From 0f5f3c9b9718c610406088327401210486447462 Mon Sep 17 00:00:00 2001
From: Martin Balao <mbalao@openjdk.org>
Date: Tue, 6 Feb 2024 19:49:30 +0000
Subject: [PATCH] 8325254: CKA_TOKEN private and secret keys are not
 necessarily sensitive

Reviewed-by: valeriep
---
 .../share/classes/sun/security/pkcs11/P11Key.java            | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index 4406a77eafe..e987a1733bb 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -395,8 +395,9 @@ abstract class P11Key implements Key, Length {
                     new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
 
-        boolean keySensitive = (attrs[0].getBoolean() ||
-                attrs[1].getBoolean() || !attrs[2].getBoolean());
+        boolean keySensitive =
+                (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+                attrs[1].getBoolean() || !attrs[2].getBoolean();
 
         return switch (algorithm) {
             case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,