From dd2637f80a36667c4a75c63e28dcc4090492729c Mon Sep 17 00:00:00 2001 From: Thomas Fitzsimmons Date: Wed, 11 Feb 2026 10:26:57 -0500 Subject: [PATCH] Set fipsver to e1780dd5d39 - Set fipsver to e1780dd5d39 --- ...15ac9a.patch => fips-17u-e1780dd5d39.patch | 30 +++++++++---------- java-17-openjdk.spec | 4 ++- 2 files changed, 18 insertions(+), 16 deletions(-) rename fips-17u-df4c415ac9a.patch => fips-17u-e1780dd5d39.patch (99%) diff --git a/fips-17u-df4c415ac9a.patch b/fips-17u-e1780dd5d39.patch similarity index 99% rename from fips-17u-df4c415ac9a.patch rename to fips-17u-e1780dd5d39.patch index 30c70ce..ebb9723 100644 --- a/fips-17u-df4c415ac9a.patch +++ b/fips-17u-e1780dd5d39.patch @@ -1798,7 +1798,7 @@ index ea28bb8747e..77161eb3844 100644 + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index fad70bdc058..29a813a485f 100644 +index 8f1ecae3ed1..044056c7bc8 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -152,6 +152,8 @@ module java.base { @@ -2508,7 +2508,7 @@ index 00000000000..dc8bc72fccb + } +} diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index e26b7f8c394..08effe23fce 100644 +index 50944836820..9391ad0d798 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -82,6 +82,17 @@ security.provider.tbd=Apple @@ -2593,7 +2593,7 @@ index e26b7f8c394..08effe23fce 100644 # the javax.net.ssl package. diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in new file mode 100644 -index 00000000000..55bbba98b7a +index 00000000000..6de716e6b42 --- /dev/null +++ b/src/java.base/share/conf/security/nss.fips.cfg.in @@ -0,0 +1,8 @@ @@ -2606,10 +2606,10 @@ index 00000000000..55bbba98b7a +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + 
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index 4e3c326cb2f..c39faee2f43 100644 +index 9bd5dd53bd3..d1eba14c252 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy -@@ -123,6 +123,7 @@ grant codeBase "jrt:/jdk.charsets" { +@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.charsets" { grant codeBase "jrt:/jdk.crypto.ec" { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; @@ -2617,7 +2617,7 @@ index 4e3c326cb2f..c39faee2f43 100644 permission java.lang.RuntimePermission "loadLibrary.sunec"; permission java.security.SecurityPermission "putProviderProperty.SunEC"; permission java.security.SecurityPermission "clearProviderProperties.SunEC"; -@@ -132,6 +133,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { +@@ -133,6 +134,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.lang.RuntimePermission "accessClassInPackage.com.sun.crypto.provider"; @@ -2625,7 +2625,7 @@ index 4e3c326cb2f..c39faee2f43 100644 permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; -@@ -142,6 +144,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { +@@ -143,6 +145,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; @@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index e05892e2c22..cb40c3bf794 100644 +index 006aa67f621..fd86a52e65c 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -5266,10 +5266,10 @@ index 0d65ee26805..38fd4aff1f3 100644 + /* (CKM_NSS + 32) */ = 0xCE534370L; } diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -index 3ea91a6cfd1..26309f4f7b2 100644 +index 376fd999261..d2b2b2e8013 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c -@@ -1518,6 +1518,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, +@@ -1517,6 +1517,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, case CKM_PBE_SHA1_DES3_EDE_CBC: case CKM_PBE_SHA1_DES2_EDE_CBC: case CKM_PBA_SHA1_WITH_SHA1_HMAC: @@ -5280,7 +5280,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644 ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength); break; case CKM_PKCS5_PBKD2: -@@ -1661,13 +1665,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) +@@ -1660,13 +1664,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) // retrieve java values jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); if (jPbeParamsClass == NULL) { return NULL; } @@ -5296,7 +5296,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644 if (fieldID == NULL) { return NULL; } jSalt = (*env)->GetObjectField(env, jParam, fieldID); fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); -@@ -1683,15 +1687,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) +@@ -1682,15 +1686,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) // populate using java values ckParamPtr->ulIteration = jLongToCKULong(jIteration); 
@@ -5315,7 +5315,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644 if ((*env)->ExceptionCheck(env)) { goto cleanup; } -@@ -1770,31 +1774,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job +@@ -1769,31 +1773,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job } } @@ -5384,7 +5384,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644 fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); if (fieldID == NULL) { return NULL; } jSaltSource = (*env)->GetLongField(env, jParam, fieldID); -@@ -1810,36 +1842,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL +@@ -1809,36 +1841,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); if (fieldID == NULL) { return NULL; } jPrfData = (*env)->GetObjectField(env, jParam, fieldID); @@ -5458,7 +5458,7 @@ index 3ea91a6cfd1..26309f4f7b2 100644 return NULL; diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -index 84edb3c5105..0f49657ada1 100644 +index 537bab224a0..3fd23558d3b 100644 --- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c +++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c @@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index b96183e..6f77ec5 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -368,7 +368,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver df4c415ac9a +%global fipsver e1780dd5d39 %global javaver %{featurever} %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} 
@@ -1404,6 +1404,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) # RH1940064: Enable XML Signature provider in FIPS mode (#24) # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) +# OPENJDK-4398: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (#44) Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# @@ -2513,6 +2514,7 @@ cjc.mainProgram(args) * Wed Feb 11 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-2 - Set rpmrelease to 2 - Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9 +- Set fipsver to e1780dd5d39 * Fri Jan 16 2026 Thomas Fitzsimmons - 1:17.0.18.0.8-1 - Update to jdk-17.0.18+8 (GA)
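Review bot: The comment added above `Patch1001` says the new FIPS revision grants CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY, but the bundled-patch hunks visible in this commit do not show that change. For `nss.fips.cfg.in` only the blob id moves (55bbba98b7a to 6de716e6b42), the section header stays `@@ -0,0 +1,8 @@`, and the one attributes line shown is unchanged context reading `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }`. Please confirm that `fips-17u-e1780dd5d39.patch` was regenerated from the intended revision, because this widens key-usage attributes in the FIPS token configuration and the exact line being shipped should be reviewable. The `%changelog` entry in the following hunk records only the hash; I would make it traceable, e.g. `- Set fipsver to e1780dd5d39 (OPENJDK-4398: nss.fips.cfg secret key attributes)`.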