Add patch to login to the NSS software token when in FIPS mode.
Resolves: rhbz#1997360
This commit is contained in:
parent
f61cab7066
commit
25304fcaf5
@ -343,7 +343,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 7
|
%global buildver 7
|
||||||
%global rpmrelease 0
|
%global rpmrelease 1
|
||||||
#%%global tagsuffix ""
|
#%%global tagsuffix ""
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
@ -1124,7 +1124,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
|
|||||||
|
|
||||||
Name: java-%{javaver}-%{origin}
|
Name: java-%{javaver}-%{origin}
|
||||||
Version: %{newjavaver}.%{buildver}
|
Version: %{newjavaver}.%{buildver}
|
||||||
Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
|
Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
|
||||||
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
|
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
|
||||||
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
|
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
|
||||||
# also included the epoch in their virtual provides. This created a
|
# also included the epoch in their virtual provides. This created a
|
||||||
@ -1220,6 +1220,8 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
|
|||||||
Patch1007: rh1915071-always_initialise_configurator_access.patch
|
Patch1007: rh1915071-always_initialise_configurator_access.patch
|
||||||
# RH1929465: Improve system FIPS detection
|
# RH1929465: Improve system FIPS detection
|
||||||
Patch1008: rh1929465-improve_system_FIPS_detection.patch
|
Patch1008: rh1929465-improve_system_FIPS_detection.patch
|
||||||
|
# RH1996182: Login to the NSS software token in FIPS mode
|
||||||
|
Patch1009: rh1996182-login_to_nss_software_token.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
#
|
#
|
||||||
@ -1619,6 +1621,7 @@ popd # openjdk
|
|||||||
%patch1004
|
%patch1004
|
||||||
%patch1007
|
%patch1007
|
||||||
%patch1008
|
%patch1008
|
||||||
|
%patch1009
|
||||||
|
|
||||||
# Extract systemtap tapsets
|
# Extract systemtap tapsets
|
||||||
%if %{with_systemtap}
|
%if %{with_systemtap}
|
||||||
@ -2310,6 +2313,10 @@ require "copy_jdk_configs.lua"
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
|
||||||
|
- Add patch to login to the NSS software token when in FIPS mode.
|
||||||
|
- Resolves: rhbz#1997360
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:11.0.12.0.7-0.1
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:11.0.12.0.7-0.1
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
Related: rhbz#1991688
|
Related: rhbz#1991688
|
||||||
|
66
rh1996182-login_to_nss_software_token.patch
Normal file
66
rh1996182-login_to_nss_software_token.patch
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
|
||||||
|
Author: Martin Balao <mbalao@redhat.com>
|
||||||
|
Date: Fri Aug 27 19:42:07 2021 +0100
|
||||||
|
|
||||||
|
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||||
|
|
||||||
|
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||||
|
index 0cf61732d7..2cd851587c 100644
|
||||||
|
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||||
|
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||||
|
@@ -182,6 +182,7 @@ module java.base {
|
||||||
|
java.security.jgss,
|
||||||
|
java.sql,
|
||||||
|
java.xml,
|
||||||
|
+ jdk.crypto.cryptoki,
|
||||||
|
jdk.jartool,
|
||||||
|
jdk.attach,
|
||||||
|
jdk.charsets,
|
||||||
|
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
index b00b738b85..1eca1f8f0a 100644
|
||||||
|
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||||
|
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
|
||||||
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
|
import javax.security.auth.callback.TextOutputCallback;
|
||||||
|
|
||||||
|
+import jdk.internal.misc.SharedSecrets;
|
||||||
|
+
|
||||||
|
import sun.security.util.Debug;
|
||||||
|
import sun.security.util.ResourcesMgr;
|
||||||
|
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||||
|
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||||
|
*/
|
||||||
|
public final class SunPKCS11 extends AuthProvider {
|
||||||
|
|
||||||
|
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||||
|
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||||
|
+
|
||||||
|
private static final long serialVersionUID = -1354835039035306505L;
|
||||||
|
|
||||||
|
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||||
|
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
|
||||||
|
if (nssModule != null) {
|
||||||
|
nssModule.setProvider(this);
|
||||||
|
}
|
||||||
|
+ if (systemFipsEnabled) {
|
||||||
|
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
||||||
|
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
||||||
|
+ // (/etc/pki/nssdb) PIN is empty.
|
||||||
|
+ Session session = null;
|
||||||
|
+ try {
|
||||||
|
+ session = token.getOpSession();
|
||||||
|
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
||||||
|
+ } catch (PKCS11Exception p11e) {
|
||||||
|
+ if (debug != null) {
|
||||||
|
+ debug.println("Error during token login: " +
|
||||||
|
+ p11e.getMessage());
|
||||||
|
+ }
|
||||||
|
+ throw p11e;
|
||||||
|
+ } finally {
|
||||||
|
+ token.releaseSession(session);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
} catch (Exception e) {
|
||||||
|
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||||
|
throw new UnsupportedOperationException
|
Loading…
Reference in New Issue
Block a user