From aa2c8f31b92b74e2eca59bdcf1acb5b92792764b Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 14 Sep 2021 02:59:18 +0100 Subject: [PATCH] Add patch to login to the NSS software token when in FIPS mode. --- java-1.8.0-openjdk.spec | 8 ++- rh1996182-login_to_nss_software_token.patch | 55 +++++++++++++++++++++ 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 rh1996182-login_to_nss_software_token.patch diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 3d857b9..dfda03b 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -309,7 +309,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1310,6 +1310,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch # RH1929465: Improve system FIPS detection Patch1006: rh1929465-improve_system_FIPS_detection-root.patch Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1008: rh1996182-login_to_nss_software_token.patch ############################################# # @@ -1838,6 +1840,7 @@ sh %{SOURCE12} %patch1005 %patch1006 %patch1007 +%patch1008 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -2595,6 +2598,9 @@ cjc.mainProgram(args) %endif %changelog +* Fri Sep 10 2021 Andrew Hughes - 1:1.8.0.312.b03-0.2.ea +- Add patch to login to the NSS software token when in FIPS mode. + * Mon Sep 13 2021 Andrew Hughes - 1:1.8.0.312.b03-0.1.ea - Update to aarch64-shenandoah-jdk8u312-b03 (EA) - Update release notes for 8u312-b03. diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..341e092 --- /dev/null +++ b/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,55 @@ +# HG changeset patch +# User mbalao +# Date 1630103180 -3600 +# Fri Aug 27 23:26:20 2021 +0100 +# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3 +# Parent c90394a76ee02a689f95199559d5724824b4b25e +RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,8 @@ + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +60,9 @@ + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -368,6 +373,24 @@ + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException