# HG changeset patch # User mbalao # Date 1630103180 -3600 # Fri Aug 27 23:26:20 2021 +0100 # Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3 # Parent c90394a76ee02a689f95199559d5724824b4b25e RH1996182: Login to the NSS Software Token in FIPS Mode diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java --- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -42,6 +42,8 @@ import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.TextOutputCallback; +import sun.misc.SharedSecrets; + import sun.security.util.Debug; import sun.security.util.ResourcesMgr; @@ -58,6 +60,9 @@ */ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); @@ -368,6 +373,24 @@ if (nssModule != null) { nssModule.setProvider(this); } + if (systemFipsEnabled) { + // The NSS Software Token in FIPS 140-2 mode requires a user + // login for most operations. See sftk_fipsCheck. The NSS DB + // (/etc/pki/nssdb) PIN is empty. + Session session = null; + try { + session = token.getOpSession(); + p11.C_Login(session.id(), CKU_USER, new char[] {}); + } catch (PKCS11Exception p11e) { + if (debug != null) { + debug.println("Error during token login: " + + p11e.getMessage()); + } + throw p11e; + } finally { + token.releaseSession(session); + } + } } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException