Add patch to login to the NSS software token when in FIPS mode.

2021-09-14 02:59:18 +01:00 · 2021-09-14 02:59:18 +01:00 · aa2c8f31b9
commit aa2c8f31b9
parent 0cb1fbdb0b
2 changed files with 62 additions and 1 deletions
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@ -309,7 +309,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      1
+%global rpmrelease      2
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -1310,6 +1310,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
 Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1008: rh1996182-login_to_nss_software_token.patch

 #############################################
 #
@ -1838,6 +1840,7 @@ sh %{SOURCE12}
 %patch1005
 %patch1006
 %patch1007
+%patch1008

 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -2595,6 +2598,9 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.2.ea
+- Add patch to login to the NSS software token when in FIPS mode.
+
 * Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
 - Update to aarch64-shenandoah-jdk8u312-b03 (EA)
 - Update release notes for 8u312-b03.
--- a/rh1996182-login_to_nss_software_token.patch
+++ b/rh1996182-login_to_nss_software_token.patch
@ -0,0 +1,55 @@
+# HG changeset patch
+# User mbalao
+# Date 1630103180 -3600
+#      Fri Aug 27 23:26:20 2021 +0100
+# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
+# Parent  c90394a76ee02a689f95199559d5724824b4b25e
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
+import sun.misc.SharedSecrets;
+
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ 
+@@ -58,6 +60,9 @@
+  */
+ public final class SunPKCS11 extends AuthProvider {
+ 
+    private static final boolean systemFipsEnabled = SharedSecrets
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
+     private static final long serialVersionUID = -1354835039035306505L;
+ 
+     static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -368,6 +373,24 @@
+             if (nssModule != null) {
+                 nssModule.setProvider(this);
+             }
+            if (systemFipsEnabled) {
+                // The NSS Software Token in FIPS 140-2 mode requires a user
+                // login for most operations. See sftk_fipsCheck. The NSS DB
+                // (/etc/pki/nssdb) PIN is empty.
+                Session session = null;
+                try {
+                    session = token.getOpSession();
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
+                } catch (PKCS11Exception p11e) {
+                    if (debug != null) {
+                        debug.println("Error during token login: " +
+                                p11e.getMessage());
+                    }
+                    throw p11e;
+                } finally {
+                    token.releaseSession(session);
+                }
+            }
+         } catch (Exception e) {
+             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+                 throw new UnsupportedOperationException