From bd9a923c567fc0a506045dbafa1cbbb0f4e0527f Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 27 2021 04:56:03 +0000
Subject: import jss-4.8.1-2.module+el8.4.0+10451+3e5b5448


---

diff --git a/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
new file mode 100644
index 0000000..581f7cf
--- /dev/null
+++ b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
@@ -0,0 +1,105 @@
+From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <alexander.m.scheel@gmail.com>
+Date: Fri, 12 Mar 2021 20:41:51 -0500
+Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
+
+NSS doesn't generally allow keys to be imported in FIPS mode. However,
+for portability with other JCA providers, we sometimes need to import
+keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
+encrypt and then unwrap using the same key. This lets us effectively
+"import" a key into a token, if the token supports using the given
+mechanism for both encryption and unwrapping operations. Some HSMs are
+getting stricter about this and forbid using the same key for encrypt
+and unwrap operations.
+
+Resolves: #334
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
+---
+ org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+index f39a3796..e8e9da16 100644
+--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
++++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+@@ -712,6 +712,61 @@ finish:
+     return keyObj;
+ }
+ 
++PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
++        CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
++        PRBool isPerm, void *wincx)
++{
++    PK11SymKey *result = NULL;
++    PK11SymKey *wrapper = NULL;
++    SECStatus ret = SECFailure;
++    unsigned int wrapped_len = 0;
++    unsigned int wrapped_max = key->len + 64;
++    unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
++    SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
++    SECItem *param = NULL;
++
++    /* Steps:
++     * 1. Generate a temporary key to encrypt and unwrap with,
++     * 2. Encrypt our key to import using the wrapping key,
++     * 3. Unwrap into the token using the wrapping key.
++     */
++
++#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
++#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
++
++    wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
++    if (wrapper == NULL) {
++        goto done;
++    }
++
++    param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
++    if (param == NULL) {
++        goto done;
++    }
++
++    ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
++            wrapped_key, &wrapped_len, wrapped_max,
++            key->data, key->len);
++    if (ret != SECSuccess) {
++        goto done;
++    }
++
++    wrapped_item.len = wrapped_len;
++
++    result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
++            param, &wrapped_item, type, operation, key->len, flags,
++            isPerm);
++
++done:
++    free(wrapped_key);
++    SECITEM_FreeItem(param, PR_TRUE);
++    if (wrapper != NULL) {
++        PK11_DeleteTokenSymKey(wrapper);
++        PK11_FreeSymKey(wrapper);
++    }
++    return result;
++}
++
+ /***********************************************************************
+  *
+  * PK11KeyWrapper.nativeUnwrapSymPlaintext
+@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
+     }
+ 
+     /* pull in the key */
+-    symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
+-        operation, wrappedKey, flags, isPerm, NULL);
++    if (PK11_IsFIPS()) {
++        symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
++    } else {
++        symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
++    }
+     if( symKey == NULL ) {
+         JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
+         goto finish;
+-- 
+2.26.2
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 646b509..9fa89b0 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -7,7 +7,7 @@ URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
 Version:        4.8.1
-Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+Release:        2%{?_timestamp}%{?_commit_id}%{?dist}
 #global         _phase -a1
 
 # To generate the source tarball:
@@ -25,6 +25,7 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
 # Patch: jss-VERSION-RELEASE.patch
+Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
 
 ################################################################################
 # Build Dependencies
@@ -160,6 +161,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
+* Tue Mar 16 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-2
+- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error
+
 * Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
 - Rebase to upstream JSS v4.8.1
 - Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class