java-17-openjdk/rh1996182-login_to_nss_software_token.patch

commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
Author: Martin Balao <mbalao@redhat.com>
Date:   Sat Aug 28 00:35:44 2021 +0100

    RH1996182: Login to the NSS Software Token in FIPS Mode

diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 39e69362458..aeb5fc2eb46 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -151,6 +151,7 @@ module java.base {
         java.management,
         java.naming,
         java.rmi,
+        jdk.crypto.cryptoki,
         jdk.crypto.ec,
         jdk.jartool,
         jdk.jlink,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..5d3963ea893 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
 
 import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
 
+import jdk.internal.access.SharedSecrets;
 import jdk.internal.misc.InnocuousThread;
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
  */
 public final class SunPKCS11 extends AuthProvider {
 
+    private static final boolean systemFipsEnabled = SharedSecrets
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
+            if (systemFipsEnabled) {
+                // The NSS Software Token in FIPS 140-2 mode requires a user
+                // login for most operations. See sftk_fipsCheck. The NSS DB
+                // (/etc/pki/nssdb) PIN is empty.
+                Session session = null;
+                try {
+                    session = token.getOpSession();
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
+                } catch (PKCS11Exception p11e) {
+                    if (debug != null) {
+                        debug.println("Error during token login: " +
+                                p11e.getMessage());
+                    }
+                    throw p11e;
+                } finally {
+                    token.releaseSession(session);
+                }
+            }
         } catch (Exception e) {
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException
Initial load 2021-12-07 14:45:09 +00:00			`commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923`
			`Author: Martin Balao <mbalao@redhat.com>`
			`Date: Sat Aug 28 00:35:44 2021 +0100`

			`RH1996182: Login to the NSS Software Token in FIPS Mode`

			`diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java`
			`index 39e69362458..aeb5fc2eb46 100644`
			`--- openjdk.orig/src/java.base/share/classes/module-info.java`
			`+++ openjdk/src/java.base/share/classes/module-info.java`
			`@@ -151,6 +151,7 @@ module java.base {`
			`java.management,`
			`java.naming,`
			`java.rmi,`
			`+ jdk.crypto.cryptoki,`
			`jdk.crypto.ec,`
			`jdk.jartool,`
			`jdk.jlink,`
			`diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java`
			`index 112b639aa96..5d3963ea893 100644`
			`--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java`
			`+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java`
			`@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;`

			`import com.sun.crypto.provider.ChaCha20Poly1305Parameters;`

			`+import jdk.internal.access.SharedSecrets;`
			`import jdk.internal.misc.InnocuousThread;`
			`import sun.security.util.Debug;`
			`import sun.security.util.ResourcesMgr;`
			`@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;`
			`*/`
			`public final class SunPKCS11 extends AuthProvider {`

			`+ private static final boolean systemFipsEnabled = SharedSecrets`
			`+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();`
			`+`
			`private static final long serialVersionUID = -1354835039035306505L;`

			`static final Debug debug = Debug.getInstance("sunpkcs11");`
			`@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {`
			`if (nssModule != null) {`
			`nssModule.setProvider(this);`
			`}`
			`+ if (systemFipsEnabled) {`
			`+ // The NSS Software Token in FIPS 140-2 mode requires a user`
			`+ // login for most operations. See sftk_fipsCheck. The NSS DB`
			`+ // (/etc/pki/nssdb) PIN is empty.`
			`+ Session session = null;`
			`+ try {`
			`+ session = token.getOpSession();`
			`+ p11.C_Login(session.id(), CKU_USER, new char[] {});`
			`+ } catch (PKCS11Exception p11e) {`
			`+ if (debug != null) {`
			`+ debug.println("Error during token login: " +`
			`+ p11e.getMessage());`
			`+ }`
			`+ throw p11e;`
			`+ } finally {`
			`+ token.releaseSession(session);`
			`+ }`
			`+ }`
			`} catch (Exception e) {`
			`if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {`
			`throw new UnsupportedOperationException`