RFR: 8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms

Valerie Peng valeriep at openjdk.org
Mon Jul 22 22:43:31 UTC 2024


On Wed, 17 Jul 2024 00:48:20 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this fix? Changed the required-mechanism check by checking if the particular mechanism is inside the list of enabled supported mechanisms. This should be more reliable than calling C_GetMechanismInfo(..) on the required mechanism given vendors may return various sorts of error codes.
> 
> Thanks,
> Valerie

> I understand that the sample config is for a test, but are there any mechanisms we _would_ want to disable by default? It occurred to me as I was reading through the test and noticed that SHA1 was not in the disabled list for the test.

Are you asking about the general PKCS11 provider configuration settings? For PKCS11 providers, users provide their provider configuration file and they decide what to disable. As for SHA-1, it's not disabled by default for the SUN provider either.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/20207#issuecomment-2243929578


