332589c5ef
* Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS - Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch - Enable system security properties in the RPM (now disabled by default in the FIPS repo) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them Related: RHEL-45216
9 lines
197 B
INI
9 lines
197 B
INI
name = NSS-FIPS
|
|
nssLibraryDirectory = @NSS_LIBDIR@
|
|
nssSecmodDirectory = sql:/etc/pki/nssdb
|
|
nssDbMode = readOnly
|
|
nssModule = fips
|
|
|
|
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
|
|