11 +507,54 @@
 			 0:00	-	GMT
 
 # Kenya
+
+# From P Chan (2020-10-24):
+#
+# The standard time of GMT+2:30 was adopted in the East Africa Protectorate....
+# [The Official Gazette, 1908-05-01, p 274]
+# https://books.google.com/books?id=e-cAC-sjPSEC&pg=PA274
+#
+# At midnight on 30 June 1928 the clocks throughout Kenya was put forward
+# half an hour by the Alteration of Time Ordinance, 1928.
+# https://gazettes.africa/archive/ke/1928/ke-government-gazette-dated-1928-05-11-no-28.pdf
+# [Ordinance No. 11 of 1928, The Offical Gazette, 1928-06-26, p 813]
+# https://books.google.com/books?id=2S0S6os32ZUC&pg=PA813
+#
+# The 1928 ordinance was repealed by the Alteration of Time (repeal) Ordinance,
+# 1929 and the time was restored to GMT+2:30 at midnight on 4 January 1930.
+# [Ordinance No. 97 of 1929, The Official Gazette, 1929-12-31, p 2701]
+# https://books.google.com/books?id=_g18jIZQlwwC&pg=PA2701
+#
+# The Alteration of Time Ordinance, 1936 changed the time to GMT+2:45
+# and repealed the previous ordinance at midnight on 31 December 1936.
+# [The Official Gazette, 1936-07-21, p 705]
+# https://books.google.com/books?id=K7j41z0aC5wC&pg=PA705
+#
+# The Defence (Amendment of Laws No. 120) Regulations changed the time
+# to GMT+3 at midnight on 31 July 1942.
+# [Kenya Official Gazette Supplement No. 32, 1942-07-21, p 331]
+# https://books.google.com/books?hl=zh-TW&id=c_E-AQAAIAAJ&pg=PA331
+# The provision of the 1936 ordinance was not repealed and was later
+# incorporated in the Interpretation and General Clauses Ordinance in 1948.
+# Although it was overridden by the 1942 regulations.
+# [The Laws of Kenya in force on 1948-09-21, Title I, Chapter 1, 31]
+# https://dds.crl.edu/item/217517 (p.101)
+# In 1950 the Interpretation and General Clauses Ordinance was amended to adopt
+# GMT+3 permanently as the 1942 regulations were due to expire on 10 December.
+# https://books.google.com/books?id=jvR8mUDAwR0C&pg=PA787
+# [Ordinance No. 44 of 1950, Kenya Ordinances 1950, Vol. XXIX, p 294]
+# https://books.google.com/books?id=-_dQAQAAMAAJ&pg=PA294
+
+# From Paul Eggert (2020-10-24):
+# The 1908-05-01 announcement does not give an effective date,
+# so just say "1908 May".
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Nairobi	2:27:16	-	LMT	1928 Jul
-			3:00	-	EAT	1930
-			2:30	-	+0230	1940
-			2:45	-	+0245	1960
+Zone	Africa/Nairobi	2:27:16	-	LMT	1908 May
+			2:30	-	+0230	1928 Jun 30 24:00
+			3:00	-	EAT	1930 Jan  4 24:00
+			2:30	-	+0230	1936 Dec 31 24:00
+			2:45	-	+0245	1942 Jul 31 24:00
 			3:00	-	EAT
 Link Africa/Nairobi Africa/Addis_Ababa	 # Ethiopia
 Link Africa/Nairobi Africa/Asmara	 # Eritrea
@@ -1247,8 +1341,69 @@
 # See Africa/Lagos.
 
 # Nigeria
+
+# From P Chan (2020-12-03):
+# GMT was adopted as the standard time of Lagos on 1905-07-01.
+# Lagos Weekly Record, 1905-06-24, p 3
+# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235
+# says "It is officially notified that on and after the 1st of July 1905
+# Greenwich Mean Solar Time will be adopted thought the Colony and
+# Protectorate, and that it will be necessary to put all clocks 13 minutes and
+# 35 seconds back, recording local mean time."
+#
+# It seemed that Lagos returned to LMT on 1908-07-01.
+# [The Lagos Standard], 1908-07-01, p 5
+# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523
+# says "Scarcely have the people become accustomed to this new time, when
+# another official notice has now appeared announcing that from and after the
+# 1st July next, return will be made to local mean time."
+#
+# From P Chan (2020-11-27):
+# On 1914-01-01, standard time of GMT+0:30 was adopted for the unified Nigeria.
+# Colonial Reports - Annual. No. 878. Nigeria. Report for 1914. (April 1916),
+# p 27
+# https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27
+# "On January 1st [1914], a universal standard time for Nigeria was adopted,
+# viz., half an hour fast on Greenwich mean time, corresponding to the meridian
+# 7 [degrees] 30' E. long."
+# Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos
+# was the local mean time. On 1st January, 1914, standard time for the whole of
+# Nigeria was introduced ... Lagos time has been advanced about 16 minutes
+# accordingly."
+#
+# In 1919, standard time was changed to GMT+1.
+# Interpretation Ordinance (Cap 2)
+# The Laws of Nigeria, Containing the Ordinances of Nigeria, in Force on the
+# 1st Day of January, 1923, Vol.I [p 16]
+# https://books.google.com/books?id=BOMrAQAAMAAJ&pg=PA16
+# "The expression 'Standard time' means standard time as used in Nigeria:
+# namely, 60 minutes in advance of Greenwich mean time.  (As amended by 18 of
+# 1919, s. 2.)"
+# From Tim Parenti (2020-12-10):
+# The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first
+# reading of this Bill by the Legislative Council of the Colony of Nigeria on
+# Thursday 1919-08-28:
+# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915
+# "The proposal is that the Globe should be divided into twelve zones East and
+# West of Greenwich, of one hour each, Nigeria falling into the zone with a
+# standard of one hour fast on Greenwich Mean Time.  Nigeria standard time is
+# now 30 minutes in advance of Greenwich Mean Time ... according to the new
+# proposal, standard time will be advanced another 30 minutes".  It was further
+# proposed that the firing of the time guns likewise be adjusted by 30 minutes
+# to compensate.
+# From Tim Parenti (2020-12-10), per P Chan (2020-12-11):
+# The text of Ordinance 18 of 1919, published in Nigeria Gazette, Vol 6, No 52,
+# shows that the change was assented to the following day and took effect "on
+# the 1st day of September, 1919."
+# Nigeria Gazette and Supplements 1919 Jan-Dec, Reference: 73266B-40,
+# img 245-246
+# https://microform.digital/boa/collections/77/volumes/539/nigeria-lagos-1887-1919
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Lagos	0:13:36 -	LMT	1919 Sep
+Zone	Africa/Lagos	0:13:35 -	LMT	1905 Jul  1
+			0:00	-	GMT	1908 Jul  1
+			0:13:35	-	LMT	1914 Jan  1
+			0:30	-	+0030	1919 Sep  1
 			1:00	-	WAT
 Link Africa/Lagos Africa/Bangui	     # Central African Republic
 Link Africa/Lagos Africa/Brazzaville # Rep. of the Congo
@@ -1321,8 +1476,21 @@
 # See Africa/Abidjan.
 
 # Seychelles
+
+# From P Chan (2020-11-27):
+# Standard Time was adopted on 1907-01-01.
+#
+# Standard Time Ordinance (Chapter 237)
+# The Laws of Seychelles in Force on the 31st December, 1971, Vol. 6, p 571
+# https://books.google.com/books?id=efE-AQAAIAAJ&pg=PA571
+#
+# From Tim Parenti (2020-12-05):
+# A footnote on https://books.google.com/books?id=DYdDAQAAMAAJ&pg=PA1689
+# confirms that Ordinance No. 9 of 1906 "was brought into force on the 1st
+# January, 1907."
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	Indian/Mahe	3:41:48 -	LMT	1906 Jun # Victoria
+Zone	Indian/Mahe	3:41:48 -	LMT	1907 Jan  1 # Victoria
 			4:00	-	+04
 # From Paul Eggert (2001-05-30):
 # Aldabra, Farquhar, and Desroches, originally dependencies of the
@@ -1382,11 +1550,17 @@
 			3:00	-	EAT	2017 Nov  1
 			2:00	-	CAT
 
+# From Steffen Thorsen (2021-01-18):
+# "South Sudan will change its time zone by setting the clock back 1
+# hour on February 1, 2021...."
+# from https://eyeradio.org/south-sudan-adopts-new-time-zone-makuei/
+
 # South Sudan
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Juba	2:06:28 -	LMT	1931
 			2:00	Sudan	CA%sT	2000 Jan 15 12:00
-			3:00	-	EAT
+			3:00	-	EAT	2021 Feb  1 00:00
+			2:00	-	CAT
 
 # Tanzania
 # See Africa/Nairobi.
--- a/test/sun/util/calendar/zi/tzdata/asia	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/asia	Mon Apr 26 14:01:43 2021 +0100
@@ -1746,40 +1746,180 @@
 # high on my favorite-country list (and not only because my wife's
 # family is from India).
 
-# From Shanks & Pottenger:
+# From P Chan (2020-10-27), with corrections:
+#
+# 1940-1946 Supplement No. 2 to the Palestine Gazette
+# # issue page  Order No.   dated      start        end         note
+# 1 1010  729  67 of 1940 1940-05-22 1940-05-31* 1940-09-30* revoked by #2
+# 2 1013  758  73 of 1940 1940-05-31 1940-05-31  1940-09-30
+# 3 1055 1574 196 of 1940 1940-11-06 1940-11-16  1940-12-31
+# 4 1066 1811 208 of 1940 1940-12-17 1940-12-31  1941-12-31
+# 5 1156 1967 116 of 1941 1941-12-16 1941-12-31  1942-12-31* amended by #6
+# 6 1228 1608  86 of 1942 1942-10-14 1941-12-31  1942-10-31
+# 7 1256  279  21 of 1943 1943-03-18 1943-03-31  1943-10-31
+# 8 1323  249  19 of 1944 1944-03-13 1944-03-31  1944-10-31
+# 9 1402  328  20 of 1945 1945-04-05 1945-04-15  1945-10-31
+#10 1487  596  14 of 1946 1946-04-04 1946-04-15  1946-10-31
+#
+# 1948 Iton Rishmi (Official Gazette of the Provisional Government)
+# #    issue    page   dated      start       end
+#11 2             7 1948-05-20 1948-05-22 1948-10-31*
+#	^This moved timezone to +04, replaced by #12 from 1948-08-31 24:00 GMT.
+#12 17 (Annex B) 84 1948-08-22 1948-08-31 1948-10-31
+#
+# 1949-2000 Kovetz HaTakanot (Collection of Regulations)
+# # issue page  dated      start       end            note
+#13    6  133 1949-03-23 1949-04-30  1949-10-31
+#14   80  755 1950-03-17 1950-04-15  1950-09-14
+#15  164  782 1951-03-22 1951-03-31  1951-09-29* amended by #16
+#16  206 1940 1951-09-23 ----------  1951-10-22* amended by #17
+#17  212   78 1951-10-19 ----------  1951-11-10
+#18  254  652 1952-03-03 1952-04-19  1952-09-27* amended by #19
+#19  300   11 1952-09-15 ----------  1952-10-18
+#20  348  817 1953-03-03 1953-04-11  1953-09-12
+#21  420  385 1954-02-17 1954-06-12  1954-09-11
+#22  497  548 1955-01-14 1955-06-11  1955-09-10
+#23  591  608 1956-03-12 1956-06-02  1956-09-29
+#24  680  957 1957-02-08 1957-04-27  1957-09-21
+#25 3192 1418 1974-06-28 1974-07-06  1974-10-12
+#26 3322 1389 1975-04-03 1975-04-19  1975-08-30
+#27 4146 2089 1980-07-15 1980-08-02  1980-09-13
+#28 4604 1081 1984-02-22 1984-05-05* 1984-08-25* revoked by #29
+#29 4619 1312 1984-04-06 1984-05-05  1984-08-25
+#30 4744  475 1984-12-23 1985-04-13  1985-09-14* amended by #31
+#31 4851 1848 1985-08-18 ----------  1985-08-31
+#32 4932  899 1986-04-22 1986-05-17  1986-09-06
+#33 5013  580 1987-02-15 1987-04-18* 1987-08-22* revoked by #34
+#34 5021  744 1987-03-30 1987-04-14  1987-09-12
+#35 5096  659 1988-02-14 1988-04-09  1988-09-03
+#36 5167  514 1989-02-03 1989-04-29  1989-09-02
+#37 5248  375 1990-01-23 1990-03-24  1990-08-25
+#38 5335  612 1991-02-10 1991-03-09* 1991-08-31	 amended by #39
+#			 1992-03-28  1992-09-05
+#39 5339  709 1991-03-04 1991-03-23  ----------
+#40 5506  503 1993-02-18 1993-04-02  1993-09-05
+#			 1994-04-01  1994-08-28
+#			 1995-03-31  1995-09-03
+#41 5731  438 1996-01-01 1996-03-14  1996-09-15
+#			 1997-03-13* 1997-09-18* overridden by 1997 Temp Prov
+#			 1998-03-19* 1998-09-17* revoked by #42
+#42 5853 1243 1997-09-18 1998-03-19  1998-09-05
+#43 5937   77 1998-10-18 1999-04-02  1999-09-03
+#			 2000-04-14* 2000-09-15* revoked by #44
+#			 2001-04-13* 2001-09-14* revoked by #44
+#44 6024   39 2000-03-14 2000-04-14  2000-10-22* overridden by 2000 Temp Prov
+#			 2001-04-06* 2001-10-10* overridden by 2000 Temp Prov
+#			 2002-03-29* 2002-10-29* overridden by 2000 Temp Prov
+#
+# These are laws enacted by the Knesset since the Minister could only alter the
+# transition dates at least six months in advanced under the 1992 Law.
+#				dated		start		end
+# 1997 Temporary Provisions	1997-03-06	1997-03-20	1997-09-13
+# 2000 Temporary Provisions	2000-07-28	----------	2000-10-06
+#						2001-04-09	2001-09-24
+#						2002-03-29	2002-10-07
+#						2003-03-28	2003-10-03
+#						2004-04-07	2004-09-22
+# Note:
+# Transition times in 1940-1957 (#1-#24) were midnight GMT,
+# in 1974-1998 (#25-#42 and the 1997 Temporary Provisions) were midnight,
+# in 1999-April 2000 (#43,#44) were 02:00,
+# in the 2000 Temporary Provisions were 01:00.
+#
+# -----------------------------------------------------------------------------
+# Links:
+# 1 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=687
+# 2 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=716
+# 3 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=721
+# 4 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=958
+# 5 https://findit.library.yale.edu/images_layout/view?parentoid=15537502&increment=558
+# 6 https://findit.library.yale.edu/images_layout/view?parentoid=15537511&increment=105
+# 7 https://findit.library.yale.edu/images_layout/view?parentoid=15537516&increment=278
+# 8 https://findit.library.yale.edu/images_layout/view?parentoid=15537522&increment=248
+# 9 https://findit.library.yale.edu/images_layout/view?parentoid=15537530&increment=329
+#10 https://findit.library.yale.edu/images_layout/view?parentoid=15537537&increment=601
+#11 https://www.nevo.co.il/law_word/law12/er-002.pdf#page=3
+#12 https://www.nevo.co.il/law_word/law12/er-017-t2.pdf#page=4
+#13 https://www.nevo.co.il/law_word/law06/tak-0006.pdf#page=3
+#14 https://www.nevo.co.il/law_word/law06/tak-0080.pdf#page=7
+#15 https://www.nevo.co.il/law_word/law06/tak-0164.pdf#page=10
+#16 https://www.nevo.co.il/law_word/law06/tak-0206.pdf#page=4
+#17 https://www.nevo.co.il/law_word/law06/tak-0212.pdf#page=2
+#18 https://www.nevo.co.il/law_word/law06/tak-0254.pdf#page=4
+#19 https://www.nevo.co.il/law_word/law06/tak-0300.pdf#page=5
+#20 https://www.nevo.co.il/law_word/law06/tak-0348.pdf#page=3
+#21 https://www.nevo.co.il/law_word/law06/tak-0420.pdf#page=5
+#22 https://www.nevo.co.il/law_word/law06/tak-0497.pdf#page=10
+#23 https://www.nevo.co.il/law_word/law06/tak-0591.pdf#page=6
+#24 https://www.nevo.co.il/law_word/law06/tak-0680.pdf#page=3
+#25 https://www.nevo.co.il/law_word/law06/tak-3192.pdf#page=2
+#26 https://www.nevo.co.il/law_word/law06/tak-3322.pdf#page=5
+#27 https://www.nevo.co.il/law_word/law06/tak-4146.pdf#page=2
+#28 https://www.nevo.co.il/law_word/law06/tak-4604.pdf#page=7
+#29 https://www.nevo.co.il/law_word/law06/tak-4619.pdf#page=2
+#30 https://www.nevo.co.il/law_word/law06/tak-4744.pdf#page=11
+#31 https://www.nevo.co.il/law_word/law06/tak-4851.pdf#page=2
+#32 https://www.nevo.co.il/law_word/law06/tak-4932.pdf#page=19
+#33 https://www.nevo.co.il/law_word/law06/tak-5013.pdf#page=8
+#34 https://www.nevo.co.il/law_word/law06/tak-5021.pdf#page=8
+#35 https://www.nevo.co.il/law_word/law06/tak-5096.pdf#page=3
+#36 https://www.nevo.co.il/law_word/law06/tak-5167.pdf#page=2
+#37 https://www.nevo.co.il/law_word/law06/tak-5248.pdf#page=7
+#38 https://www.nevo.co.il/law_word/law06/tak-5335.pdf#page=6
+#39 https://www.nevo.co.il/law_word/law06/tak-5339.pdf#page=7
+#40 https://www.nevo.co.il/law_word/law06/tak-5506.pdf#page=19
+#41 https://www.nevo.co.il/law_word/law06/tak-5731.pdf#page=2
+#42 https://www.nevo.co.il/law_word/law06/tak-5853.pdf#page=3
+#43 https://www.nevo.co.il/law_word/law06/tak-5937.pdf#page=9
+#44 https://www.nevo.co.il/law_word/law06/tak-6024.pdf#page=4
+#
+# Time Determination (Temporary Provisions) Law, 1997
+# https://www.nevo.co.il/law_html/law19/p201_003.htm
+#
+# Time Determination (Temporary Provisions) Law, 2000
+# https://www.nevo.co.il/law_html/law19/p201_004.htm
+#
+# Time Determination Law, 1992 and amendments
+# https://www.nevo.co.il/law_html/law01/p201_002.htm
+# https://main.knesset.gov.il/Activity/Legislation/Laws/Pages/LawPrimary.aspx?lawitemid=2001174
+
+# From Paul Eggert (2020-10-27):
+# Several of the midnight transitions mentioned above are ambiguous;
+# are they 00:00, 00:00s, 24:00, or 24:00s?  When resolving these ambiguities,
+# try to minimize changes from previous tzdb versions, for lack of better info.
+# Commentary from previous versions is included below, to help explain this.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1940	only	-	Jun	 1	0:00	1:00	D
-Rule	Zion	1942	1944	-	Nov	 1	0:00	0	S
-Rule	Zion	1943	only	-	Apr	 1	2:00	1:00	D
-Rule	Zion	1944	only	-	Apr	 1	0:00	1:00	D
-Rule	Zion	1945	only	-	Apr	16	0:00	1:00	D
-Rule	Zion	1945	only	-	Nov	 1	2:00	0	S
-Rule	Zion	1946	only	-	Apr	16	2:00	1:00	D
-Rule	Zion	1946	only	-	Nov	 1	0:00	0	S
-Rule	Zion	1948	only	-	May	23	0:00	2:00	DD
-Rule	Zion	1948	only	-	Sep	 1	0:00	1:00	D
-Rule	Zion	1948	1949	-	Nov	 1	2:00	0	S
-Rule	Zion	1949	only	-	May	 1	0:00	1:00	D
-Rule	Zion	1950	only	-	Apr	16	0:00	1:00	D
-Rule	Zion	1950	only	-	Sep	15	3:00	0	S
-Rule	Zion	1951	only	-	Apr	 1	0:00	1:00	D
-Rule	Zion	1951	only	-	Nov	11	3:00	0	S
-Rule	Zion	1952	only	-	Apr	20	2:00	1:00	D
-Rule	Zion	1952	only	-	Oct	19	3:00	0	S
-Rule	Zion	1953	only	-	Apr	12	2:00	1:00	D
-Rule	Zion	1953	only	-	Sep	13	3:00	0	S
-Rule	Zion	1954	only	-	Jun	13	0:00	1:00	D
-Rule	Zion	1954	only	-	Sep	12	0:00	0	S
-Rule	Zion	1955	only	-	Jun	11	2:00	1:00	D
-Rule	Zion	1955	only	-	Sep	11	0:00	0	S
-Rule	Zion	1956	only	-	Jun	 3	0:00	1:00	D
-Rule	Zion	1956	only	-	Sep	30	3:00	0	S
-Rule	Zion	1957	only	-	Apr	29	2:00	1:00	D
-Rule	Zion	1957	only	-	Sep	22	0:00	0	S
-Rule	Zion	1974	only	-	Jul	 7	0:00	1:00	D
-Rule	Zion	1974	only	-	Oct	13	0:00	0	S
-Rule	Zion	1975	only	-	Apr	20	0:00	1:00	D
-Rule	Zion	1975	only	-	Aug	31	0:00	0	S
+Rule	Zion	1940	only	-	May	31	24:00u	1:00	D
+Rule	Zion	1940	only	-	Sep	30	24:00u	0	S
+Rule	Zion	1940	only	-	Nov	16	24:00u	1:00	D
+Rule	Zion	1942	1946	-	Oct	31	24:00u	0	S
+Rule	Zion	1943	1944	-	Mar	31	24:00u	1:00	D
+Rule	Zion	1945	1946	-	Apr	15	24:00u	1:00	D
+Rule	Zion	1948	only	-	May	22	24:00u	2:00	DD
+Rule	Zion	1948	only	-	Aug	31	24:00u	1:00	D
+Rule	Zion	1948	1949	-	Oct	31	24:00u	0	S
+Rule	Zion	1949	only	-	Apr	30	24:00u	1:00	D
+Rule	Zion	1950	only	-	Apr	15	24:00u	1:00	D
+Rule	Zion	1950	only	-	Sep	14	24:00u	0	S
+Rule	Zion	1951	only	-	Mar	31	24:00u	1:00	D
+Rule	Zion	1951	only	-	Nov	10	24:00u	0	S
+Rule	Zion	1952	only	-	Apr	19	24:00u	1:00	D
+Rule	Zion	1952	only	-	Oct	18	24:00u	0	S
+Rule	Zion	1953	only	-	Apr	11	24:00u	1:00	D
+Rule	Zion	1953	only	-	Sep	12	24:00u	0	S
+Rule	Zion	1954	only	-	Jun	12	24:00u	1:00	D
+Rule	Zion	1954	only	-	Sep	11	24:00u	0	S
+Rule	Zion	1955	only	-	Jun	11	24:00u	1:00	D
+Rule	Zion	1955	only	-	Sep	10	24:00u	0	S
+Rule	Zion	1956	only	-	Jun	 2	24:00u	1:00	D
+Rule	Zion	1956	only	-	Sep	29	24:00u	0	S
+Rule	Zion	1957	only	-	Apr	27	24:00u	1:00	D
+Rule	Zion	1957	only	-	Sep	21	24:00u	0	S
+Rule	Zion	1974	only	-	Jul	 6	24:00	1:00	D
+Rule	Zion	1974	only	-	Oct	12	24:00	0	S
+Rule	Zion	1975	only	-	Apr	19	24:00	1:00	D
+Rule	Zion	1975	only	-	Aug	30	24:00	0	S
 
 # From Alois Treindl (2019-03-06):
 # http://www.moin.gov.il/Documents/שעון%20קיץ/clock-50-years-7-2014.pdf
@@ -1792,25 +1932,24 @@
 # From Paul Eggert (2019-03-06):
 # Also see this thread about the moin.gov.il URL:
 # https://mm.icann.org/pipermail/tz/2018-November/027194.html
-Rule	Zion	1980	only	-	Aug	 2	0:00	1:00	D
-Rule	Zion	1980	only	-	Sep	13	1:00	0	S
-Rule	Zion	1984	only	-	May	 5	0:00	1:00	D
-Rule	Zion	1984	only	-	Aug	25	1:00	0	S
-
-# From Shanks & Pottenger:
-Rule	Zion	1985	only	-	Apr	14	0:00	1:00	D
-Rule	Zion	1985	only	-	Sep	15	0:00	0	S
-Rule	Zion	1986	only	-	May	18	0:00	1:00	D
-Rule	Zion	1986	only	-	Sep	 7	0:00	0	S
-Rule	Zion	1987	only	-	Apr	15	0:00	1:00	D
-Rule	Zion	1987	only	-	Sep	13	0:00	0	S
+Rule	Zion	1980	only	-	Aug	 2	24:00s	1:00	D
+Rule	Zion	1980	only	-	Sep	13	24:00s	0	S
+Rule	Zion	1984	only	-	May	 5	24:00s	1:00	D
+Rule	Zion	1984	only	-	Aug	25	24:00s	0	S
+
+Rule	Zion	1985	only	-	Apr	13	24:00	1:00	D
+Rule	Zion	1985	only	-	Aug	31	24:00	0	S
+Rule	Zion	1986	only	-	May	17	24:00	1:00	D
+Rule	Zion	1986	only	-	Sep	 6	24:00	0	S
+Rule	Zion	1987	only	-	Apr	14	24:00	1:00	D
+Rule	Zion	1987	only	-	Sep	12	24:00	0	S
 
 # From Avigdor Finkelstein (2014-03-05):
 # I check the Parliament (Knesset) records and there it's stated that the
 # [1988] transition should take place on Saturday night, when the Sabbath
 # ends and changes to Sunday.
-Rule	Zion	1988	only	-	Apr	10	0:00	1:00	D
-Rule	Zion	1988	only	-	Sep	 4	0:00	0	S
+Rule	Zion	1988	only	-	Apr	 9	24:00	1:00	D
+Rule	Zion	1988	only	-	Sep	 3	24:00	0	S
 
 # From Ephraim Silverberg
 # (1997-03-04, 1998-03-16, 1998-12-28, 2000-01-17, 2000-07-25, 2004-12-22,
@@ -1840,14 +1979,14 @@
 # (the eve of the 7th of Tishrei in the lunar Hebrew calendar).
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1989	only	-	Apr	30	0:00	1:00	D
-Rule	Zion	1989	only	-	Sep	 3	0:00	0	S
-Rule	Zion	1990	only	-	Mar	25	0:00	1:00	D
-Rule	Zion	1990	only	-	Aug	26	0:00	0	S
-Rule	Zion	1991	only	-	Mar	24	0:00	1:00	D
-Rule	Zion	1991	only	-	Sep	 1	0:00	0	S
-Rule	Zion	1992	only	-	Mar	29	0:00	1:00	D
-Rule	Zion	1992	only	-	Sep	 6	0:00	0	S
+Rule	Zion	1989	only	-	Apr	29	24:00	1:00	D
+Rule	Zion	1989	only	-	Sep	 2	24:00	0	S
+Rule	Zion	1990	only	-	Mar	24	24:00	1:00	D
+Rule	Zion	1990	only	-	Aug	25	24:00	0	S
+Rule	Zion	1991	only	-	Mar	23	24:00	1:00	D
+Rule	Zion	1991	only	-	Aug	31	24:00	0	S
+Rule	Zion	1992	only	-	Mar	28	24:00	1:00	D
+Rule	Zion	1992	only	-	Sep	 5	24:00	0	S
 Rule	Zion	1993	only	-	Apr	 2	0:00	1:00	D
 Rule	Zion	1993	only	-	Sep	 5	0:00	0	S
 
@@ -1876,10 +2015,10 @@
 #       where YYYY is the relevant year.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Zion	1996	only	-	Mar	15	0:00	1:00	D
-Rule	Zion	1996	only	-	Sep	16	0:00	0	S
-Rule	Zion	1997	only	-	Mar	21	0:00	1:00	D
-Rule	Zion	1997	only	-	Sep	14	0:00	0	S
+Rule	Zion	1996	only	-	Mar	14	24:00	1:00	D
+Rule	Zion	1996	only	-	Sep	15	24:00	0	S
+Rule	Zion	1997	only	-	Mar	20	24:00	1:00	D
+Rule	Zion	1997	only	-	Sep	13	24:00	0	S
 Rule	Zion	1998	only	-	Mar	20	0:00	1:00	D
 Rule	Zion	1998	only	-	Sep	 6	0:00	0	S
 Rule	Zion	1999	only	-	Apr	 2	2:00	1:00	D
@@ -1931,14 +2070,15 @@
 Rule	Zion	2011	only	-	Oct	 2	2:00	0	S
 Rule	Zion	2012	only	-	Sep	23	2:00	0	S
 
-# From Ephraim Silverberg (2013-06-27):
-# On June 23, 2013, the Israeli government approved changes to the
-# Time Decree Law.  The next day, the changes passed the First Reading
-# in the Knesset.  The law is expected to pass the Second and Third
-# (final) Readings by the beginning of September 2013.
-#
-# As of 2013, DST starts at 02:00 on the Friday before the last Sunday
-# in March.  DST ends at 02:00 on the last Sunday of October.
+# From Ephraim Silverberg (2020-10-26):
+# The current time law (2013) from the State of Israel can be viewed
+# (in Hebrew) at:
+# ftp://ftp.cs.huji.ac.il/pub/tz/israel/announcements/2013+law.pdf
+# It translates to:
+# Every year, in the period from the Friday before the last Sunday in
+# the month of March at 02:00 a.m. until the last Sunday of the month
+# of October at 02:00 a.m., Israel Time will be advanced an additional
+# hour such that it will be UTC+3.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
 Rule	Zion	2013	max	-	Mar	Fri>=23	2:00	1:00	D
--- a/test/sun/util/calendar/zi/tzdata/australasia	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/australasia	Mon Apr 26 14:01:43 2021 +0100
@@ -37,16 +37,13 @@
 # Please see the notes below for the controversy about "EST" versus "AEST" etc.
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Aus	1917	only	-	Jan	 1	0:01	1:00	D
-Rule	Aus	1917	only	-	Mar	25	2:00	0	S
-Rule	Aus	1942	only	-	Jan	 1	2:00	1:00	D
-Rule	Aus	1942	only	-	Mar	29	2:00	0	S
-Rule	Aus	1942	only	-	Sep	27	2:00	1:00	D
-Rule	Aus	1943	1944	-	Mar	lastSun	2:00	0	S
-Rule	Aus	1943	only	-	Oct	 3	2:00	1:00	D
-# Go with Whitman and the Australian National Standards Commission, which
-# says W Australia didn't use DST in 1943/1944.  Ignore Whitman's claim that
-# 1944/1945 was just like 1943/1944.
+Rule	Aus	1917	only	-	Jan	 1	2:00s	1:00	D
+Rule	Aus	1917	only	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1942	only	-	Jan	 1	2:00s	1:00	D
+Rule	Aus	1942	only	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1942	only	-	Sep	27	2:00s	1:00	D
+Rule	Aus	1943	1944	-	Mar	lastSun	2:00s	0	S
+Rule	Aus	1943	only	-	Oct	 3	2:00s	1:00	D
 
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 # Northern Territory
@@ -138,8 +135,12 @@
 # says King Island didn't observe DST from WWII until late 1971.
 #
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	AT	1916	only	-	Oct	Sun>=1	2:00s	1:00	D
+Rule	AT	1917	only	-	Mar	lastSun	2:00s	0	S
+Rule	AT	1917	1918	-	Oct	Sun>=22	2:00s	1:00	D
+Rule	AT	1918	1919	-	Mar	Sun>=1	2:00s	0	S
 Rule	AT	1967	only	-	Oct	Sun>=1	2:00s	1:00	D
-Rule	AT	1968	only	-	Mar	lastSun	2:00s	0	S
+Rule	AT	1968	only	-	Mar	Sun>=29	2:00s	0	S
 Rule	AT	1968	1985	-	Oct	lastSun	2:00s	1:00	D
 Rule	AT	1969	1971	-	Mar	Sun>=8	2:00s	0	S
 Rule	AT	1972	only	-	Feb	lastSun	2:00s	0	S
@@ -159,15 +160,9 @@
 Rule	AT	2008	max	-	Apr	Sun>=1	2:00s	0	S
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone Australia/Hobart	9:49:16	-	LMT	1895 Sep
-			10:00	-	AEST	1916 Oct  1  2:00
-			10:00	1:00	AEDT	1917 Feb
+			10:00	AT	AE%sT	1919 Oct 24
 			10:00	Aus	AE%sT	1967
 			10:00	AT	AE%sT
-Zone Australia/Currie	9:35:28	-	LMT	1895 Sep
-			10:00	-	AEST	1916 Oct  1  2:00
-			10:00	1:00	AEDT	1917 Feb
-			10:00	Aus	AE%sT	1971 Jul
-			10:00	AT	AE%sT
 
 # Victoria
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
@@ -896,13 +891,36 @@
 
 
 # Vanuatu
+
+# From P Chan (2020-11-27):
+# Joint Daylight Saving Regulation No 59 of 1973
+# New Hebrides Condominium Gazette No 336. December 1973
+# http://www.paclii.org/vu/other/VUNHGovGaz//1973/11.pdf#page=15
+#
+# Joint Daylight Saving (Repeal) Regulation No 10 of 1974
+# New Hebrides Condominium Gazette No 336. March 1974
+# http://www.paclii.org/vu/other/VUNHGovGaz//1974/3.pdf#page=11
+#
+# Summer Time Act No. 35 of 1982 [commenced 1983-09-01]
+# http://www.paclii.org/vu/other/VUGovGaz/1982/32.pdf#page=48
+#
+# Summer Time Act (Cap 157)
+# Laws of the Republic of Vanuatu Revised Edition 1988
+# http://www.paclii.org/cgi-bin/sinodisp/vu/legis/consol_act1988/sta147/sta147.html
+#
+# Summer Time (Amendment) Act No. 6 of 1991 [commenced 1991-11-11]
+# http://www.paclii.org/vu/legis/num_act/sta1991227/
+#
+# Summer Time (Repeal) Act No. 4 of 1993 [commenced 1993-05-03]
+# http://www.paclii.org/vu/other/VUGovGaz/1993/15.pdf#page=59
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Vanuatu	1983	only	-	Sep	25	0:00	1:00	-
-Rule	Vanuatu	1984	1991	-	Mar	Sun>=23	0:00	0	-
-Rule	Vanuatu	1984	only	-	Oct	23	0:00	1:00	-
-Rule	Vanuatu	1985	1991	-	Sep	Sun>=23	0:00	1:00	-
-Rule	Vanuatu	1992	1993	-	Jan	Sun>=23	0:00	0	-
-Rule	Vanuatu	1992	only	-	Oct	Sun>=23	0:00	1:00	-
+Rule	Vanuatu	1973	only	-	Dec	22	12:00u	1:00	-
+Rule	Vanuatu	1974	only	-	Mar	30	12:00u	0	-
+Rule	Vanuatu	1983	1991	-	Sep	Sat>=22	24:00	1:00	-
+Rule	Vanuatu	1984	1991	-	Mar	Sat>=22	24:00	0	-
+Rule	Vanuatu	1992	1993	-	Jan	Sat>=22	24:00	0	-
+Rule	Vanuatu	1992	only	-	Oct	Sat>=22	24:00	1:00	-
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Efate	11:13:16 -	LMT	1912 Jan 13 # Vila
 			11:00	Vanuatu	+11/+12
@@ -981,6 +999,25 @@
 # Electronic Journal of Australian and New Zealand History (1997-03-03)
 # http://www.jcu.edu.au/aff/history/reviews/davison.htm
 
+# From P Chan (2020-11-20):
+# Daylight Saving Act 1916 (No. 40 of 1916) [1916-12-21, commenced 1917-01-01]
+# http://classic.austlii.edu.au/au/legis/cth/num_act/dsa1916401916192/
+#
+# Daylight Saving Repeal Act 1917 (No. 35 of 1917) [1917-09-25]
+# http://classic.austlii.edu.au/au/legis/cth/num_act/dsra1917351917243/
+#
+# Statutory Rules 1941, No. 323 [1941-12-24]
+# https://www.legislation.gov.au/Details/C1941L00323
+#
+# Statutory Rules 1942, No. 392 [1942-09-10]
+# https://www.legislation.gov.au/Details/C1942L00392
+#
+# Statutory Rules 1943, No. 241 [1943-09-29]
+# https://www.legislation.gov.au/Details/C1943L00241
+#
+# All transition times should be 02:00 standard time.
+
+
 # From Paul Eggert (2005-12-08):
 # Implementation Dates of Daylight Saving Time within Australia
 # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml
@@ -1373,6 +1410,27 @@
 
 # Tasmania
 
+# From P Chan (2020-11-20):
+# Tasmania observed DST in 1916-1919.
+#
+# Daylight Saving Act, 1916 (7 Geo V, No 2) [1916-09-22]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsa19167gvn2267/
+#
+# Daylight Saving Amendment Act, 1917 (8 Geo V, No 5) [1917-10-01]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsaa19178gvn5347/
+#
+# Daylight Saving Act Repeal Act, 1919 (10 Geo V, No 9) [1919-10-24]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsara191910gvn9339/
+#
+# King Island is mentioned in the 1967 Act but not the 1968 Act.
+# Therefore it possibly observed DST from 1968/69.
+#
+# Daylight Saving Act 1967 (No. 33 of 1967) [1967-09-22]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196733o1967211/
+#
+# Daylight Saving Act 1968 (No. 42 of 1968) [1968-10-15]
+# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196842o1968211/
+
 # The rules for 1967 through 1991 were reported by George Shepherd
 # via Simon Woodhead via Robert Elz (1991-03-06):
 # #  The state of TASMANIA.. [Courtesy Tasmanian Dept of Premier + Cabinet ]
--- a/test/sun/util/calendar/zi/tzdata/backward	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/backward	Mon Apr 26 14:01:43 2021 +0100
@@ -72,6 +72,7 @@
 Link	Europe/Oslo		Atlantic/Jan_Mayen
 Link	Australia/Sydney	Australia/ACT
 Link	Australia/Sydney	Australia/Canberra
+Link	Australia/Hobart	Australia/Currie
 Link	Australia/Lord_Howe	Australia/LHI
 Link	Australia/Sydney	Australia/NSW
 Link	Australia/Darwin	Australia/North
--- a/test/sun/util/calendar/zi/tzdata/etcetera	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/etcetera	Mon Apr 26 14:01:43 2021 +0100
@@ -26,12 +26,11 @@
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# These entries are mostly present for historical reasons, so that
-# people in areas not otherwise covered by the tz files could "zic -l"
-# to a timezone that was right for their area.  These days, the
-# tz files cover almost all the inhabited world, and the only practical
-# need now for the entries that are not on UTC are for ships at sea
-# that cannot use POSIX TZ settings.
+# These entries are for uses not otherwise covered by the tz database.
+# Their main practical use is for platforms like Android that lack
+# support for POSIX-style TZ strings.  On such platforms these entries
+# can be useful if the timezone database is wrong or if a ship or
+# aircraft at sea is not in a timezone.
 
 # Starting with POSIX 1003.1-2001, the entries below are all
 # unnecessary as settings for the TZ environment variable.  E.g.,
--- a/test/sun/util/calendar/zi/tzdata/europe	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/europe	Mon Apr 26 14:01:43 2021 +0100
@@ -2915,6 +2915,19 @@
 # The law has been published today on
 # http://publication.pravo.gov.ru/Document/View/0001201810110037
 
+# From Alexander Krivenyshev (2020-11-27):
+# The State Duma approved (Nov 24, 2020) the transition of the Volgograd
+# region to the Moscow time zone....
+# https://sozd.duma.gov.ru/bill/1012130-7
+#
+# From Stepan Golosunov (2020-12-05):
+# Currently proposed text for the second reading (expected on December 8) ...
+# changes the date to December 27. https://v1.ru/text/gorod/2020/12/04/69601031/
+#
+# From Stepan Golosunov (2020-12-22):
+# The law was published today on
+# http://publication.pravo.gov.ru/Document/View/0001202012220002
+
 Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
 			 3:00	-	+03	1930 Jun 21
 			 4:00	-	+04	1961 Nov 11
@@ -2924,7 +2937,8 @@
 			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
 			 4:00	-	+04	2014 Oct 26  2:00s
 			 3:00	-	+03	2018 Oct 28  2:00s
-			 4:00	-	+04
+			 4:00	-	+04	2020 Dec 27  2:00s
+			 3:00	-	+03
 
 # From Paul Eggert (2016-11-11):
 # Europe/Saratov covers:
--- a/test/sun/util/calendar/zi/tzdata/leapseconds	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/leapseconds	Mon Apr 26 14:01:43 2021 +0100
@@ -29,6 +29,10 @@
 # NIST format leap-seconds.list file, which can be copied from
 # <ftp://ftp.nist.gov/pub/time/leap-seconds.list>
 # or <ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list>.
+# The NIST file is used instead of its IERS upstream counterpart
+# <https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list>
+# because under US law the NIST file is public domain
+# whereas the IERS file's copyright and license status is unclear.
 # For more about leap-seconds.list, please see
 # The NTP Timescale and Leap Seconds
 # <https://www.eecis.udel.edu/~mills/leap.html>.
@@ -91,11 +95,11 @@
 # Any additional leap seconds will come after this.
 # This Expires line is commented out for now,
 # so that pre-2020a zic implementations do not reject this file.
-#Expires 2021	Jun	28	00:00:00
+#Expires 2021	Dec	28	00:00:00
 
 # POSIX timestamps for the data in this file:
 #updated 1467936000 (2016-07-08 00:00:00 UTC)
-#expires 1624838400 (2021-06-28 00:00:00 UTC)
+#expires 1640649600 (2021-12-28 00:00:00 UTC)
 
-#	Updated through IERS Bulletin C60
-#	File expires on:  28 June 2021
+#	Updated through IERS Bulletin C61
+#	File expires on:  28 December 2021
--- a/test/sun/util/calendar/zi/tzdata/northamerica	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/northamerica	Mon Apr 26 14:01:43 2021 +0100
@@ -2257,7 +2257,7 @@
 #     to say eight hours behind Greenwich Time.
 #
 # * O.I.C. 1980/02 INTERPRETATION ACT
-#   [no online source found]
+#   https://mm.icann.org/pipermail/tz/attachments/20201125/d5adc93b/CAYTOIC1980-02DST1980-01-04-0001.pdf
 #
 # * Yukon Daylight Saving Time, YOIC 1987/56
 #   https://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
@@ -2958,12 +2958,38 @@
 #
 # For 1899 Milne gives -5:09:29.5; round that.
 #
+# From P Chan (2020-11-27, corrected on 2020-12-02):
+# There were two periods of DST observed in 1942-1945: 1942-05-01
+# midnight to 1944-12-31 midnight and 1945-02-01 to 1945-10-17 midnight.
+# "midnight" should mean 24:00 from the context.
+#
+# War Time Order 1942 [1942-05-01] and War Time (No. 2) Order 1942  [1942-09-29]
+# Appendix to the Statutes of 7 George VI. and the Year 1942. p 34, 43
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA34
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA43
+#
+# War Time Order 1943 [1943-03-31] and War Time Order 1944 [1943-12-29]
+# Appendix to the Statutes of 8 George VI. and the Year 1943. p 9-10, 28-29
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA9
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA28
+#
+# War Time Order 1945 [1945-01-31] and the Order which revoke War Time Order
+# 1945 [1945-10-16] Appendix to the Statutes of 9 George VI. and the Year
+# 1945. p 160, 247-248
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA160
+# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA247
+#
 # From Sue Williams (2006-12-07):
 # The Bahamas announced about a month ago that they plan to change their DST
 # rules to sync with the U.S. starting in 2007....
 # http://www.jonesbahamas.com/?c=45&a=10412
 
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	Bahamas	1942	only	-	May	 1	24:00	1:00	W
+Rule	Bahamas	1944	only	-	Dec	31	24:00	0	S
+Rule	Bahamas	1945	only	-	Feb	 1	0:00	1:00	W
+Rule	Bahamas	1945	only	-	Aug	14	23:00u	1:00	P # Peace
+Rule	Bahamas	1945	only	-	Oct	17	24:00	0	S
 Rule	Bahamas	1964	1975	-	Oct	lastSun	2:00	0	S
 Rule	Bahamas	1964	1975	-	Apr	lastSun	2:00	1:00	D
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
@@ -2987,34 +3013,161 @@
 			-4:00	Barb	A%sT
 
 # Belize
-# Whitman entirely disagrees with Shanks; go with Shanks & Pottenger.
+
+# From P Chan (2020-11-03):
+# Below are some laws related to the time in British Honduras/Belize:
+#
+# Definition of Time Ordinance, 1927 (No.4 of 1927) [1927-04-01]
+# Ordinances of British Honduras Passed in the Year 1927, p 19-20
+# https://books.google.com/books?id=LqEpAQAAMAAJ&pg=RA3-PA19
+#
+# Definition of Time (Amendment) Ordinance, 1942 (No. 5 of 1942) [1942-06-27]
+# Ordinances of British Honduras Passed in the Year 1942, p 31-32
+# https://books.google.com/books?id=h6MpAQAAMAAJ&pg=RA6-PA95-IA44
+#
+# Definition of Time Ordinance, 1945 (No. 19 of 1945) [1945-12-15]
+# Ordinances of British Honduras Passed in the Year 1945, p 49-50
+# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA2-PP1
+#
+# Definition of Time Ordinance, 1947 (No. 1 of 1947) [1947-03-11]
+# Ordinances of British Honduras Passed in the Year 1947, p 1-2
+# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA3-PA1
+#
+# Time (Definition of) Ordinance  (Chapter 180)
+# The Laws of British Honduras in Force on the 15th Day of September, 1958 , Volume IV, p 2580
+# https://books.google.com/books?id=v5QpAQAAMAAJ&pg=PA2580
+#
+# Time (Definition of) (Amendment) Ordinance, 1968 (No. 13 of 1968) [1968-08-03]
+# https://books.google.com/books?id=xij7KEB_58wC&pg=RA1-PA428-IA9
+#
+# Definition of Time Act (Chapter 339)
+# Law of Belize, Revised Edition 2000
+# http://www.belizelaw.org/web/lawadmin/PDF%20files/cap339.pdf
+
+# From Paul Eggert (2020-11-03):
+# The transitions below are derived from P Chan's sources, except that the
+# 1973 through 1983 transitions are from Shanks & Pottenger since we have
+# no better data there.
+
 # Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
-Rule	Belize	1918	1942	-	Oct	Sun>=2	0:00	0:30	-0530
-Rule	Belize	1919	1943	-	Feb	Sun>=9	0:00	0	CST
+Rule	Belize	1918	1941	-	Oct	Sat>=1	24:00	0:30	-0530
+Rule	Belize	1919	1942	-	Feb	Sat>=8	24:00	0	CST
+Rule	Belize	1942	only	-	Jun	27	24:00	1:00	CWT
+Rule	Belize	1945	only	-	Aug	14	23:00u	1:00	CPT
+Rule	Belize	1945	only	-	Dec	15	24:00	0	CST
+Rule	Belize	1947	1967	-	Oct	Sat>=1	24:00	0:30	-0530
+Rule	Belize	1948	1968	-	Feb	Sat>=8	24:00	0	CST
 Rule	Belize	1973	only	-	Dec	 5	0:00	1:00	CDT
 Rule	Belize	1974	only	-	Feb	 9	0:00	0	CST
 Rule	Belize	1982	only	-	Dec	18	0:00	1:00	CDT
 Rule	Belize	1983	only	-	Feb	12	0:00	0	CST
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone	America/Belize	-5:52:48 -	LMT	1912 Apr
+Zone	America/Belize	-5:52:48 -	LMT	1912 Apr  1
 			-6:00	Belize	%s
 
 # Bermuda
 
+# From Paul Eggert (2020-11-24):
 # For 1899 Milne gives -4:19:18.3 as the meridian of the clock tower,
-# Bermuda dockyard, Ireland I; round that.
+# Bermuda dockyard, Ireland I.  This agrees with standard offset given in the
+# Daylight Saving Act, 1917 cited below.  Round that to the nearest second.
+# It is not known when this time became standard for Bermuda; guess 1890.
+# The transition to -04 was specified by:
+# 1930: The Time Zone Act, 1929 (1929: No. 39) [1929-11-08]
+# https://books.google.com/books?id=7tdMAQAAIAAJ&pg=RA54-PP1
+
+# From P Chan (2020-11-20):
+# Most of the information can be found online from the Bermuda National
+# Library - Digital Collection which includes The Royal Gazette (RG) until 1957
+# https://bnl.contentdm.oclc.org/digital/
+# I will cite the ID.  For example, [10000] means
+# https://bnl.contentdm.oclc.org/digital/collection/BermudaNP02/id/10000
+#
+# 1917: Apr 5 midnight to Sep 30 midnight
+# Daylight Saving Act, 1917 (1917 No. 13) [1917-04-02]
+# Bermuda Acts and Resolves 1917, p 37-38
+# https://books.google.com/books?id=M-lCAQAAMAAJ&pg=PA36-IA2
+# RG, 1917-04-04, p 6 [42340] gives the spring forward date.
+#
+# 1918: Apr 13 midnight to Sep 15 midnight
+# Daylight Saving Act, 1918 (1918 No. 9) [1918-04-06]
+# Bermuda Acts and Resolves 1917, p 13
+# https://books.google.com/books?id=K-lCAQAAMAAJ&pg=RA1-PA7
+#
+# Note that local mean time was still used before 1930.
+#
+# During WWII, DST was introduced by Defence Regulations
+# 1942: Jan 11 02:00 to Oct 18 02:00 [113646], [115726]
+# 1943: Mar 21 02:00 to Oct 31 02:00 [116704], [118193]
+# 1944: Mar 12 02:00 to Nov 5 02:00 [119225], [121593]
+# 1945: Mar 11 02:00 to Nov 4 02:00 [122369], [124461]
+# RG, 1942-01-08, p 2, 1942-10-12, p 2 , 1943-03-06, p 2, 1943-09-03, p 1,
+# 1944-02-29, p 6, 1944-09-20, p 2, 1945-02-13, p 2, 1945-11-03, p 1
+#
+# In 1946, the House of Assembly rejected DST twice. [128686], [128076]
+# RG, 1946-03-16 p 1,1946-04-13 p 1
+#
+# 1947: third Sunday in May 02:00 to second Sunday in September 02:00
+# DST in 1947 was defined in the Daylight Saving Act, 1947 (1947: No. 12)
+# which expired at the end of the year.  [125784] ,[132405], [144454], [138226]
+# RG, 1947-02-27, p 1, 1947-05-15, p 1, 1947-09-13, p 1, 1947-12-30, p 1
+#
+# 1948-1952: fourth Sunday in May 02:00 to first Sunday in September 02:00
+# DST in 1948 was defined in the Daylight Saving Act, 1948 (1948 : No. 12)
+# which was set to expired at the end of the year but it was extended until
+# the end of 1952 and was not further extended.
+# [129802], [139403], [146008], [135240], [144330], [139049], [143309],
+# [148271], [149773], [153589], [153802], [155924]
+# RG, 1948-04-13, p 1, 1948-05-22, p 1, 1948-09-04, p 1, 1949-05-21, p1,
+# 1949-09-03, p 1, 1950-05-27 p 1, 1950-09-02, p 1, 1951-05-27, p 1,
+# 1951-09-01, p 1, 1952-05-23, p 1, 1952-09-26, p 1, 1952-12-21, p 8
+#
+# In 1953-1955, the House of Assembly rejected DST each year. [158996],
+# [162620], [166720] RG, 1953-05-02, p 1, 1954-04-01 p 1, 1955-03-12, p 1
+#
+# 1956: fourth Sunday in May 02:00 to last Sunday in October 02:00
+# Time Zone (Seasonal Variation) Act, 1956 (1956: No.44) [1956-05-25]
+# Bermuda Public Acts 1956, p 331-332
+# https://books.google.com/books?id=Xs1AlmD_cEwC&pg=PA63
+#
+# The extension of the Act was rejected by the House of Assembly. [176218]
+# RG, 1956-12-13, p 1
+#
+# From the Chronological Table of Public and Private Acts up to 1985, it seems
+# that there does not exist other Acts related to DST before 1973.
+# https://books.google.com/books?id=r9hMAQAAIAAJ&pg=RA23-PA1
+# Public Acts of the Legislature of the Islands of Bermuda, Together with
+# Statutory Instruments in Force Thereunder, Vol VII
 
 # From Dan Jones, reporting in The Royal Gazette (2006-06-26):
-
 # Next year, however, clocks in the US will go forward on the second Sunday
 # in March, until the first Sunday in November.  And, after the Time Zone
 # (Seasonal Variation) Bill 2006 was passed in the House of Assembly on
 # Friday, the same thing will happen in Bermuda.
 # http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060529/NEWS/105290135
 
+# Rule	NAME	FROM	TO	-	IN	ON	AT	SAVE	LETTER/S
+Rule	Bermuda	1917	only	-	Apr	 5	24:00	1:00	-
+Rule	Bermuda	1917	only	-	Sep	30	24:00	0	-
+Rule	Bermuda	1918	only	-	Apr	13	24:00	1:00	-
+Rule	Bermuda	1918	only	-	Sep	15	24:00	0	S
+Rule	Bermuda	1942	only	-	Jan	11	 2:00	1:00	D
+Rule	Bermuda	1942	only	-	Oct	18	 2:00	0	S
+Rule	Bermuda	1943	only	-	Mar	21	 2:00	1:00	D
+Rule	Bermuda	1943	only	-	Oct	31	 2:00	0	S
+Rule	Bermuda	1944	1945	-	Mar	Sun>=8	 2:00	1:00	D
+Rule	Bermuda	1944	1945	-	Nov	Sun>=1	 2:00	0	S
+Rule	Bermuda	1947	only	-	May	Sun>=15	 2:00	1:00	D
+Rule	Bermuda	1947	only	-	Sep	Sun>=8	 2:00	0	S
+Rule	Bermuda	1948	1952	-	May	Sun>=22	 2:00	1:00	D
+Rule	Bermuda	1948	1952	-	Sep	Sun>=1	 2:00	0	S
+Rule	Bermuda	1956	only	-	May	Sun>=22	 2:00	1:00	D
+Rule	Bermuda	1956	only	-	Oct	lastSun	 2:00	0	S
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
-Zone Atlantic/Bermuda	-4:19:18 -	LMT	1930 Jan  1  2:00 # Hamilton
-			-4:00	-	AST	1974 Apr 28  2:00
+Zone Atlantic/Bermuda	-4:19:18 -	LMT	1890	# Hamilton
+			-4:19:18 Bermuda BMT/BST 1930 Jan 1  2:00
+			-4:00	Bermuda	A%sT	1974 Apr 28  2:00
 			-4:00	Canada	A%sT	1976
 			-4:00	US	A%sT
 
@@ -3597,7 +3750,7 @@
 # "Eastern Standard Times Begins 2007
 # Clocks are set back one hour at 2:00 a.m. local Daylight Saving Time"
 # indicating that the normal ET rules are followed.
-#
+
 # From Paul Eggert (2014-08-19):
 # The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round.  See:
 # http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm
@@ -3612,19 +3765,42 @@
 # during the summer months and Standard Time, also known as Local
 # Time, during the winter months with effect from April 2018 ...
 # https://www.gov.uk/government/news/turks-and-caicos-post-cabinet-meeting-statement--3
-#
 # From Paul Eggert (2017-08-26):
 # The date of effect of the spring 2018 change appears to be March 11,
 # which makes more sense.  See: Hamilton D. Time change back
 # by March 2018 for TCI. Magnetic Media. 2017-08-25.
 # http://magneticmediatv.com/2017/08/time-change-back-by-march-2018-for-tci/
 #
+# From P Chan (2020-11-27):
+# Standard Time Declaration Order 2015 (L.N. 15/2015)
+# http://online.fliphtml5.com/fizd/czin/#p=2
+#
+# Standard Time Declaration Order 2017 (L.N. 31/2017)
+# http://online.fliphtml5.com/fizd/dmcu/#p=2
+#
+# From Tim Parenti (2020-12-05):
+# Although L.N. 31/2017 reads that it "shall come into operation at 2:00 a.m.
+# on 11th March 2018", a precise interpretation here poses some problems.  The
+# order states that "the standard time to be observed throughout the Turks and
+# Caicos Islands shall be the same time zone as the Eastern United States of
+# America" and further clarifies "[f]or the avoidance of doubt" that it
+# "applies to the Eastern Standard Time as well as any changes thereto for
+# Daylight Saving Time."  However, as clocks in Turks and Caicos approached
+# 02:00 -04, and thus the declared implementation time, it was still 01:00 EST
+# (-05), as DST in the Eastern US would not start until an hour later.
+#
+# Since it is unlikely that those on the islands switched their clocks twice in
+# the span of an hour, we assume instead that the adoption of EDT actually took
+# effect once clocks in the Eastern US had sprung forward, from 03:00 -04.
+# This discrepancy only affects the time zone abbreviation and DST flag for the
+# intervening hour, not wall clock times, as -04 was maintained throughout.
+
 # Zone	NAME		STDOFF	RULES	FORMAT	[UNTIL]
 Zone America/Grand_Turk	-4:44:32 -	LMT	1890
 			-5:07:10 -	KMT	1912 Feb # Kingston Mean Time
 			-5:00	-	EST	1979
-			-5:00	US	E%sT	2015 Nov Sun>=1 2:00
-			-4:00	-	AST	2018 Mar 11 3:00
+			-5:00	US	E%sT	2015 Mar  8  2:00
+			-4:00	-	AST	2018 Mar 11  3:00
 			-5:00	US	E%sT
 
 # British Virgin Is
--- a/test/sun/util/calendar/zi/tzdata/zone.tab	Mon Apr 19 04:23:30 2021 +0100
+++ b/test/sun/util/calendar/zi/tzdata/zone.tab	Mon Apr 26 14:01:43 2021 +0100
@@ -79,8 +79,7 @@
 AT	+4813+01620	Europe/Vienna
 AU	-3133+15905	Australia/Lord_Howe	Lord Howe Island
 AU	-5430+15857	Antarctica/Macquarie	Macquarie Island
-AU	-4253+14719	Australia/Hobart	Tasmania (most areas)
-AU	-3956+14352	Australia/Currie	Tasmania (King Island)
+AU	-4253+14719	Australia/Hobart	Tasmania
 AU	-3749+14458	Australia/Melbourne	Victoria
 AU	-3352+15113	Australia/Sydney	New South Wales (most areas)
 AU	-3157+14127	Australia/Broken_Hill	New South Wales (Yancowinna)
@@ -153,9 +152,9 @@
 CA	+4906-11631	America/Creston	MST - BC (Creston)
 CA	+5946-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
+CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
+CA	+6404-13925	America/Dawson	MST - Yukon (west)
 CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
-CA	+6043-13503	America/Whitehorse	Pacific - Yukon (east)
-CA	+6404-13925	America/Dawson	Pacific - Yukon (west)
 CC	-1210+09655	Indian/Cocos
 CD	-0418+01518	Africa/Kinshasa	Dem. Rep. of Congo (west)
 CD	-1140+02728	Africa/Lubumbashi	Dem. Rep. of Congo (east)
@@ -360,8 +359,8 @@
 # Programs should use zone1970.tab instead; see above.
 UA	+4457+03406	Europe/Simferopol	Crimea
 RU	+5836+04939	Europe/Kirov	MSK+00 - Kirov
+RU	+4844+04425	Europe/Volgograd	MSK+00 - Volgograd
 RU	+4621+04803	Europe/Astrakhan	MSK+01 - Astrakhan
-RU	+4844+04425	Europe/Volgograd	MSK+01 - Volgograd
 RU	+5134+04602	Europe/Saratov	MSK+01 - Saratov
 RU	+5420+04824	Europe/Ulyanovsk	MSK+01 - Ulyanovsk
 RU	+5312+05009	Europe/Samara	MSK+01 - Samara, Udmurtia