Blame SOURCES/rh1996182-login_to_nss_software_token.patch

0a390a
commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
0a390a
Author: Martin Balao <mbalao@redhat.com>
0a390a
Date:   Sat Aug 28 00:35:44 2021 +0100
0a390a
0a390a
    RH1996182: Login to the NSS Software Token in FIPS Mode
0a390a
0a390a
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
840a84
index 238735c0c8c..dbbf11bbb22 100644
0a390a
--- openjdk.orig/src/java.base/share/classes/module-info.java
0a390a
+++ openjdk/src/java.base/share/classes/module-info.java
840a84
@@ -152,6 +152,7 @@ module java.base {
0a390a
         java.naming,
0a390a
         java.rmi,
840a84
         jdk.charsets,
0a390a
+        jdk.crypto.cryptoki,
0a390a
         jdk.crypto.ec,
0a390a
         jdk.jartool,
0a390a
         jdk.jlink,
0a390a
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
0a390a
index 112b639aa96..5d3963ea893 100644
0a390a
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
0a390a
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
0a390a
@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
0a390a
 
0a390a
 import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
0a390a
 
0a390a
+import jdk.internal.access.SharedSecrets;
0a390a
 import jdk.internal.misc.InnocuousThread;
0a390a
 import sun.security.util.Debug;
0a390a
 import sun.security.util.ResourcesMgr;
0a390a
@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
0a390a
  */
0a390a
 public final class SunPKCS11 extends AuthProvider {
0a390a
 
0a390a
+    private static final boolean systemFipsEnabled = SharedSecrets
0a390a
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
0a390a
+
0a390a
     private static final long serialVersionUID = -1354835039035306505L;
0a390a
 
0a390a
     static final Debug debug = Debug.getInstance("sunpkcs11");
0a390a
@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
0a390a
             if (nssModule != null) {
0a390a
                 nssModule.setProvider(this);
0a390a
             }
0a390a
+            if (systemFipsEnabled) {
0a390a
+                // The NSS Software Token in FIPS 140-2 mode requires a user
0a390a
+                // login for most operations. See sftk_fipsCheck. The NSS DB
0a390a
+                // (/etc/pki/nssdb) PIN is empty.
0a390a
+                Session session = null;
0a390a
+                try {
0a390a
+                    session = token.getOpSession();
0a390a
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
0a390a
+                } catch (PKCS11Exception p11e) {
0a390a
+                    if (debug != null) {
0a390a
+                        debug.println("Error during token login: " +
0a390a
+                                p11e.getMessage());
0a390a
+                    }
0a390a
+                    throw p11e;
0a390a
+                } finally {
0a390a
+                    token.releaseSession(session);
0a390a
+                }
0a390a
+            }
0a390a
         } catch (Exception e) {
0a390a
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
0a390a
                 throw new UnsupportedOperationException