Add patch to login to the NSS software token when in FIPS mode.
This commit is contained in:
parent
0cb1fbdb0b
commit
aa2c8f31b9
@ -309,7 +309,7 @@
|
|||||||
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
|
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
|
||||||
# eg jdk8u60-b27 -> b27
|
# eg jdk8u60-b27 -> b27
|
||||||
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
|
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
|
||||||
%global rpmrelease 1
|
%global rpmrelease 2
|
||||||
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
|
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
|
||||||
# Release will be (where N is usually a number starting at 1):
|
# Release will be (where N is usually a number starting at 1):
|
||||||
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
# - 0.N%%{?extraver}%%{?dist} for EA releases,
|
||||||
@ -1310,6 +1310,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch
|
|||||||
# RH1929465: Improve system FIPS detection
|
# RH1929465: Improve system FIPS detection
|
||||||
Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
|
Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
|
||||||
Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
|
Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
|
||||||
|
# RH1996182: Login to the NSS software token in FIPS mode
|
||||||
|
Patch1008: rh1996182-login_to_nss_software_token.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
#
|
#
|
||||||
@ -1838,6 +1840,7 @@ sh %{SOURCE12}
|
|||||||
%patch1005
|
%patch1005
|
||||||
%patch1006
|
%patch1006
|
||||||
%patch1007
|
%patch1007
|
||||||
|
%patch1008
|
||||||
|
|
||||||
# RHEL-only patches
|
# RHEL-only patches
|
||||||
%if ! 0%{?fedora} && 0%{?rhel} <= 7
|
%if ! 0%{?fedora} && 0%{?rhel} <= 7
|
||||||
@ -2595,6 +2598,9 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.2.ea
|
||||||
|
- Add patch to login to the NSS software token when in FIPS mode.
|
||||||
|
|
||||||
* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
|
* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
|
||||||
- Update to aarch64-shenandoah-jdk8u312-b03 (EA)
|
- Update to aarch64-shenandoah-jdk8u312-b03 (EA)
|
||||||
- Update release notes for 8u312-b03.
|
- Update release notes for 8u312-b03.
|
||||||
|
55
rh1996182-login_to_nss_software_token.patch
Normal file
55
rh1996182-login_to_nss_software_token.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# User mbalao
|
||||||
|
# Date 1630103180 -3600
|
||||||
|
# Fri Aug 27 23:26:20 2021 +0100
|
||||||
|
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
|
||||||
|
# Parent c90394a76ee02a689f95199559d5724824b4b25e
|
||||||
|
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||||
|
|
||||||
|
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
@@ -42,6 +42,8 @@
|
||||||
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
|
import javax.security.auth.callback.TextOutputCallback;
|
||||||
|
|
||||||
|
+import sun.misc.SharedSecrets;
|
||||||
|
+
|
||||||
|
import sun.security.util.Debug;
|
||||||
|
import sun.security.util.ResourcesMgr;
|
||||||
|
|
||||||
|
@@ -58,6 +60,9 @@
|
||||||
|
*/
|
||||||
|
public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
|
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||||
|
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||||
|
+
|
||||||
|
private static final long serialVersionUID = -1354835039035306505L;
|
||||||
|
|
||||||
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
|
@@ -368,6 +373,24 @@
|
||||||
|
if (nssModule != null) {
|
||||||
|
nssModule.setProvider(this);
|
||||||
|
}
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
||||||
|
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
||||||
|
+ // (/etc/pki/nssdb) PIN is empty.
|
||||||
|
+ Session session = null;
|
||||||
|
+ try {
|
||||||
|
+ session = token.getOpSession();
|
||||||
|
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
||||||
|
+ } catch (PKCS11Exception p11e) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Error during token login: " +
|
||||||
|
+ p11e.getMessage());
|
||||||
|
+ }
|
||||||
|
+ throw p11e;
|
||||||
|
+ } finally {
|
||||||
|
+ token.releaseSession(session);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
} catch (Exception e) {
|
||||||
|
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||||
|
throw new UnsupportedOperationException
|
Loading…
Reference in New Issue
Block a user