# HG changeset patch

# User mbalao

# Date 1630103180 -3600

#      Fri Aug 27 23:26:20 2021 +0100

# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3

# Parent  c90394a76ee02a689f95199559d5724824b4b25e

RH1996182: Login to the NSS Software Token in FIPS Mode

diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java

--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java

+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java

@@ -42,6 +42,8 @@

 import javax.security.auth.callback.PasswordCallback;

 import javax.security.auth.callback.TextOutputCallback;

+import sun.misc.SharedSecrets;

+

 import sun.security.util.Debug;

 import sun.security.util.ResourcesMgr;

@@ -58,6 +60,9 @@

  */

 public final class SunPKCS11 extends AuthProvider {

+    private static final boolean systemFipsEnabled = SharedSecrets

+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();

+

     private static final long serialVersionUID = -1354835039035306505L;

     static final Debug debug = Debug.getInstance("sunpkcs11");

@@ -368,6 +373,24 @@

             if (nssModule != null) {

                 nssModule.setProvider(this);

             }

+            if (systemFipsEnabled) {

+                // The NSS Software Token in FIPS 140-2 mode requires a user

+                // login for most operations. See sftk_fipsCheck. The NSS DB

+                // (/etc/pki/nssdb) PIN is empty.

+                Session session = null;

+                try {

+                    session = token.getOpSession();

+                    p11.C_Login(session.id(), CKU_USER, new char[] {});

+                } catch (PKCS11Exception p11e) {

+                    if (debug != null) {

+                        debug.println("Error during token login: " +

+                                p11e.getMessage());

+                    }

+                    throw p11e;

+                } finally {

+                    token.releaseSession(session);

+                }

+            }

         } catch (Exception e) {

             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {

                 throw new UnsupportedOperationException