Blame SOURCES/rh1996182-login_to_nss_software_token.patch

be8a6c
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
be8a6c
Author: Martin Balao <mbalao@redhat.com>
be8a6c
Date:   Fri Aug 27 19:42:07 2021 +0100
be8a6c
be8a6c
    RH1996182: Login to the NSS Software Token in FIPS Mode
be8a6c
be8a6c
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
be8a6c
index 0cf61732d7..2cd851587c 100644
be8a6c
--- openjdk.orig/src/java.base/share/classes/module-info.java
be8a6c
+++ openjdk/src/java.base/share/classes/module-info.java
be8a6c
@@ -182,6 +182,7 @@ module java.base {
be8a6c
         java.security.jgss,
be8a6c
         java.sql,
be8a6c
         java.xml,
be8a6c
+        jdk.crypto.cryptoki,
be8a6c
         jdk.jartool,
be8a6c
         jdk.attach,
be8a6c
         jdk.charsets,
be8a6c
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
be8a6c
index b00b738b85..1eca1f8f0a 100644
be8a6c
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
be8a6c
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
be8a6c
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
be8a6c
 import javax.security.auth.callback.PasswordCallback;
be8a6c
 import javax.security.auth.callback.TextOutputCallback;
be8a6c
 
be8a6c
+import jdk.internal.misc.SharedSecrets;
be8a6c
+
be8a6c
 import sun.security.util.Debug;
be8a6c
 import sun.security.util.ResourcesMgr;
be8a6c
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
be8a6c
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
be8a6c
  */
be8a6c
 public final class SunPKCS11 extends AuthProvider {
be8a6c
 
be8a6c
+    private static final boolean systemFipsEnabled = SharedSecrets
be8a6c
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
be8a6c
+
be8a6c
     private static final long serialVersionUID = -1354835039035306505L;
be8a6c
 
be8a6c
     static final Debug debug = Debug.getInstance("sunpkcs11");
be8a6c
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
be8a6c
             if (nssModule != null) {
be8a6c
                 nssModule.setProvider(this);
be8a6c
             }
be8a6c
+            if (systemFipsEnabled) {
be8a6c
+                // The NSS Software Token in FIPS 140-2 mode requires a user
be8a6c
+                // login for most operations. See sftk_fipsCheck. The NSS DB
be8a6c
+                // (/etc/pki/nssdb) PIN is empty.
be8a6c
+                Session session = null;
be8a6c
+                try {
be8a6c
+                    session = token.getOpSession();
be8a6c
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
be8a6c
+                } catch (PKCS11Exception p11e) {
be8a6c
+                    if (debug != null) {
be8a6c
+                        debug.println("Error during token login: " +
be8a6c
+                                p11e.getMessage());
be8a6c
+                    }
be8a6c
+                    throw p11e;
be8a6c
+                } finally {
be8a6c
+                    token.releaseSession(session);
be8a6c
+                }
be8a6c
+            }
be8a6c
         } catch (Exception e) {
be8a6c
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
be8a6c
                 throw new UnsupportedOperationException