Add patch to login to the NSS software token when in FIPS mode.

Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
2021-09-06 01:02:37 +01:00 · 2021-09-06 01:02:37 +01:00 · 83375279df
commit 83375279df
parent e782dfa8d3
3 changed files with 94 additions and 1 deletions
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@ -343,7 +343,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        7
-%global rpmrelease      6
+%global rpmrelease      7
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -1232,6 +1232,9 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
 Patch1007: rh1915071-always_initialise_configurator_access.patch
 # RH1929465: Improve system FIPS detection
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
 # RH1996182: Login to the NSS software token in FIPS mode
 Patch1009: rh1996182-login_to_nss_software_token.patch
 Patch1010: rh1996182-extend_security_policy.patch
 #############################################
 #
@ -1668,6 +1671,8 @@ popd # openjdk
 %patch1004
 %patch1007
 %patch1008
 %patch1009
 %patch1010
 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -2400,6 +2405,10 @@ end
 %endif
 %changelog
 * Sun Sep 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-7
 - Add patch to login to the NSS software token when in FIPS mode.
 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
 * Thu Sep 02 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-6
 - added posttrans hook which persist sanity of dir->symlink change in case of udpate from ancient versions
--- a/rh1996182-extend_security_policy.patch
+++ b/rh1996182-extend_security_policy.patch
@ -0,0 +1,18 @@
 commit 598fe421216b0a437fa36ee91a29966599867aa3
 Author: Andrew Hughes <gnu.andrew@redhat.com>
 Date:   Mon Aug 30 16:12:52 2021 +0100
    RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
 diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
 index ab59a334cd..5db744ff17 100644
 --- openjdk.orig/src/java.base/share/lib/security/default.policy
 +++ openjdk/src/java.base/share/lib/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
 grant codeBase "jrt:/jdk.crypto.cryptoki" {
     permission java.lang.RuntimePermission
                    "accessClassInPackage.com.sun.crypto.provider";
 +    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.*";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
--- a/rh1996182-login_to_nss_software_token.patch
+++ b/rh1996182-login_to_nss_software_token.patch
@ -0,0 +1,66 @@
 commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
 Author: Martin Balao <mbalao@redhat.com>
 Date:   Fri Aug 27 19:42:07 2021 +0100
    RH1996182: Login to the NSS Software Token in FIPS Mode
 diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
 index 0cf61732d7..2cd851587c 100644
 --- openjdk.orig/src/java.base/share/classes/module-info.java
 +++ openjdk/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@ module java.base {
         java.security.jgss,
         java.sql,
         java.xml,
 +        jdk.crypto.cryptoki,
         jdk.jartool,
         jdk.attach,
         jdk.charsets,
 diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 index b00b738b85..1eca1f8f0a 100644
 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.TextOutputCallback;
 +import jdk.internal.misc.SharedSecrets;
 +
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
  */
 public final class SunPKCS11 extends AuthProvider {
 +    private static final boolean systemFipsEnabled = SharedSecrets
 +            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
 +
     private static final long serialVersionUID = -1354835039035306505L;
     static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
 +            if (systemFipsEnabled) {
 +                // The NSS Software Token in FIPS 140-2 mode requires a user
 +                // login for most operations. See sftk_fipsCheck. The NSS DB
 +                // (/etc/pki/nssdb) PIN is empty.
 +                Session session = null;
 +                try {
 +                    session = token.getOpSession();
 +                    p11.C_Login(session.id(), CKU_USER, new char[] {});
 +                } catch (PKCS11Exception p11e) {
 +                    if (debug != null) {
 +                        debug.println("Error during token login: " +
 +                                p11e.getMessage());
 +                    }
 +                    throw p11e;
 +                } finally {
 +                    token.releaseSession(session);
 +                }
 +            }
         } catch (Exception e) {
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException