RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode

Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION
This commit is contained in:
Francisco Ferrari Bihurriet 2022-06-30 13:51:25 -03:00 committed by Andrew Hughes
parent 26e1d8bb6d
commit 742fc4c474
2 changed files with 6 additions and 1 deletions

View File

@ -347,7 +347,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10 %global buildver 10
%global rpmrelease 4 %global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -2555,6 +2555,9 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:18.0.1.0.10-5.rolling
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* Thu Jun 30 2022 Stephan Bergmann <sbergman@redhat.com> - 1:18.0.1.0.10-4.rolling * Thu Jun 30 2022 Stephan Bergmann <sbergman@redhat.com> - 1:18.0.1.0.10-4.rolling
- Fix flatpak builds (catering for their uncompressed manual pages) - Fix flatpak builds (catering for their uncompressed manual pages)

View File

@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly nssDbMode = readOnly
nssModule = fips nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }