From 25304fcaf5ff06bc15e9901723d179fafa316988 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Fri, 27 Aug 2021 20:35:51 +0100
Subject: [PATCH] Add patch to login to the NSS software token when in FIPS mode.

Resolves: rhbz#1997360
---
 java-11-openjdk.spec                        | 11 +++-
 rh1996182-login_to_nss_software_token.patch | 66 +++++++++++++++++++++
 2 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 rh1996182-login_to_nss_software_token.patch

diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 9e42c3b..03dd310 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -343,7 +343,7 @@
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 7
-%global rpmrelease 0
+%global rpmrelease 1
 #%%global tagsuffix ""
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -1124,7 +1124,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
 Name: java-%{javaver}-%{origin}
 Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
@@ -1220,6 +1220,8 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1009: rh1996182-login_to_nss_software_token.patch
 
 #############################################
 #
@@ -1619,6 +1621,7 @@ popd # openjdk
 %patch1004
 %patch1007
 %patch1008
+%patch1009
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -2310,6 +2313,10 @@ require "copy_jdk_configs.lua"
 %endif
 
 %changelog
+* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-1
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997360
+
 * Mon Aug 09 2021 Mohan Boddu - 1:11.0.12.0.7-0.1
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..d3a1dde
--- /dev/null
+++ b/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+ 
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software 
Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
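Review bot: The empty-PIN `C_Login` added to the SunPKCS11 constructor is gated on `systemFipsEnabled` alone, so on a FIPS-enabled host it runs against whatever PKCS#11 library this provider instance was configured with, not only the NSS software token the comment describes; if SunPKCS11 can be instantiated with another library on such a host, a failed empty-PIN login is at best a spurious initialization failure and may count toward that token's PIN retry limit, so tying the check to the NSS configuration (for example `if (systemFipsEnabled && nssModule != null) {`, if `nssModule` reliably identifies that setup) would be safer. The failure path is fail-closed as written — `throw p11e` reaches the enclosing `catch (Exception e)` and aborts provider initialization — which is worth stating in the comment, e.g. `// A login failure aborts provider initialization (see the enclosing catch); there is no unauthenticated fallback in FIPS mode.` In the `finally`, `session` is still null when `getOpSession()` itself threw; unless `releaseSession` is documented to accept null, guard it with `if (session != null) { token.releaseSession(session); }` so a NullPointerException cannot replace the original PKCS11Exception. The login also relies on PKCS#11 login state being shared by all of the application's sessions on the token, which is why logging in on a temporary op session and then releasing it is sufficient; a one-line comment saying so would help the next reader. The constructor this code sits in starts and ends outside the inner hunk.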