8009280: JCE jurisdiction policy files not copied into jdk/lib/security

Reviewed-by: tbell, ihse
2013-10-24 10:43:51 +02:00 · 2013-10-24 10:43:51 +02:00 · a1a132996a
commit a1a132996a
parent 53fb16b381
5 changed files with 390 additions and 296 deletions
--- a/jdk/makefiles/BuildJdk.gmk
+++ b/jdk/makefiles/BuildJdk.gmk
@ -80,7 +80,11 @@ genclasses-only:
        # to execute launchers.
 	+$(MAKE) -f GenerateClasses.gmk

-jdk: genclasses
+securityjars: genclasses securityjars-only
+securityjars-only:
+	+$(MAKE) -f CreateSecurityJars.gmk
+
+jdk: securityjars
        # Now we have a complete jdk, which you can run.
        # It is not yet wrapped up as an installed image.

--- a/jdk/makefiles/CompileJavaClasses.gmk
+++ b/jdk/makefiles/CompileJavaClasses.gmk
@ -281,6 +281,19 @@ ifeq ($(OPENJDK_TARGET_OS), macosx)
  EXCLUDES += com/apple/jobjc
 endif

+# The security classes should not end up in the classes directory as that will prevent them
+# from working when running the exploded jdk image. Compile them separately to a different
+# directory from where the jars can be created.
+SECURITY_PKGS := \
+    com/oracle/security/ucrypto \
+    com/sun/crypto/provider \
+    javax/crypto \
+    sun/security/ec \
+    sun/security/internal \
+    sun/security/mscapi \
+    sun/security/pkcs11 \
+    #
+
 # The exception handling of swing beaninfo
 # These resources violates the convention of having code and resources together under
 # $(JDK_TOPDIR)/src/.../classes directories
@ -293,22 +306,46 @@ $(JDK_OUTPUTDIR)/classes/javax/swing/beaninfo/images/%.gif: $(JDK_TOPDIR)/make/t
 # space separated list.
 JDK_USER_DEFINED_FILTER := $(strip $(subst $(COMMA),$(SPACE), $(JDK_FILTER)))

-$(eval $(call SetupJavaCompilation,BUILD_JDK, \
+ifeq ($(ENABLE_SJAVAC),yes)
+  # With sjavac enabled, excluded sources are not even considered for linking. 
+  # Explicitly add the security sources to sourcepath for linking.
+  BUILD_JDK_SOURCEPATH:=$(patsubst %,-i$(SPACE)%.*,$(subst /,.,$(SECURITY_PKGS))) \
+      -sourcepath $(JDK_TOPDIR)/src/share/classes
+endif
+
+$(eval $(call SetupJavaCompilation,BUILD_JDK,\
+    SETUP:=GENERATE_JDKBYTECODE,\
+    SRC:=$(JDK_TOPDIR)/src/share/classes \
+        $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/classes \
+        $(MACOSX_SRC_DIRS) \
+        $(JDK_OUTPUTDIR)/gensrc \
+        $(JDK_OUTPUTDIR)/gensrc_no_srczip \
+        $(CLOSED_SRC_DIRS),\
+    INCLUDES:=$(JDK_USER_DEFINED_FILTER),\
+    EXCLUDES:=$(EXCLUDES) $(SECURITY_PKGS),\
+    EXCLUDE_FILES:=$(EXFILES),\
+    BIN:=$(JDK_OUTPUTDIR)/classes,\
+    COPY:=$(COPY_PATTERNS),\
+    COPY_FILES:=$(COPY_FILES),\
+    HEADERS:=$(JDK_OUTPUTDIR)/gensrc_headers,\
+    ADD_JAVAC_FLAGS:=$(BUILD_JDK_SOURCEPATH)))
+
+##########################################################################################
+
+$(eval $(call SetupJavaCompilation,BUILD_SECURITY, \
    SETUP := GENERATE_JDKBYTECODE, \
    SRC := $(JDK_TOPDIR)/src/share/classes \
-         $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/classes \
-         $(MACOSX_SRC_DIRS) \
-         $(JDK_OUTPUTDIR)/gensrc \
-         $(JDK_OUTPUTDIR)/gensrc_no_srczip \
-         $(CLOSED_SRC_DIRS), \
-    INCLUDES := $(JDK_USER_DEFINED_FILTER), \
+        $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/classes \
+        $(MACOSX_SRC_DIRS) \
+        $(CLOSED_SRC_DIRS), \
+    INCLUDES := $(SECURITY_PKGS), \
    EXCLUDES := $(EXCLUDES), \
    EXCLUDE_FILES := $(EXFILES), \
-    BIN := $(JDK_OUTPUTDIR)/classes, \
-    COPY := $(COPY_PATTERNS), \
-    COPY_FILES := $(COPY_FILES), \
+    BIN := $(JDK_OUTPUTDIR)/classes_security, \
    HEADERS := $(JDK_OUTPUTDIR)/gensrc_headers))

+$(BUILD_SECURITY): $(BUILD_JDK)
+
 ##########################################################################################

 $(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin:
@ -393,7 +430,7 @@ endif

 ##########################################################################################

-all: $(BUILD_JDK) $(BUILD_JOBJC) $(BUILD_JOBJC_HEADERS) $(COPY_EXTRA) \
+all: $(BUILD_JDK) $(BUILD_SECURITY) $(BUILD_JOBJC) $(BUILD_JOBJC_HEADERS) $(COPY_EXTRA) \
    $(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin \
    $(BUILD_ACCESSBRIDGE_32) $(BUILD_ACCESSBRIDGE_64) \
    $(BUILD_ACCESSBRIDGE_LEGACY)
--- a/jdk/makefiles/CreateJars.gmk
+++ b/jdk/makefiles/CreateJars.gmk
@ -102,7 +102,6 @@ $(eval $(call SetupArchive,BUILD_LOCALEDATA_JAR, , \
 # This value should exclude types destined for jars other than rt.jar and resources.jar.
 # When building a Profile this value augments the profile specific exclusions
 RT_JAR_EXCLUDES += \
-    com/oracle/security \
    com/sun/codemodel \
    com/sun/crypto/provider \
    com/sun/istack/internal/tools \
@ -414,86 +413,6 @@ $(eval $(call SetupArchive,BUILD_JSSE_JAR, , \
    MANIFEST := $(MAINMANIFEST), \
    CHECK_COMPRESS_JAR := true))

-##########################################################################################
-# Create manifest for security jars
-
-#
-# Include these extra attributes for now, should probably take out.
-#
-JCE_MANIFEST := $(IMAGES_OUTPUTDIR)/lib/_the.security.manifest.mf
-$(JCE_MANIFEST): $(MAINMANIFEST)
-	$(MKDIR) -p $(@D)
-	$(RM) $@ $@.tmp
-	$(SED) -e "s#@@RELEASE@@#$(JDK_VERSION)#" \
-	    -e "s#@@COMPANY_NAME@@#$(COMPANY_NAME)#" \
-	    $(MAINMANIFEST) >> $@.tmp
-	$(ECHO) "Extension-Name: javax.crypto" >> $@.tmp
-	$(ECHO) "Implementation-Vendor-Id: com.sun" >> $@.tmp
-	$(MV) $@.tmp $@
-
-##########################################################################################
-# For security and crypto jars, always build the jar, but for closed, install the prebuilt
-# signed version instead of the newly built jar. Unsigned jars are treated as intermediate
-# targets and explicitly added to the JARS list. For open, signing is not needed. See
-# SignJars.gmk for more information.
-#
-# The source for the crypto jars is not available for all licensees. The BUILD_CRYPTO
-# variable is set to no if these jars can't be built to skip that step of the build.
-# Note that for OPENJDK, the build will fail if BUILD_CRYPTO=no since then there is no
-# other way to get the jars than to build them.
-
-SUNPKCS11_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunpkcs11.jar
-SUNPKCS11_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunpkcs11.jar
-
-$(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR, , \
-    SRCS := $(JDK_OUTPUTDIR)/classes, \
-    SUFFIXES := .class, \
-    INCLUDES := sun/security/pkcs11, \
-    JAR := $(SUNPKCS11_JAR_UNSIGNED), \
-    MANIFEST := $(JCE_MANIFEST), \
-    SKIP_METAINF := true))
-
-$(SUNPKCS11_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-ifndef OPENJDK
-  SUNPKCS11_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/pkcs11/sunpkcs11.jar
-  $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunPKCS11 provider..."
-	$(install-file)
-else
-  $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-JARS += $(SUNPKCS11_JAR_UNSIGNED)
-
-##########################################################################################
-
-SUNEC_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunec.jar
-SUNEC_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunec.jar
-
-$(eval $(call SetupArchive,BUILD_SUNEC_JAR, , \
-    SRCS := $(JDK_OUTPUTDIR)/classes, \
-    SUFFIXES := .class, \
-    INCLUDES := sun/security/ec, \
-    JAR := $(SUNEC_JAR_UNSIGNED), \
-    MANIFEST := $(JCE_MANIFEST), \
-    SKIP_METAINF := true))
-
-$(SUNEC_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-ifndef OPENJDK
-  SUNEC_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ec/sunec.jar
-  $(SUNEC_JAR_DST): $(SUNEC_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunEC provider..."
-	$(install-file)
-else
-  $(SUNEC_JAR_DST): $(SUNEC_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-JARS += $(SUNEC_JAR_UNSIGNED)
-
 ##########################################################################################

 $(eval $(call SetupArchive,BUILD_SWINGBEANS_JAR, , \
@ -507,208 +426,6 @@ $(eval $(call SetupArchive,BUILD_SWINGBEANS_JAR, , \

 ##########################################################################################

-SUNJCE_PROVIDER_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunjce_provider.jar
-SUNJCE_PROVIDER_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunjce_provider.jar
-
-ifneq ($(BUILD_CRYPTO), no)
-  $(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR, , \
-      SRCS := $(JDK_OUTPUTDIR)/classes, \
-      SUFFIXES := .class, \
-      INCLUDES := com/sun/crypto/provider, \
-      JAR := $(SUNJCE_PROVIDER_JAR_UNSIGNED), \
-      MANIFEST := $(JCE_MANIFEST), \
-      SKIP_METAINF := true))
-
-  $(SUNJCE_PROVIDER_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-  JARS += $(SUNJCE_PROVIDER_JAR_UNSIGNED)
-endif
-
-ifndef OPENJDK
-  SUNJCE_PROVIDER_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/sunjce_provider.jar
-  $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunJCE provider..."
-	$(install-file)
-else
-  $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-##########################################################################################
-
-JCE_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/jce.jar
-JCE_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/jce.jar
-
-ifneq ($(BUILD_CRYPTO), no)
-  $(eval $(call SetupArchive,BUILD_JCE_JAR, , \
-      SRCS := $(JDK_OUTPUTDIR)/classes, \
-      SUFFIXES := .class, \
-      INCLUDES := javax/crypto sun/security/internal, \
-      JAR := $(JCE_JAR_UNSIGNED), \
-      MANIFEST := $(JCE_MANIFEST), \
-      SKIP_METAINF := true))
-
-  $(JCE_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-  JARS += $(JCE_JAR_UNSIGNED)
-endif
-
-ifndef OPENJDK
-  JCE_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/jce.jar
-  $(JCE_JAR_DST): $(JCE_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt jce.jar..."
-	$(install-file)
-else
-  $(JCE_JAR_DST): $(JCE_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-##########################################################################################
-
-US_EXPORT_POLICY_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/security/US_export_policy.jar
-US_EXPORT_POLICY_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/US_export_policy.jar
-
-ifneq ($(BUILD_CRYPTO), no)
-  #
-  # TODO fix so that SetupArchive does not write files into SRCS
-  # then we don't need this extra copying
-
-  # NOTE: We currently do not place restrictions on our limited export
-  # policy. This was not a typo.
-  #
-  US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
-  US_EXPORT_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/US_export_policy_jar.tmp
-
-  $(US_EXPORT_POLICY_JAR_TMP)/%: $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
-	$(install-file)
-
-  US_EXPORT_POLICY_JAR_DEPS := $(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
-
-  $(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR, $(US_EXPORT_POLICY_JAR_DEPS), \
-      SRCS := $(US_EXPORT_POLICY_JAR_TMP), \
-      SUFFIXES := .policy, \
-      JAR := $(US_EXPORT_POLICY_JAR_UNSIGNED), \
-      EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
-      SKIP_METAINF := true))
-
-  JARS += $(US_EXPORT_POLICY_JAR_UNSIGNED)
-endif
-
-ifndef OPENJDK
-  $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
-	$(ECHO) $(LOG_INFO) Copying $(@F)
-	$(install-file)
-else
-  $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-##########################################################################################
-
-LOCAL_POLICY_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/security/local_policy.jar
-LOCAL_POLICY_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/local_policy.jar
-
-ifneq ($(BUILD_CRYPTO), no)
-  #
-  # TODO fix so that SetupArchive does not write files into SRCS
-  # then we don't need this extra copying
-  #
-  LOCAL_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/local_policy_jar.tmp
-
-  ifeq ($(UNLIMITED_CRYPTO), true)
-    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
-    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: unlimited
-  else
-    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/limited
-    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/exempt_local.policy \
-        $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: limited
-  endif
-
-  $(LOCAL_POLICY_JAR_TMP)/%: $(LOCAL_POLICY_JAR_SRC_DIR)/%
-	$(install-file)
-
-  $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR, $(LOCAL_POLICY_JAR_DEPS), \
-      SRCS := $(LOCAL_POLICY_JAR_TMP), \
-      SUFFIXES := .policy, \
-      JAR := $(LOCAL_POLICY_JAR_UNSIGNED), \
-      EXTRA_MANIFEST_ATTR := $(LOCAL_POLICY_JAR_ATTR), \
-      SKIP_METAINF := true))
-
-  JARS += $(LOCAL_POLICY_JAR_UNSIGNED)
-endif
-
-ifndef OPENJDK
-  $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
-	$(ECHO) $(LOG_INFO) Copying $(@F)
-	$(install-file)
-else
-  $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNSIGNED)
-	$(install-file)
-endif
-
-##########################################################################################
-
-ifeq ($(OPENJDK_TARGET_OS), windows)
-
-  SUNMSCAPI_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunmscapi.jar
-  SUNMSCAPI_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunmscapi.jar
-
-  $(eval $(call SetupArchive,BUILD_SUNMSCAPI_JAR, , \
-      SRCS := $(JDK_OUTPUTDIR)/classes, \
-      SUFFIXES := .class, \
-      INCLUDES := sun/security/mscapi, \
-      JAR := $(SUNMSCAPI_JAR_UNSIGNED), \
-      MANIFEST := $(JCE_MANIFEST), \
-      SKIP_METAINF := true))
-
-  $(SUNMSCAPI_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-  ifndef OPENJDK
-    SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
-    $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunMSCAPI provider..."
-	$(install-file)
-  else
-    $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_UNSIGNED)
-	$(install-file)
-  endif
-
-  JARS += $(SUNMSCAPI_JAR_UNSIGNED)
-
-endif
-
-##########################################################################################
-
-ifeq ($(OPENJDK_TARGET_OS), solaris)
-  ifndef OPENJDK
-
-    UCRYPTO_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/ucrypto.jar
-    UCRYPTO_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/ucrypto.jar
-    UCRYPTO_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ucrypto/ucrypto.jar
-
-    $(eval $(call SetupArchive,BUILD_UCRYPTO_JAR, , \
-        SRCS := $(JDK_OUTPUTDIR)/classes, \
-        SUFFIXES := .class, \
-        INCLUDES := com/oracle/security/ucrypto, \
-        JAR := $(UCRYPTO_JAR_UNSIGNED), \
-        MANIFEST := $(JCE_MANIFEST), \
-        SKIP_METAINF := true))
-
-    $(UCRYPTO_JAR_UNSIGNED): $(JCE_MANIFEST)
-
-    $(UCRYPTO_JAR_DST): $(UCRYPTO_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt OracleUcrypto provider..."
-	$(install-file)
-
-    JARS += $(UCRYPTO_JAR_UNSIGNED)
-
-  endif
-endif
-
-##########################################################################################
-
 # Get the CLDRVERSION
 include gensrc/GensrcCLDR.gmk

@ -1047,6 +764,13 @@ endif

 ##########################################################################################

+# This rule copies all jars from jdk/lib/... to images/lib/... to avoid having to track 
+# which jars are where
+$(IMAGES_OUTPUTDIR)/lib/%: $(JDK_OUTPUTDIR)/lib/%
+	$(install-file)
+
+##########################################################################################
+
 # Import nashorn.jar from nashorn dist dir.
 $(IMAGES_OUTPUTDIR)/lib/ext/nashorn.jar: $(NASHORN_DIST)/nashorn.jar
 	$(install-file)
--- a/jdk/makefiles/CreateSecurityJars.gmk
+++ b/jdk/makefiles/CreateSecurityJars.gmk
@ -0,0 +1,329 @@
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+default: all
+
+include $(SPEC)
+include MakeBase.gmk
+include JavaCompilation.gmk
+include Setup.gmk
+
+# The jars created in this file are required for the exploded jdk image to function and
+# cannot wait to be built in the images target.
+
+##########################################################################################
+# Create manifest for security jars
+#
+# Include these extra attributes for now, should probably take out.
+#
+MAINMANIFEST := $(JDK_TOPDIR)/make/tools/manifest.mf
+JCE_MANIFEST := $(JDK_OUTPUTDIR)/lib/_the.security.manifest.mf
+
+$(JCE_MANIFEST): $(MAINMANIFEST)
+	$(MKDIR) -p $(@D)
+	$(RM) $@ $@.tmp
+	$(SED) -e "s#@@RELEASE@@#$(JDK_VERSION)#" \
+	    -e "s#@@COMPANY_NAME@@#$(COMPANY_NAME)#" \
+	    $(MAINMANIFEST) >> $@.tmp
+	$(ECHO) "Extension-Name: javax.crypto" >> $@.tmp
+	$(ECHO) "Implementation-Vendor-Id: com.sun" >> $@.tmp
+	$(MV) $@.tmp $@
+
+##########################################################################################
+# For security and crypto jars, always build the jar, but for closed, install the prebuilt
+# signed version instead of the newly built jar. Unsigned jars are treated as intermediate
+# targets and explicitly added to the JARS list. For open, signing is not needed. See
+# SignJars.gmk for more information.
+#
+# The source for the crypto jars is not available for all licensees. The BUILD_CRYPTO
+# variable is set to no if these jars can't be built to skip that step of the build.
+# Note that for OPENJDK, the build will fail if BUILD_CRYPTO=no since then there is no
+# other way to get the jars than to build them.
+
+SUNPKCS11_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunpkcs11.jar
+SUNPKCS11_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunpkcs11.jar
+
+$(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR, , \
+    SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+    SUFFIXES := .class, \
+    INCLUDES := sun/security/pkcs11, \
+    JAR := $(SUNPKCS11_JAR_UNSIGNED), \
+    MANIFEST := $(JCE_MANIFEST), \
+    SKIP_METAINF := true))
+
+$(SUNPKCS11_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+ifndef OPENJDK
+  SUNPKCS11_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/pkcs11/sunpkcs11.jar
+  $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunPKCS11 provider..."
+	$(install-file)
+else
+  $(SUNPKCS11_JAR_DST): $(SUNPKCS11_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(SUNPKCS11_JAR_UNSIGNED) $(SUNPKCS11_JAR_DST)
+
+##########################################################################################
+
+SUNEC_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunec.jar
+SUNEC_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunec.jar
+
+$(eval $(call SetupArchive,BUILD_SUNEC_JAR, , \
+    SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+    SUFFIXES := .class, \
+    INCLUDES := sun/security/ec, \
+    JAR := $(SUNEC_JAR_UNSIGNED), \
+    MANIFEST := $(JCE_MANIFEST), \
+    SKIP_METAINF := true))
+
+$(SUNEC_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+ifndef OPENJDK
+  SUNEC_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ec/sunec.jar
+  $(SUNEC_JAR_DST): $(SUNEC_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunEC provider..."
+	$(install-file)
+else
+  $(SUNEC_JAR_DST): $(SUNEC_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(SUNEC_JAR_UNSIGNED) $(SUNEC_JAR_DST)
+
+##########################################################################################
+
+SUNJCE_PROVIDER_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunjce_provider.jar
+SUNJCE_PROVIDER_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunjce_provider.jar
+
+ifneq ($(BUILD_CRYPTO), no)
+  $(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR, , \
+      SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+      SUFFIXES := .class, \
+      INCLUDES := com/sun/crypto/provider, \
+      JAR := $(SUNJCE_PROVIDER_JAR_UNSIGNED), \
+      MANIFEST := $(JCE_MANIFEST), \
+      SKIP_METAINF := true))
+
+  $(SUNJCE_PROVIDER_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+  JARS += $(SUNJCE_PROVIDER_JAR_UNSIGNED)
+endif
+
+ifndef OPENJDK
+  SUNJCE_PROVIDER_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/sunjce_provider.jar
+  $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunJCE provider..."
+	$(install-file)
+else
+  $(SUNJCE_PROVIDER_JAR_DST): $(SUNJCE_PROVIDER_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(SUNJCE_PROVIDER_JAR_DST)
+
+##########################################################################################
+
+JCE_JAR_DST := $(JDK_OUTPUTDIR)/lib/jce.jar
+JCE_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/jce.jar
+
+ifneq ($(BUILD_CRYPTO), no)
+  $(eval $(call SetupArchive,BUILD_JCE_JAR, , \
+      SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+      SUFFIXES := .class, \
+      INCLUDES := javax/crypto sun/security/internal, \
+      JAR := $(JCE_JAR_UNSIGNED), \
+      MANIFEST := $(JCE_MANIFEST), \
+      SKIP_METAINF := true))
+
+  $(JCE_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+  JARS += $(JCE_JAR_UNSIGNED)
+endif
+
+ifndef OPENJDK
+  JCE_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/jce.jar
+  $(JCE_JAR_DST): $(JCE_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt jce.jar..."
+	$(install-file)
+else
+  $(JCE_JAR_DST): $(JCE_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(JCE_JAR_DST)
+
+##########################################################################################
+
+US_EXPORT_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/US_export_policy.jar
+US_EXPORT_POLICY_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/US_export_policy.jar
+
+ifneq ($(BUILD_CRYPTO), no)
+  #
+  # TODO fix so that SetupArchive does not write files into SRCS
+  # then we don't need this extra copying
+  #
+  # NOTE: We currently do not place restrictions on our limited export
+  # policy. This was not a typo.
+  #
+  US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
+  US_EXPORT_POLICY_JAR_TMP := $(JDK_OUTPUTDIR)/US_export_policy_jar.tmp
+
+  $(US_EXPORT_POLICY_JAR_TMP)/%: $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
+	$(install-file)
+
+  US_EXPORT_POLICY_JAR_DEPS := $(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
+
+  $(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR, $(US_EXPORT_POLICY_JAR_DEPS), \
+      SRCS := $(US_EXPORT_POLICY_JAR_TMP), \
+      SUFFIXES := .policy, \
+      JAR := $(US_EXPORT_POLICY_JAR_UNSIGNED), \
+      EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
+      SKIP_METAINF := true))
+
+  JARS += $(US_EXPORT_POLICY_JAR_UNSIGNED)
+endif
+
+ifndef OPENJDK
+  $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
+	$(ECHO) $(LOG_INFO) Copying $(@F)
+	$(install-file)
+else
+  $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(US_EXPORT_POLICY_JAR_DST)
+
+##########################################################################################
+
+LOCAL_POLICY_JAR_DST := $(JDK_OUTPUTDIR)/lib/security/local_policy.jar
+LOCAL_POLICY_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/local_policy.jar
+
+ifneq ($(BUILD_CRYPTO), no)
+  #
+  # TODO fix so that SetupArchive does not write files into SRCS
+  # then we don't need this extra copying
+  #
+  LOCAL_POLICY_JAR_TMP := $(JDK_OUTPUTDIR)/local_policy_jar.tmp
+
+  ifeq ($(UNLIMITED_CRYPTO), true)
+    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
+    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/default_local.policy
+    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: unlimited
+  else
+    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/limited
+    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/exempt_local.policy \
+        $(LOCAL_POLICY_JAR_TMP)/default_local.policy
+    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: limited
+  endif
+
+  $(LOCAL_POLICY_JAR_TMP)/%: $(LOCAL_POLICY_JAR_SRC_DIR)/%
+	$(install-file)
+
+  $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR, $(LOCAL_POLICY_JAR_DEPS), \
+      SRCS := $(LOCAL_POLICY_JAR_TMP), \
+      SUFFIXES := .policy, \
+      JAR := $(LOCAL_POLICY_JAR_UNSIGNED), \
+      EXTRA_MANIFEST_ATTR := $(LOCAL_POLICY_JAR_ATTR), \
+      SKIP_METAINF := true))
+
+  JARS += $(LOCAL_POLICY_JAR_UNSIGNED)
+endif
+
+ifndef OPENJDK
+  $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
+	$(ECHO) $(LOG_INFO) Copying $(@F)
+	$(install-file)
+else
+  $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNSIGNED)
+	$(install-file)
+endif
+
+JARS += $(LOCAL_POLICY_JAR_DST)
+
+##########################################################################################
+
+ifeq ($(OPENJDK_TARGET_OS), windows)
+
+  SUNMSCAPI_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/sunmscapi.jar
+  SUNMSCAPI_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/sunmscapi.jar
+
+  $(eval $(call SetupArchive,BUILD_SUNMSCAPI_JAR, , \
+      SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+      SUFFIXES := .class, \
+      INCLUDES := sun/security/mscapi, \
+      JAR := $(SUNMSCAPI_JAR_UNSIGNED), \
+      MANIFEST := $(JCE_MANIFEST), \
+      SKIP_METAINF := true))
+
+  $(SUNMSCAPI_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+  ifndef OPENJDK
+    SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
+    $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunMSCAPI provider..."
+	$(install-file)
+  else
+    $(SUNMSCAPI_JAR_DST): $(SUNMSCAPI_JAR_UNSIGNED)
+	$(install-file)
+  endif
+
+  JARS += $(SUNMSCAPI_JAR_UNSIGNED) $(SUNMSCAPI_JAR_DST)
+
+endif
+
+##########################################################################################
+
+ifeq ($(OPENJDK_TARGET_OS), solaris)
+  ifndef OPENJDK
+
+    UCRYPTO_JAR_DST := $(JDK_OUTPUTDIR)/lib/ext/ucrypto.jar
+    UCRYPTO_JAR_UNSIGNED := $(JDK_OUTPUTDIR)/unsigned/ucrypto.jar
+    UCRYPTO_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ucrypto/ucrypto.jar
+
+    $(eval $(call SetupArchive,BUILD_UCRYPTO_JAR, , \
+        SRCS := $(JDK_OUTPUTDIR)/classes_security, \
+        SUFFIXES := .class, \
+        INCLUDES := com/oracle/security/ucrypto, \
+        JAR := $(UCRYPTO_JAR_UNSIGNED), \
+        MANIFEST := $(JCE_MANIFEST), \
+        SKIP_METAINF := true))
+
+    $(UCRYPTO_JAR_UNSIGNED): $(JCE_MANIFEST)
+
+    $(UCRYPTO_JAR_DST): $(UCRYPTO_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt OracleUcrypto provider..."
+	$(install-file)
+
+    JARS += $(UCRYPTO_JAR_UNSIGNED) $(UCRYPTO_JAR_DST)
+
+  endif
+endif
+
+all: $(JARS)
+
+.PHONY: default all
--- a/jdk/makefiles/SignJars.gmk
+++ b/jdk/makefiles/SignJars.gmk
@ -78,7 +78,7 @@ check-keystore:
 	  exit 2; \
 	fi

-$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/%
+$(JCE_OUTPUTDIR)/%: $(JDK_OUTPUTDIR)/unsigned/%
 	$(call install-file)
 	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
 	    $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)