Add patch to login to the NSS software token when in FIPS mode.

Resolves: rhbz#1997363

java-1.8.0-openjdk.spec

@@ -289,7 +289,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      2
+%global rpmrelease      3
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1289,6 +1289,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
 Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1008: rh1996182-login_to_nss_software_token.patch
 
 #############################################
 #
@@ -1762,6 +1764,7 @@ sh %{SOURCE12}
 %patch1005
 %patch1006
 %patch1007
+%patch1008
 
 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -2457,6 +2460,10 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997363
+
 * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
 - Port FIPS system detection support to OpenJDK 8u
 - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.

rh1996182-login_to_nss_software_token.patch

@@ -0,0 +1,55 @@
+# HG changeset patch
+# User mbalao
+# Date 1630103180 -3600
+#      Fri Aug 27 23:26:20 2021 +0100
+# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
+# Parent  c90394a76ee02a689f95199559d5724824b4b25e
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ 
+@@ -58,6 +60,9 @@
+  */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++    private static final boolean systemFipsEnabled = SharedSecrets
++            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+     private static final long serialVersionUID = -1354835039035306505L;
+ 
+     static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -368,6 +373,24 @@
+             if (nssModule != null) {
+                 nssModule.setProvider(this);
+             }
++            if (systemFipsEnabled) {
++                // The NSS Software Token in FIPS 140-2 mode requires a user
++                // login for most operations. See sftk_fipsCheck. The NSS DB
++                // (/etc/pki/nssdb) PIN is empty.
++                Session session = null;
++                try {
++                    session = token.getOpSession();
++                    p11.C_Login(session.id(), CKU_USER, new char[] {});
++                } catch (PKCS11Exception p11e) {
++                    if (debug != null) {
++                        debug.println("Error during token login: " +
++                                p11e.getMessage());
++                    }
++                    throw p11e;
++                } finally {
++                    token.releaseSession(session);
++                }
++            }
+         } catch (Exception e) {
+             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+                 throw new UnsupportedOperationException