diff --git a/fips-21u-9203d50836c.patch b/fips-21u-a0fd6e8ed6e.patch similarity index 99% rename from fips-21u-9203d50836c.patch rename to fips-21u-a0fd6e8ed6e.patch index 9966391..2db9580 100644 --- a/fips-21u-9203d50836c.patch +++ b/fips-21u-a0fd6e8ed6e.patch @@ -136,10 +136,10 @@ index 51d4f724c33..feb0bcf3e75 100644 BASIC_JDKLIB_LIBS="" BASIC_JDKLIB_LIBS_TARGET="" diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index f6def153c82..4d7abc33427 100644 +index 7f085676ca9..2476b9ae964 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -822,6 +822,11 @@ PANDOC_MARKDOWN_FLAG:=@PANDOC_MARKDOWN_FLAG@ # Libraries # @@ -1979,7 +1979,7 @@ index 539ef1e8ee8..435f57e3ff2 100644 "sun.security.rsa.PSSParameters", null); } diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index f8b01a4ea1e..b325bf7e9fc 100644 +index 6b0fd201b9b..2af4e3a3e21 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -85,6 +85,17 @@ security.provider.tbd=Apple @@ -2064,7 +2064,7 @@ index f8b01a4ea1e..b325bf7e9fc 100644 # the javax.net.ssl package. diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in new file mode 100644 -index 00000000000..55bbba98b7a +index 00000000000..6de716e6b42 --- /dev/null +++ b/src/java.base/share/conf/security/nss.fips.cfg.in @@ -0,0 +1,8 @@ @@ -2074,7 +2074,7 @@ index 00000000000..55bbba98b7a +nssDbMode = readWrite +nssModule = fips + -+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true } + diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy index 86d45147709..22fd8675503 100644 
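Review bot: The new template in nss.fips.cfg.in, `attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }`, applies to every secret-key algorithm and every operation, so key-usage separation on the token is lost: a cipher key is now also usable for signing/MAC, and a generic-secret (HMAC) key for encryption. If only particular key algorithms need the extra usage, keep `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` and add a second, algorithm-specific entry for `CKA_ENCRYPT=true`; the page does not show which algorithm requires it. If the wildcard is intended, record the reason in the file itself with a comment above the line, for example `# OPENJDK-4013: grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY (reason: <rationale from the issue>)`. A regression test asserting the attributes that generated and imported secret keys end up with in FIPS mode would make later widening of this template visible.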
@@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 01fc06ae283..e3ca000d309 100644 +index f8dd5a71c2c..6423805d164 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3005,7 +3005,7 @@ index 01fc06ae283..e3ca000d309 100644 return null; } else { return "RAW"; -@@ -1638,4 +1645,3 @@ final class SessionKeyRef extends PhantomReference { +@@ -1664,4 +1671,3 @@ final class SessionKeyRef extends PhantomReference { this.clear(); } } diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index 8c4807a..45f79b2 100644 --- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -348,7 +348,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 9203d50836c +%global fipsver a0fd6e8ed6e # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -1329,6 +1329,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +# OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# 
@@ -2475,10 +2476,12 @@ exit 0 - Update to jdk-21.0.10+7 (GA) - Update release notes to 21.0.10+7 - Bump libpng version to 1.6.51 following JDK-8372534 +- Update FIPS patch to include nss.fips.cfg that grants CKA_ENCRYPT - Resolves: RHEL-142857 - Resolves: RHEL-139565 - Resolves: RHEL-131428 - Resolves: RHEL-131441 +- Resolves: RHEL-142861 - ** This tarball is embargoed until 2026-01-20 @ 1pm PT. ** * Sat Oct 18 2025 Andrew Hughes - 1:21.0.9.0.10-2