From fb297243dca2ae0153c09736e65dd50caeeffa25 Mon Sep 17 00:00:00 2001
From: Francisco Ferrari Bihurriet
Date: Thu, 30 Jun 2022 13:51:25 -0300
Subject: [PATCH] RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode

Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION

Resolves: rhbz#2102433
---
 java-17-openjdk.spec | 6 +++++-
 nss.fips.cfg.in | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 8a5b3ca..05115ee 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -336,7 +336,7 @@
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver 7
-%global rpmrelease 3
+%global rpmrelease 4
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2541,6 +2541,10 @@ cjc.mainProgram(args)
 %endif
 %changelog
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-4
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102433
+
 * Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3
 - Update FIPS support to bring in latest changes
 - * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
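Review bot: The added `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` line in nss.fips.cfg.in has no comment, so the shipped config does not say why every generic secret key is marked as a signing key; a line such as `# RH2007331: set CKA_SIGN=true on generated/imported generic secret keys in FIPS mode (rhbz#2102433)` above it would keep that rationale with the setting. The rule matches only `CKK_GENERIC_SECRET`, while the subject speaks of SecretKey operations in general, so it is worth confirming that no other secret-key type needs the same attribute. Because the operation field is `*`, the attribute applies to generated and imported keys alike, presumably including generic secrets that are only ever used for derivation; if that widening of key usage is intended, the comment should say so.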