From f830fdccdcc694a1ee327d6bf884166712629671 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Fri, 27 Aug 2021 23:42:57 +0100 Subject: [PATCH] Add patch to login to the NSS software token when in FIPS mode. Resolves: rhbz#1997363 --- java-1.8.0-openjdk.spec | 9 +++- rh1996182-login_to_nss_software_token.patch | 55 +++++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 rh1996182-login_to_nss_software_token.patch diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 05c0ae7..eeaf80b 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -289,7 +289,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1289,6 +1289,8 @@ Patch1005: rh1906862-always_initialise_configurator_access.patch # RH1929465: Improve system FIPS detection Patch1006: rh1929465-improve_system_FIPS_detection-root.patch Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1008: rh1996182-login_to_nss_software_token.patch ############################################# # @@ -1762,6 +1764,7 @@ sh %{SOURCE12} %patch1005 %patch1006 %patch1007 +%patch1008 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -2457,6 +2460,10 @@ cjc.mainProgram(args) %endif %changelog +* Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997363 + * Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-2 - Port FIPS system detection support to OpenJDK 8u - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..341e092 --- /dev/null +++ b/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,55 @@ +# HG changeset patch +# User mbalao +# Date 1630103180 -3600 +# Fri Aug 27 23:26:20 2021 +0100 +# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3 +# Parent c90394a76ee02a689f95199559d5724824b4b25e +RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,8 @@ + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +60,9 @@ + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -368,6 +373,24 @@ + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException