RH1996182: Login to the NSS Software Token in FIPS Mode

martinuy · gnu-andrew · commit 8f6bbc1c697c · 2022-03-16T17:23:11.000Z
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
@@ -182,6 +182,7 @@
         java.security.jgss,
         java.sql,
         java.xml,
+        jdk.crypto.cryptoki,
         jdk.jartool,
         jdk.attach,
         jdk.charsets,
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -41,6 +41,8 @@
 import javax.security.auth.callback.PasswordCallback;
 
 import jdk.internal.misc.InnocuousThread;
+import jdk.internal.misc.SharedSecrets;
+
 import sun.security.util.Debug;
 import sun.security.util.ResourcesMgr;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -58,6 +60,9 @@
  */
 public final class SunPKCS11 extends AuthProvider {
 
+    private static final boolean systemFipsEnabled = SharedSecrets
+            .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
     private static final long serialVersionUID = -1354835039035306505L;
 
     static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -374,6 +379,24 @@ private static <T> T checkNull(T obj) {
             if (nssModule != null) {
                 nssModule.setProvider(this);
             }
+            if (systemFipsEnabled) {
+                // The NSS Software Token in FIPS 140-2 mode requires a user
+                // login for most operations. See sftk_fipsCheck. The NSS DB
+                // (/etc/pki/nssdb) PIN is empty.
+                Session session = null;
+                try {
+                    session = token.getOpSession();
+                    p11.C_Login(session.id(), CKU_USER, new char[] {});
+                } catch (PKCS11Exception p11e) {
+                    if (debug != null) {
+                        debug.println("Error during token login: " +
+                                p11e.getMessage());
+                    }
+                    throw p11e;
+                } finally {
+                    token.releaseSession(session);
+                }
+            }
         } catch (Exception e) {
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException
