diff --git a/SOURCES/nss-3.79-pkcs12-fips-defaults.patch b/SOURCES/nss-3.79-pkcs12-fips-defaults.patch
new file mode 100644
index 0000000..fd8cb4d
--- /dev/null
+++ b/SOURCES/nss-3.79-pkcs12-fips-defaults.patch
@@ -0,0 +1,25 @@
+diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults 2022-07-20 13:40:24.152212683 -0700
++++ ./cmd/pk12util/pk12util.c 2022-07-20 13:42:40.031094190 -0700
+@@ -1146,6 +1146,11 @@ main(int argc, char **argv)
+ goto done;
+ }
+
++ if (PK11_IsFIPS()) {
++ cipher = SEC_OID_AES_256_CBC;
++ certCipher = SEC_OID_AES_128_CBC;
++ }
++
+ if (pk12util.options[opt_Cipher].activated) {
+ char *cipherString = pk12util.options[opt_Cipher].arg;
+
+@@ -1160,9 +1165,6 @@ main(int argc, char **argv)
+ }
+ }
+
+- if (PK11_IsFIPS()) {
+- certCipher = SEC_OID_UNKNOWN;
+- }
+ if (pk12util.options[opt_CertCipher].activated) {
+ char *cipherString = pk12util.options[opt_CertCipher].arg;
+
diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
new file mode 100644
index 0000000..1195e5c
--- /dev/null
+++ b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
@@ -0,0 +1,21 @@
+diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700
++++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700
+@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+ if (zeroTerm) {
+ /* unicode adds two nulls at the end */
+ if (toUnicode) {
+- if ((dest->len >= 2) &&
+- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
++ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
+ /* we've already allocated space for these new NULLs */
+ PORT_Assert(dest->len + 2 <= bufferSize);
+ dest->len += 2;
+ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+ }
+ /* ascii/utf-8 adds just 1 */
+- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
++ } else if (!dest->len || dest->data[dest->len - 1]) {
+ PORT_Assert(dest->len + 1 <= bufferSize);
+ dest->len++;
+ dest->data[dest->len - 1] = 0;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 238cbf8..dd32c68 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
Summary: Network Security Services
Name: nss
Version: %{nss_version}
-Release: 7%{?dist}
+Release: 8%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}%{nspr_release}
@@ -153,6 +153,8 @@ Patch45: nss-3.66-disable-external-host-test.patch
Patch50: nss-3.66-restore-old-pkcs12-default.patch
# Local Patch: restore expired distrusted certs for now
Patch51: nss-3.79-revert-distrusted-certs.patch
+# Local Patch: update fipsdefaults to AES
+Patch52: nss-3.79-pkcs12-fips-defaults.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
Patch60: nss-3.79-dbtool.patch
@@ -163,8 +165,7 @@ Patch63: nss-3.79-fix-client-cert-crash.patch
Patch64: nss-3.79-rhel-8-fips-signature-policy.patch
Patch65: nss-3.79-enable-POST-rerun.patch
Patch66: nss-3.79-increase-pbe-cache.patch
-
-
+Patch67: /nss-3.79-pkcs12-fix-null-password.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -941,6 +942,10 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog
+* Wed Jul 13 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
+- Update fips default for pk12util to AES rather than TDES
+- Fix bug in pkcs12 files with null passwords
+
* Wed Jul 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
- Better fix for test regressions