From 33b5eff6b3a45f1d89b3fb6bf36568338d9098bc Mon Sep 17 00:00:00 2001
From: Jinhang-Zhang <Jinhang.Zhang@ibm.com>
Date: Fri, 7 Oct 2022 11:54:26 -0400
Subject: [PATCH] Fix the PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT in FIPS
 mode

Refer to [Redhat-2007331](https://bugzilla.redhat.com/show_bug.cgi?id=2007331). Add a CKA_SIGN attribute to a key that is generated by the MAC service initialization in the FIPS mode.

Signed-off-by: Jinhang Zhang <Jinhang.Zhang@ibm.com>
---
 closed/adds/jdk/src/share/lib/security/nss.fips.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/closed/adds/jdk/src/share/lib/security/nss.fips.cfg b/closed/adds/jdk/src/share/lib/security/nss.fips.cfg
index 3b308d298ca..1139cee9af1 100644
--- a/closed/adds/jdk/src/share/lib/security/nss.fips.cfg
+++ b/closed/adds/jdk/src/share/lib/security/nss.fips.cfg
@@ -23,3 +23,5 @@ nssLibraryDirectory = /usr/lib64
 nssSecmodDirectory = /etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }