Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT
Resolves: RHEL-142861
parent
8322b431d0
commit
6735be194e
@ -136,10 +136,10 @@ index 51d4f724c33..feb0bcf3e75 100644
|
||||
BASIC_JDKLIB_LIBS=""
|
||||
BASIC_JDKLIB_LIBS_TARGET=""
|
||||
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
|
||||
index f6def153c82..4d7abc33427 100644
|
||||
index 7f085676ca9..2476b9ae964 100644
|
||||
--- a/make/autoconf/spec.gmk.in
|
||||
+++ b/make/autoconf/spec.gmk.in
|
||||
@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
|
||||
@@ -822,6 +822,11 @@ PANDOC_MARKDOWN_FLAG:=@PANDOC_MARKDOWN_FLAG@
|
||||
# Libraries
|
||||
#
|
||||
|
||||
@ -1979,7 +1979,7 @@ index 539ef1e8ee8..435f57e3ff2 100644
|
||||
"sun.security.rsa.PSSParameters", null);
|
||||
}
|
||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||
index f8b01a4ea1e..b325bf7e9fc 100644
|
||||
index 6b0fd201b9b..2af4e3a3e21 100644
|
||||
--- a/src/java.base/share/conf/security/java.security
|
||||
+++ b/src/java.base/share/conf/security/java.security
|
||||
@@ -85,6 +85,17 @@ security.provider.tbd=Apple
|
||||
@ -2064,7 +2064,7 @@ index f8b01a4ea1e..b325bf7e9fc 100644
|
||||
# the javax.net.ssl package.
|
||||
diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||
new file mode 100644
|
||||
index 00000000000..55bbba98b7a
|
||||
index 00000000000..6de716e6b42
|
||||
--- /dev/null
|
||||
+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
|
||||
@@ -0,0 +1,8 @@
|
||||
@ -2074,7 +2074,7 @@ index 00000000000..55bbba98b7a
|
||||
+nssDbMode = readWrite
|
||||
+nssModule = fips
|
||||
+
|
||||
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||
+attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
|
||||
+
|
||||
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
||||
index 86d45147709..22fd8675503 100644
|
||||
@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815
|
||||
+}
|
||||
\ No newline at end of file
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
index 01fc06ae283..e3ca000d309 100644
|
||||
index f8dd5a71c2c..6423805d164 100644
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
@@ -37,6 +37,8 @@ import javax.crypto.*;
|
||||
@ -3005,7 +3005,7 @@ index 01fc06ae283..e3ca000d309 100644
|
||||
return null;
|
||||
} else {
|
||||
return "RAW";
|
||||
@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
|
||||
@@ -1664,4 +1671,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
|
||||
this.clear();
|
||||
}
|
||||
}
|
||||
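Review bot: The template `attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }` in the nss.fips.cfg.in hunk applies to every operation and every secret-key algorithm, so each secret key the provider generates or imports is marked for both signing and encryption, and the token can no longer enforce a per-key usage split. Assuming this line is the new side of the pair (it matches the commit title), the previous form limited the grant to `CKK_GENERIC_SECRET` with `CKA_SIGN` only. If the callers that need `CKA_ENCRYPT` use a known set of key algorithms, per-algorithm templates would keep the grant narrower than the `*` wildcard; the page does not show the failing case, so this needs confirming. At minimum the cfg should record the reason next to the template, for example `# OPENJDK-4013: CKA_ENCRYPT on secret keys is required for <use case>`, so a later audit of the FIPS configuration can tell the widening was deliberate. Only fragments of the embedded patch are visible here, so the rest of nss.fips.cfg.in and the P11Key.java change were not reviewed.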
@ -348,7 +348,7 @@
|
||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||
# Define current Git revision for the FIPS support patches
|
||||
%global fipsver 9203d50836c
|
||||
%global fipsver a0fd6e8ed6e
|
||||
# Define JDK versions
|
||||
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
|
||||
%global javaver %{featurever}
|
||||
@ -1329,6 +1329,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
|
||||
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
||||
# RH1940064: Enable XML Signature provider in FIPS mode
|
||||
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
|
||||
# OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY
|
||||
Patch1001: fips-%{featurever}u-%{fipsver}.patch
|
||||
|
||||
#############################################
|
||||
@ -2475,10 +2476,12 @@ exit 0
|
||||
- Update to jdk-21.0.10+7 (GA)
|
||||
- Update release notes to 21.0.10+7
|
||||
- Bump libpng version to 1.6.51 following JDK-8372534
|
||||
- Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT
|
||||
- Resolves: RHEL-142857
|
||||
- Resolves: RHEL-139565
|
||||
- Resolves: RHEL-131428
|
||||
- Resolves: RHEL-131441
|
||||
- Resolves: RHEL-142861
|
||||
- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
|
||||
|
||||
* Sat Oct 18 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.9.0.10-2
|
||||
|
||||