2021-08-27 19:35:51 +00:00
|
|
|
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
|
|
|
|
Author: Martin Balao <mbalao@redhat.com>
|
|
|
|
Date: Fri Aug 27 19:42:07 2021 +0100
|
|
|
|
|
|
|
|
RH1996182: Login to the NSS Software Token in FIPS Mode
|
|
|
|
|
|
|
|
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
2022-02-11 12:17:59 +00:00
|
|
|
index 5460efcf8c..f08dc2fafc 100644
|
2021-08-27 19:35:51 +00:00
|
|
|
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
|
|
|
+++ openjdk/src/java.base/share/classes/module-info.java
|
|
|
|
@@ -182,6 +182,7 @@ module java.base {
|
|
|
|
java.security.jgss,
|
|
|
|
java.sql,
|
|
|
|
java.xml,
|
|
|
|
+ jdk.crypto.cryptoki,
|
|
|
|
jdk.jartool,
|
|
|
|
jdk.attach,
|
|
|
|
jdk.charsets,
|
|
|
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
2022-02-11 12:17:59 +00:00
|
|
|
index 5e227f4531..164de8ff08 100644
|
2021-08-27 19:35:51 +00:00
|
|
|
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
|
|
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
2022-02-11 12:17:59 +00:00
|
|
|
@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
|
2021-08-27 19:35:51 +00:00
|
|
|
import javax.security.auth.callback.PasswordCallback;
|
|
|
|
|
2022-02-11 12:17:59 +00:00
|
|
|
import jdk.internal.misc.InnocuousThread;
|
2021-08-27 19:35:51 +00:00
|
|
|
+import jdk.internal.misc.SharedSecrets;
|
|
|
|
+
|
|
|
|
import sun.security.util.Debug;
|
|
|
|
import sun.security.util.ResourcesMgr;
|
|
|
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
2022-02-11 12:17:59 +00:00
|
|
|
@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
2021-08-27 19:35:51 +00:00
|
|
|
*/
|
|
|
|
public final class SunPKCS11 extends AuthProvider {
|
|
|
|
|
|
|
|
+ private static final boolean systemFipsEnabled = SharedSecrets
|
|
|
|
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
|
|
|
+
|
|
|
|
private static final long serialVersionUID = -1354835039035306505L;
|
|
|
|
|
|
|
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
2022-02-11 12:17:59 +00:00
|
|
|
@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
|
2021-08-27 19:35:51 +00:00
|
|
|
if (nssModule != null) {
|
|
|
|
nssModule.setProvider(this);
|
|
|
|
}
|
|
|
|
+ if (systemFipsEnabled) {
|
|
|
|
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
|
|
|
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
|
|
|
+ // (/etc/pki/nssdb) PIN is empty.
|
|
|
|
+ Session session = null;
|
|
|
|
+ try {
|
|
|
|
+ session = token.getOpSession();
|
|
|
|
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
|
|
|
+ } catch (PKCS11Exception p11e) {
|
|
|
|
+ if (debug != null) {
|
|
|
|
+ debug.println("Error during token login: " +
|
|
|
|
+ p11e.getMessage());
|
|
|
|
+ }
|
|
|
|
+ throw p11e;
|
|
|
|
+ } finally {
|
|
|
|
+ token.releaseSession(session);
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
} catch (Exception e) {
|
|
|
|
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
|
|
|
throw new UnsupportedOperationException
|