Commit Graph

3 Commits

Author SHA1 Message Date
Francisco Ferrari Bihurriet
fb297243dc RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION

Resolves: rhbz#2102433
2022-07-08 04:09:10 +01:00
Andrew Hughes
821e2145f6 Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy secmod.db file as part of nss
Resolves: rhbz#2023537
2021-11-29 19:36:18 +00:00
Andrew Hughes
584ffa5a36 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

Related: rhbz#1995889
2021-08-27 05:58:02 +01:00