Skip to content

Commit

Permalink
8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Browse files Browse the repository at this point in the history 
Reviewed-by: djelinski, weijun
  • Loading branch information
Valerie Peng committed May 10, 2024
1 parent 1c5f150 commit 1b476f5
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 26 deletions.
11 changes: 10 additions & 1 deletion src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -121,6 +121,9 @@ public List<String> run() {
// whether to print debug info during startup
private boolean showInfo = false;

// whether to allow legacy mechanisms
private boolean allowLegacy = false;

// template manager, initialized from parsed attributes
private TemplateManager templateManager;

Expand Down Expand Up @@ -251,6 +254,10 @@ boolean getShowInfo() {
return (SunPKCS11.debug != null) || showInfo;
}

boolean getAllowLegacy() {
return allowLegacy;
}

TemplateManager getTemplateManager() {
if (templateManager == null) {
templateManager = new TemplateManager();
Expand Down Expand Up @@ -453,6 +460,8 @@ private void parse() throws IOException {
destroyTokenAfterLogout = parseBooleanEntry(st.sval);
case "showInfo"->
showInfo = parseBooleanEntry(st.sval);
case "allowLegacy"->
allowLegacy = parseBooleanEntry(st.sval);
case "keyStoreCompatibilityMode"->
keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
case "explicitCancel"->
Expand Down
41 changes: 16 additions & 25 deletions src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1222,25 +1222,6 @@ public Object run() {
}
}

private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
throws PKCS11Exception {
// assume full support if no mech info available
// For vendor-specific mechanisms, often no mech info is provided
boolean partialSupport = false;

if (mechInfo != null) {
if ((mechInfo.flags & CKF_DECRYPT) != 0) {
// non-legacy cipher mechs should support encryption
partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
}
if ((mechInfo.flags & CKF_VERIFY) != 0) {
// non-legacy signature mechs should support signing
partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
}
}
return partialSupport;
}

// test if a token is present and initialize this provider for it if so.
// does nothing if no token is found
// called from constructor and by poller
Expand Down Expand Up @@ -1309,12 +1290,6 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
}
continue;
}
if (isLegacy(mechInfo)) {
if (showInfo) {
System.out.println("DISABLED due to legacy");
}
continue;
}

if (brokenMechanisms.contains(longMech)) {
if (showInfo) {
Expand All @@ -1336,6 +1311,7 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
if (ds == null) {
continue;
}
boolean allowLegacy = config.getAllowLegacy();
descLoop:
for (Descriptor d : ds) {
Integer oldMech = supportedAlgs.get(d);
Expand All @@ -1351,6 +1327,21 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
}
}
}

// assume full support if no mech info available
if (!allowLegacy && mechInfo != null) {
if ((d.type == CIP &&
(mechInfo.flags & CKF_ENCRYPT) == 0) ||
(d.type == SIG &&
(mechInfo.flags & CKF_SIGN) == 0)) {
if (showInfo) {
System.out.println("DISABLED " + d.type +
" " + d.algorithm +
" due to partial support");
}
continue;
}
}
supportedAlgs.put(d, integerMech);
continue;
}
Expand Down

0 comments on commit 1b476f5

Please sign in to comment.