From 83375279dfc102b3357869ac141fe4c069a2ea03 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Mon, 6 Sep 2021 01:02:37 +0100
Subject: [PATCH] Add patch to login to the NSS software token when in FIPS mode.
Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
---
 java-11-openjdk.spec | 11 +++-
 rh1996182-extend_security_policy.patch | 18 ++++++
 rh1996182-login_to_nss_software_token.patch | 66 +++++++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 rh1996182-extend_security_policy.patch
 create mode 100644 rh1996182-login_to_nss_software_token.patch
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index f36c50d..cad39ec 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -343,7 +343,7 @@
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 7
-%global rpmrelease 6
+%global rpmrelease 7
 #%%global tagsuffix %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -1232,6 +1232,9 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1009: rh1996182-login_to_nss_software_token.patch
+Patch1010: rh1996182-extend_security_policy.patch
 
 #############################################
 #
@@ -1668,6 +1671,8 @@ popd # openjdk
 %patch1004
 %patch1007
 %patch1008
+%patch1009
+%patch1010
 
 # Extract systemtap tapsets
 %if %{with_systemtap}
@@ -2400,6 +2405,10 @@ end
 %endif
 
 %changelog
+* Sun Sep 05 2021 Andrew Hughes - 1:11.0.12.0.7-7
+- Add patch to login to the NSS software token when in FIPS mode.
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
+
 * Thu Sep 02 2021 Jiri Vanek - 1:11.0.12.0.7-6
 - added posttrans hook which persist sanity of dir->symlink change in case of udpate from ancient versions
diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch
new file mode 100644
index 0000000..78552c3
--- /dev/null
+++ b/rh1996182-extend_security_policy.patch
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..d3a1dde
--- /dev/null
+++ b/rh1996182-login_to_nss_software_token.patch
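Review bot: The new `accessClassInPackage.jdk.internal.misc` grant for `jrt:/jdk.crypto.cryptoki` in the nested default.policy hunk carries no comment saying what in the module needs it, so nothing in the policy file ties it to the SharedSecrets lookup that the companion RH1996182 SunPKCS11 patch introduces, and a later cleanup cannot tell whether it is still required. A one-line comment above the added permission would fix that, e.g. `// RH1996182: SunPKCS11 reads the system FIPS flag via jdk.internal.misc.SharedSecrets`. Because accessClassInPackage is package-granular, the grant gives the cryptoki module access to every class in jdk.internal.misc under a SecurityManager, not only SharedSecrets; that matches the neighbouring `sun.security.*` grant in style but is worth stating in the commit message so the widening is a recorded decision.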
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 0cf61732d7..2cd851587c 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index b00b738b85..1eca1f8f0a 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+ 
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+ 
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+ 
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
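Review bot: The new catch block in the SunPKCS11 constructor hunk rethrows every PKCS11Exception, so a token that is already logged in (CKR_USER_ALREADY_LOGGED_IN, for instance when a second SunPKCS11 instance is created over the same NSS module) aborts provider startup unless handleStartupErrors is ERR_IGNORE_ALL, even though the login requirement is already satisfied. The provider's own login() path elsewhere in this file presumably tolerates that return code, and the constructor path should match it by checking `p11e.getErrorCode()` against the statically imported constant, as in the rewrite below. The guard also keys only on the global systemFipsEnabled flag and not on whether this instance is backed by the NSS software token the comment describes, so a non-NSS PKCS#11 library configured while system FIPS is on would also receive an empty-PIN C_Login; a comment stating that assumption, or a narrower condition, would help. The finally clause passes a still-null session to token.releaseSession() when getOpSession() throws, which is fine only if releaseSession is null-tolerant — confirm. The enclosing constructor try block starts and ends outside the nested hunk.
```java
                } catch (PKCS11Exception p11e) {
                    // A token that is already logged in still satisfies the
                    // FIPS login requirement; only real failures abort startup.
                    if (p11e.getErrorCode() == CKR_USER_ALREADY_LOGGED_IN) {
                        if (debug != null) {
                            debug.println("Token already logged in");
                        }
                    } else {
                        if (debug != null) {
                            debug.println("Error during token login: " +
                                    p11e.getMessage());
                        }
                        throw p11e;
                    }
                } finally {
                    // … unchanged: token.releaseSession(session) …
                }
```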