OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY

[franferrax]

Search this PR in Red Hat Jira

Hi,

This pull request addresses OPENJDK-4013: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY.

In particular, it applies to the following RHEL issues:

• RHEL-122136: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY [rhel-9, openjdk-17]
• RHEL-TBD: Update nss.fips.cfg to grant CKA_SIGN and CKA_ENCRYPT to any CKO_SECRET_KEY [rhel-8, openjdk-17]

The change has been successfully tested by the Cryostat team, and is in production for them, see cryostatio/cryostat#932.

[fitzsim]

This looks safe to me as long as we can count on NSS to reject operations that are newly allowed by this change, but that are not allowed by FIPS.

[fitzsim]

This looks safe to me as long as we can count on NSS to reject operations that are newly allowed by this change, but that are not allowed by FIPS.

[gnu-andrew]

Merged in #44

[franferrax]

@gnu-andrew: from now on, I will always make sure to check Allow edits and access to secrets by maintainers. With that option enabled, you should be able to directly push to my fork's branch and update the original PR. This removes the burden of creating a new PR, so feel free to directly push to my branch next time. Understanding you need to rebase, force-pushes won't be considered an offense.