Add patch to login to the NSS software token when in FIPS mode.

This commit is contained in:
Andrew Hughes 2021-09-14 02:59:18 +01:00
parent 0cb1fbdb0b
commit aa2c8f31b9
2 changed files with 62 additions and 1 deletions

View File

@ -309,7 +309,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27 # eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
%global rpmrelease 1 %global rpmrelease 2
# Define milestone (EA for pre-releases, GA ("fcs") for releases) # Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -1310,6 +1310,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection # RH1929465: Improve system FIPS detection
Patch1006: rh1929465-improve_system_FIPS_detection-root.patch Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1008: rh1996182-login_to_nss_software_token.patch
############################################# #############################################
# #
@ -1838,6 +1840,7 @@ sh %{SOURCE12}
%patch1005 %patch1005
%patch1006 %patch1006
%patch1007 %patch1007
%patch1008
# RHEL-only patches # RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -2595,6 +2598,9 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.2.ea
- Add patch to login to the NSS software token when in FIPS mode.
* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea * Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
- Update to aarch64-shenandoah-jdk8u312-b03 (EA) - Update to aarch64-shenandoah-jdk8u312-b03 (EA)
- Update release notes for 8u312-b03. - Update release notes for 8u312-b03.

View File

@ -0,0 +1,55 @@
# HG changeset patch
# User mbalao
# Date 1630103180 -3600
# Fri Aug 27 23:26:20 2021 +0100
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
# Parent c90394a76ee02a689f95199559d5724824b4b25e
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
+import sun.misc.SharedSecrets;
+
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -58,6 +60,9 @@
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -368,6 +373,24 @@
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException