RFR: 8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic [v2]
Valerie Peng
valeriep at openjdk.org
Tue Apr 9 22:26:59 UTC 2024
On Tue, 9 Apr 2024 18:34:52 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update to match CSR for disableLegacy -> allowLegacy name change
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java line 1344:
>
>> 1342: continue;
>> 1343: }
>> 1344: }
>
> I'm curious why this check was moved down in the file. The only advantage I see is that you have access to `d.type`.
Yes, this is the purpose, e.g. perform the check based on the type of registered service. The earlier check does not take into account the registered service and disables a mechanism completely even when it can still be used for some.
For example, a mechanism that supports decryption, signing, and verification will be disabled completely with the earlier check, but will still be enabled for Signature with this proposed change.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18387#discussion_r1558368927