Update Java to 13

vendor/generate_jre.sh

@@ -3,7 +3,7 @@
 # This script is used as a reference to generate a stripped-down OpenJ9 JRE for the server
 
 rm -rf java/
-wget https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.5%2B10_openj9-0.17.0/OpenJDK11U-jdk_x64_linux_openj9_11.0.5_10_openj9-0.17.0.tar.gz
+wget https://github.com/AdoptOpenJDK/openjdk13-binaries/releases/download/jdk-13.0.1%2B9_openj9-0.17.0/OpenJDK13U-jdk_x64_linux_openj9_13.0.1_9_openj9-0.17.0.tar.gz
 tar -zxvf OpenJDK*
 rm OpenJDK*
 mv jdk* jdk/

vendor/java/conf/logging.properties

@@ -60,4 +60,4 @@ java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
 
 # For example, set the com.xyz.foo logger to only log SEVERE
 # messages:
-com.xyz.foo.level = SEVERE
+# com.xyz.foo.level = SEVERE

vendor/java/conf/net.properties

@@ -51,13 +51,6 @@ http.nonProxyHosts=localhost|127.*|[::1]
 # ftp.proxyPort=80
 ftp.nonProxyHosts=localhost|127.*|[::1]
 #
-# Gopher Proxy settings. proxyHost is the name of the proxy server
-# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
-# value is 80)
-#
-# gopher.proxyHost=
-# gopher.proxyPort=80
-#
 # Socks proxy settings. socksProxyHost is the name of the proxy server
 # (e.g. socks.domain.com), socksProxyPort is the port number to use
 # (default value is 1080)
@@ -99,6 +92,24 @@ ftp.nonProxyHosts=localhost|127.*|[::1]
 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic
 
+#
+# Allow restricted HTTP request headers
+#
+# By default, the following request headers are not allowed to be set by user code
+# in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
+# The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
+# headers to be specified as a comma separated list to override the default restriction.
+# The names are case-insensitive and white-space is ignored (removed before processing
+# the list). Note, this capability is mostly intended for testing and isn't expected
+# to be used in real deployments. Protocol errors or other undefined behavior is likely
+# to occur when using them. The property is not set by default.
+# Note also, that there may be other headers that are restricted from being set
+# depending on the context. This includes the "Authorization" header when the
+# relevant HttpClient has an authenticator set. These restrictions cannot be
+# overridden by this property.
+#
+# jdk.httpclient.allowRestrictedHeaders=host
+#
 #
 # Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
 # can be used for the NTLM scheme, where the security credentials based on the

vendor/java/conf/sdp/sdp.conf.template

@@ -0,0 +1,30 @@
+#
+# Configuration file to enable InfiniBand Sockets Direct Protocol.
+#
+# Each line that does not start with a comment (#) is a rule to indicate when
+# the SDP transport protocol should be used. The format of a rule is as follows:
+#   ("bind"|"connect") 1*LWSP-char (hostname|ipaddress["/"prefix]) 1*LWSP-char ("*"|port)["-"("*"|port)]
+#
+# A "bind" rule indicates that the SDP protocol transport should be used when
+# a TCP socket binds to an address/port that matches the rule. A "connect" rule
+# indicates that the SDP protocol transport should be used when an unbound
+# TCP socket attempts to connect to an address/port that matches the rule.
+# Addresses may be specified as hostnames or literal Internet Protocol (IP)
+# addresses. When a literal IP address is used then a prefix length may be used
+# to indicate the number of bits for matching (useful when a block of addresses
+# or subnet is allocated to the InfiniBand fabric). 
+
+# Use SDP for all sockets that bind to specific local addresses
+#bind    192.168.1.1    *
+#bind    fe80::21b:24ff:fe3d:7896    *
+
+# Use SDP for all sockets that bind to the wildcard address in a port range
+#bind    0.0.0.0    5000-5999
+#bind    ::0        5000-5999
+
+# Use SDP when connecting to all application services on 192.168.1.*
+#connect 192.168.1.0/24       1024-*
+
+# Use SDP when connecting to the http server or MySQL database on hpccluster.
+#connect hpccluster.foo.com   80
+#connect hpccluster.foo.com   3306

vendor/java/conf/security/java.security

@@ -451,6 +451,31 @@ networkaddress.cache.negative.ttl=10
 #
 krb5.kdc.bad.policy = tryLast
 
+#
+# Kerberos cross-realm referrals (RFC 6806)
+#
+# OpenJDK's Kerberos client supports cross-realm referrals as defined in
+# RFC 6806. This allows to setup more dynamic environments in which clients
+# do not need to know in advance how to reach the realm of a target principal
+# (either a user or service).
+#
+# When a client issues an AS or a TGS request, the "canonicalize" option
+# is set to announce support of this feature. A KDC server may fulfill the
+# request or reply referring the client to a different one. If referred,
+# the client will issue a new request and the cycle repeats.
+#
+# In addition to referrals, the "canonicalize" option allows the KDC server
+# to change the client name in response to an AS request. For security reasons,
+# RFC 6806 (section 11) FAST scheme is enforced.
+#
+# Disable Kerberos cross-realm referrals. Value may be overwritten with a
+# System property (-Dsun.security.krb5.disableReferrals).
+sun.security.krb5.disableReferrals=false
+
+# Maximum number of AS or TGS referrals to avoid infinite loops. Value may
+# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
+sun.security.krb5.maxReferrals=5
+
 #
 # Algorithm restrictions for certification path (CertPath) processing
 #
@@ -897,7 +922,7 @@ jdk.xml.dsig.secureValidationPolicy=\
     noRetrievalMethodLoops
 
 #
-# Serialization process-wide filter
+# Serialization system-wide filter
 #
 # A filter, if configured, is used by java.io.ObjectInputStream during
 # deserialization to check the contents of the stream.
@@ -999,27 +1024,6 @@ jdk.xml.dsig.secureValidationPolicy=\
 #    java.rmi.dgc.Lease;\
 #    maxdepth=5;maxarray=10000
 
-# CORBA ORBIorTypeCheckRegistryFilter
-# Type check enhancement for ORB::string_to_object processing
-#
-# An IOR type check filter, if configured, is used by an ORB during
-# an ORB::string_to_object invocation to check the veracity of the type encoded
-# in the ior string.
-#
-# The filter pattern consists of a semi-colon separated list of class names.
-# The configured list contains the binary class names of the IDL interface types
-# corresponding to the IDL stub class to be instantiated.
-# As such, a filter specifies a list of IDL stub classes that will be
-# allowed by an ORB when an ORB::string_to_object is invoked.
-# It is used to specify a white list configuration of acceptable
-# IDL stub types which may be contained in a stringified IOR
-# parameter passed as input to an ORB::string_to_object method.
-#
-# Note: This property is currently used by the JDK Reference implementation.
-# It is not guaranteed to be examined and used by other implementations.
-#
-#com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name
-
 #
 # JCEKS Encrypted Key Serial Filter
 #
@@ -1037,6 +1041,77 @@ jdk.xml.dsig.secureValidationPolicy=\
 jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
   java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
 
+#
+# PKCS12 KeyStore properties
+#
+# The following properties, if configured, are used by the PKCS12 KeyStore
+# implementation during the creation of a new keystore. Several of the
+# properties may also be used when modifying an existing keystore. The
+# properties can be overridden by a KeyStore API that specifies its own
+# algorithms and parameters.
+#
+# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
+# parameter used to generate the existing Mac will be reused. If the existing
+# keystore does not have a Mac, no Mac will be created while storing. If there
+# is at least one certificate in the existing keystore, the algorithm and
+# parameters used to encrypt the last certificate in the existing keystore will
+# be reused to encrypt all certificates while storing. If the last certificate
+# in the existing keystore is not encrypted, all certificates will be stored
+# unencrypted. If there is no certificate in the existing keystore, any newly
+# added certificate will be encrypted (or stored unencrypted if algorithm
+# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
+# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
+# and secret key(s) are not changed. Newly set private and secret key(s) will
+# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
+# "keystore.pkcs12.keyPbeIterationCount" values defined here.
+#
+# In order to apply new algorithms and parameters to all entries in an
+# existing keystore, one can create a new keystore and add entries in the
+# existing keystore into the new keystore. This can be achieved by calling the
+# "keytool -importkeystore" command.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# If the property is set to an illegal value,
+# an iteration count that is not a positive integer, or an unknown algorithm
+# name, an exception will be thrown when the property is used.
+# If the property is not set or empty, a default value will be used.
+#
+# Note: These properties are currently used by the JDK Reference implementation.
+# They are not guaranteed to be examined and used by other implementations.
+
+# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
+# algorithm defined in the Cipher section of the Java Security Standard
+# Algorithm Names Specification. When set to "NONE", the certificate
+# is not encrypted. The default value is "PBEWithSHA1AndRC2_40".
+#keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
+
+# The iteration count used by the PBE algorithm when encrypting a certificate.
+# This value must be a positive integer. The default value is 50000.
+#keystore.pkcs12.certPbeIterationCount = 50000
+
+# The algorithm used to encrypt a private key or secret key. This can be
+# any non-Hmac PBE algorithm defined in the Cipher section of the Java
+# Security Standard Algorithm Names Specification. The value must not be "NONE".
+# The default value is "PBEWithSHA1AndDESede".
+#keystore.pkcs12.keyProtectionAlgorithm = PBEWithSHA1AndDESede
+
+# The iteration count used by the PBE algorithm when encrypting a private key
+# or a secret key. This value must be a positive integer. The default value
+# is 50000.
+#keystore.pkcs12.keyPbeIterationCount = 50000
+
+# The algorithm used to calculate the optional MacData at the end of a PKCS12
+# file. This can be any HmacPBE algorithm defined in the Mac section of the
+# Java Security Standard Algorithm Names Specification. When set to "NONE",
+# no Mac is generated. The default value is "HmacPBESHA1".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA1
+
+# The iteration count used by the MacData algorithm. This value must be a
+# positive integer. The default value is 100000.
+#keystore.pkcs12.macIterationCount = 100000
+
 #
 # Enhanced exception message information
 #
@@ -1058,18 +1133,20 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
 #             java.nio.channels package will contain enhanced exception
 #             message information
 #
+#  jar      - enables more detailed information in the IOExceptions thrown
+#             by classes in the java.util.jar package
+#
 # The property setting in this file can be overridden by a system property of
 # the same name, with the same syntax and possible values.
 #
-#jdk.includeInExceptions=hostInfo
+#jdk.includeInExceptions=hostInfo,jar
 
 #
 # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
 #
 # Disabled mechanisms will not be negotiated by both SASL clients and servers.
-# These mechanisms will be ignored if they are specified in the "mechanisms"
-# argument of "Sasl.createSaslClient" or the "mechanism" argument of
-# "Sasl.createSaslServer".
+# These mechanisms will be ignored if they are specified in the mechanisms argument
+# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
 #
 # The value of this property is a comma-separated list of SASL mechanisms.
 # The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
@@ -1158,4 +1235,3 @@ jdk.io.permissionsUseCanonicalPath=false
 # security property value defined here.
 #
 #jdk.security.krb5.default.initiate.credential=always-impersonate
-

vendor/java/lib/java.properties

@@ -1,4 +1,4 @@
-#Wed Oct 16 11:04:37 UTC 2019
+#Mon Oct 21 13:10:59 UTC 2019
 EXEL070=ROM image is wrong version
 EXEL079=\  -Xscmx<x>       set size of new shared class cache to <x>
 J9VM151=Failed to open jimage library

vendor/java/lib/security/default.policy

@@ -154,10 +154,6 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
     permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 
-grant codeBase "jrt:/jdk.desktop" {
-    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.awt";
-};
-
 grant codeBase "jrt:/jdk.dynalink" {
     permission java.security.AllPermission;
 };
@@ -175,10 +171,15 @@ grant codeBase "jrt:/jdk.internal.vm.compiler" {
 };
 
 grant codeBase "jrt:/jdk.internal.vm.compiler.management" {
-    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.hotspot";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.compiler.collections";
     permission java.lang.RuntimePermission "accessClassInPackage.jdk.vm.ci.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.management.spi";
-    permission java.lang.RuntimePermission "sun.management.spi.PlatformMBeanProvider.subclass";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.vm.ci.services";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.core.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.debug";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.hotspot";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.options";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.phases.common.jmx";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.serviceprovider";
 };
 
 grant codeBase "jrt:/jdk.jsobject" {
@@ -214,6 +215,7 @@ grant codeBase "jrt:/jdk.zipfs" {
     permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
     permission java.lang.RuntimePermission "fileSystemProvider";
     permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "user.dir", "read";
 };
 
 grant codeBase "jrt:/openj9.cuda" {

vendor/java/release

@@ -1,2 +1,2 @@
-JAVA_VERSION="11.0.5"
+JAVA_VERSION="13.0.1"
 MODULES="java.base java.datatransfer java.xml java.prefs java.desktop java.logging java.management java.security.sasl java.naming java.net.http java.scripting java.transaction.xa java.sql jdk.crypto.ec jdk.unsupported jdk.zipfs openj9.sharedclasses"