RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode

Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION Resolves: rhbz#2102434
2022-06-30 14:51:35 -03:00 · 2022-06-30 14:51:35 -03:00 · ecd7dd9860
commit ecd7dd9860
parent 57e78ff50f
2 changed files with 7 additions and 1 deletions
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@ -367,7 +367,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        10
-%global rpmrelease      2
+%global rpmrelease      3
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -2593,6 +2593,10 @@ require "copy_jdk_configs.lua"
 %endif
 %changelog
 * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:11.0.15.0.10-3
 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
 - Resolves: rhbz#2102434
 * Thu Jun 30 2022 Stephan Bergmann <sbergman@redhat.com> - 1:11.0.15.0.10-2
 - Fix flatpak builds by exempting them from bootstrap
 - Resolves: rhbz#2067189
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
 attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }