Integrated: 8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Valerie Peng
valeriep at openjdk.org
Fri May 10 16:56:11 UTC 2024
On Wed, 20 Mar 2024 02:44:19 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> Existing legacy mechanism check disables mechanism(s) when the support is partial, e.g. supports decryption but not encryption, or supports verification but not signing. Some mechanisms can be used for both encryption/decryption and sign/verify such as RSA related ones. If the particular mechanism supports sign/verify/decryption but not encryption, it'd be disabled as a result. Fine tune the legacy mechanism check with the service type, i.e. supports encryption for Cipher, sign for Signature, so the mechanism is disabled based on the service type.
> For completeness sake, I also added a PKCS11 provider configuration option to control this. If not set, SunPKCS11 provider will disable legacy mechanisms by default.
This pull request has now been integrated.
Changeset: 1b476f52
Author: Valerie Peng <valeriep at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/1b476f52ba85f9ceaabe785d36cb07df831fd0e8
Stats: 51 lines in 2 files changed: 25 ins; 25 del; 1 mod
8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Reviewed-by: djelinski, weijun
-------------
PR: https://git.openjdk.org/jdk/pull/18387
More information about the security-dev
mailing list