Description of problem:

When the NSS software token is configured in FIPS mode -as we do for OpenJDK's system FIPS mode-, a token login is required prior to (almost) any operation. The token login can be achieved by means of a C_Login PKCS#11 call, passing the NSSDB PIN (if any). As an example, C_CreateObject (PKCS#11 API to create keys among other objects) cannot be invoked without a login [1] [2].

OpenJDK will perform a login into the token if a KeyStore::load API is invoked and the keystore implementation is from the SunPKCS11 provider [3] [4]. However, in the case that the application does not perform such call and tries to execute a PKCS#11 action (such as importing a public RSA key into the token [5]), a CKR_USER_NOT_LOGGED_IN error will be thrown.

Proposed solution:

When in system FIPS mode, login into the token right after the SunPKCS11 security provider is initialized. The PIN for the /etc/pki/nssdb token is empty. Note: only privileged (root) users have the right to modify /etc/pki/nssdb files, so there was no need to set a PIN there. OpenJDK's FIPS mode will open the token in read-only mode.

--
[1] - https://github.com/nss-dev/nss/blob/b6145f4aaeb6970f25b497f55ed9a5476f13b715/lib/softoken/fipstokn.c#L970
[2] - https://github.com/nss-dev/nss/blob/b6145f4aaeb6970f25b497f55ed9a5476f13b715/lib/softoken/fipstokn.c#L198
[3] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java#L752
[4] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java#L1403
[5] - https://github.com/openjdk/jdk17/blob/dfacda488bfbe2e11e8d607a6d08527710286982/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java#L193