Blame SOURCES/rh1996182-login_to_nss_software_token.patch

e74e6c
# HG changeset patch
e74e6c
# User mbalao
e74e6c
# Date 1630103180 -3600
e74e6c
#      Fri Aug 27 23:26:20 2021 +0100
e74e6c
# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
e74e6c
# Parent  c90394a76ee02a689f95199559d5724824b4b25e
e74e6c
RH1996182: Login to the NSS Software Token in FIPS Mode
e74e6c
e74e6c
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
e74e6c
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
e74e6c
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
e74e6c
@@ -42,6 +42,8 @@
e74e6c
 import javax.security.auth.callback.PasswordCallback;
e74e6c
 import javax.security.auth.callback.TextOutputCallback;
e74e6c
 
e74e6c
+import sun.misc.SharedSecrets;
e74e6c
+
e74e6c
 import sun.security.util.Debug;
e74e6c
 import sun.security.util.ResourcesMgr;
e74e6c
 
e74e6c
@@ -58,6 +60,9 @@
e74e6c
  */
e74e6c
 public final class SunPKCS11 extends AuthProvider {
e74e6c
 
e74e6c
+    private static final boolean systemFipsEnabled = SharedSecrets
e74e6c
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
e74e6c
+
e74e6c
     private static final long serialVersionUID = -1354835039035306505L;
e74e6c
 
e74e6c
     static final Debug debug = Debug.getInstance("sunpkcs11");
e74e6c
@@ -368,6 +373,24 @@
e74e6c
             if (nssModule != null) {
e74e6c
                 nssModule.setProvider(this);
e74e6c
             }
e74e6c
+            if (systemFipsEnabled) {
e74e6c
+                // The NSS Software Token in FIPS 140-2 mode requires a user
e74e6c
+                // login for most operations. See sftk_fipsCheck. The NSS DB
e74e6c
+                // (/etc/pki/nssdb) PIN is empty.
e74e6c
+                Session session = null;
e74e6c
+                try {
e74e6c
+                    session = token.getOpSession();
e74e6c
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
e74e6c
+                } catch (PKCS11Exception p11e) {
e74e6c
+                    if (debug != null) {
e74e6c
+                        debug.println("Error during token login: " +
e74e6c
+                                p11e.getMessage());
e74e6c
+                    }
e74e6c
+                    throw p11e;
e74e6c
+                } finally {
e74e6c
+                    token.releaseSession(session);
e74e6c
+                }
e74e6c
+            }
e74e6c
         } catch (Exception e) {
e74e6c
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
e74e6c
                 throw new UnsupportedOperationException