[jdk11u-dev] RFR: 8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Andrew John Hughes
andrew at openjdk.org
Tue Mar 25 16:03:17 UTC 2025
On Fri, 3 Jan 2025 14:42:32 GMT, Antonio Vieiro <duke at openjdk.org> wrote:
> Clean backport of [JDK-8293345](https://bugs.openjdk.org/browse/JDK-8293345) (but a copyright line, that is) for parity with 11.0.27-oracle.
>
> Tier 1 tests pass in Linux.
It seems a little odd that this bug, [JDK-8293345](https://bugs.openjdk.org/browse/JDK-8293345) is listed as an enhancement - that I would usually be wary of backporting - but the bug that actually introduced the concept of legacy mechanism ([JDK-8176837](https://bugs.openjdk.org/browse/JDK-8176837)) - is regarded as a bug. What this change is effectively doing is allowing the legacy determination added by 8176837 to be overridden by the user in the configuration.
To my mind, this seems more like a bug fix for a regression created by 8176837, whereby mechanisms that worked prior to 8176837 can no longer be used due to the legacy determination. With this change, the user can explicitly enable such mechanisms again as needed.
With that in mind, and the CSR already in place all the way back to 8u, I'm ok with approving this for 11u. By default, the legacy override is off so the only change is that the legacy check is less intrusive and only checks ciphers for encryption and signatures for signing. Previously, a signature that could sign & verify would be regarded as legacy and disabled if it couldn't also encrypt, which is unnecessary. So this should also make more cases possible even without the new config flag enabled.
-------------
PR Comment: https://git.openjdk.org/jdk11u-dev/pull/2983#issuecomment-2751762205
More information about the jdk-updates-dev
mailing list