From 5b6071b3926edbc0ae13e661af5530dc7fcb7115 Mon Sep 17 00:00:00 2001 From: Francisco Ferrari Bihurriet Date: Thu, 30 Jun 2022 14:59:36 -0300 Subject: [PATCH] RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#ATTRS Resolves: rhbz#2102435 --- java-1.8.0-openjdk.spec | 6 +++++- nss.fips.cfg.in | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 15fd21c..e32c6b4 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -324,7 +324,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -2658,6 +2658,10 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-2 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102435 + * Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1 - Update to shenandoah-jdk8u332-b09 (GA) - Update release notes for 8u332-b09. diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in index 1aff153..2d9ec35 100644 --- a/nss.fips.cfg.in +++ b/nss.fips.cfg.in @@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } +
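Review bot: The new `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` line in nss.fips.cfg.in has no comment explaining it, so the reason for the template is recorded only in the commit message and the spec changelog. I would put a comment directly above it, for example `# RH2007331: generic secret keys need CKA_SIGN=true in FIPS mode (SunPKCS11 attributes configuration)`. The template matches every CKK_GENERIC_SECRET key created through this provider configuration, so keys that are never meant for signing or MAC use would presumably also become signing-capable. If that breadth is intended, the comment should say so; if not, it is worth confirming whether a narrower template is possible. The diffstat lists only the spec file and this config, so nothing in the patch checks that a generated or imported key actually ends up with CKA_SIGN set in FIPS mode.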