diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java
index 3a1bb807263..20726bb8d47 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -121,6 +121,9 @@ final class Config {
     // whether to print debug info during startup
     private boolean showInfo = false;
 
+    // whether to allow legacy mechanisms
+    private boolean allowLegacy = false;
+
     // template manager, initialized from parsed attributes
     private TemplateManager templateManager;
 
@@ -251,6 +254,10 @@ final class Config {
         return (SunPKCS11.debug != null) || showInfo;
     }
 
+    boolean getAllowLegacy() {
+        return allowLegacy;
+    }
+
     TemplateManager getTemplateManager() {
         if (templateManager == null) {
             templateManager = new TemplateManager();
@@ -453,6 +460,8 @@ final class Config {
                 destroyTokenAfterLogout = parseBooleanEntry(st.sval);
             case "showInfo"->
                 showInfo = parseBooleanEntry(st.sval);
+            case "allowLegacy"->
+                allowLegacy = parseBooleanEntry(st.sval);
             case "keyStoreCompatibilityMode"->
                 keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
             case "explicitCancel"->
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 3e112bfe0ed..07aaa1037ea 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
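Review bot: The new `allowLegacy` field in the second hunk is documented only as `// whether to allow legacy mechanisms`, which says neither what "legacy" means nor what the consumer in SunPKCS11 does with the flag. Suggest `// whether to register Cipher/Signature services for mechanisms whose CK_MECHANISM_INFO lacks CKF_ENCRYPT/CKF_SIGN (default: skip them)`, and the same wording on the `getAllowLegacy()` getter in the third hunk. With the flag set, a service can presumably be selected whose encrypt or sign operation the token does not advertise, so the comment should also tell the operator that the failure then surfaces at use time rather than at provider load. The parse case in the fourth hunk mirrors the existing boolean entries and needs no change.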
@@ -1222,25 +1222,6 @@ public final class SunPKCS11 extends AuthProvider {
         }
     }
 
-    private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
-            throws PKCS11Exception {
-        // assume full support if no mech info available
-        // For vendor-specific mechanisms, often no mech info is provided
-        boolean partialSupport = false;
-
-        if (mechInfo != null) {
-            if ((mechInfo.flags & CKF_DECRYPT) != 0) {
-                // non-legacy cipher mechs should support encryption
-                partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
-            }
-            if ((mechInfo.flags & CKF_VERIFY) != 0) {
-                // non-legacy signature mechs should support signing
-                partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
-            }
-        }
-        return partialSupport;
-    }
-
     // test if a token is present and initialize this provider for it if so.
     // does nothing if no token is found
     // called from constructor and by poller
@@ -1309,12 +1290,6 @@ public final class SunPKCS11 extends AuthProvider {
                     }
                     continue;
                 }
-                if (isLegacy(mechInfo)) {
-                    if (showInfo) {
-                        System.out.println("DISABLED due to legacy");
-                    }
-                    continue;
-                }
 
                 if (brokenMechanisms.contains(longMech)) {
                     if (showInfo) {
@@ -1336,6 +1311,7 @@ public final class SunPKCS11 extends AuthProvider {
                 if (ds == null) {
                     continue;
                 }
+                boolean allowLegacy = config.getAllowLegacy();
                 descLoop:
                 for (Descriptor d : ds) {
                     Integer oldMech = supportedAlgs.get(d);
@@ -1351,6 +1327,21 @@ public final class SunPKCS11 extends AuthProvider {
                             }
                         }
                     }
+
+                    // assume full support if no mech info available
+                    if (!allowLegacy && mechInfo != null) {
+                        if ((d.type == CIP &&
+                                (mechInfo.flags & CKF_ENCRYPT) == 0) ||
+                                (d.type == SIG &&
+                                (mechInfo.flags & CKF_SIGN) == 0)) {
+                            if (showInfo) {
+                                System.out.println("DISABLED " + d.type +
+                                        " " + d.algorithm +
+                                        " due to partial support");
+                            }
+                            continue;
+                        }
+                    }
                     supportedAlgs.put(d, integerMech);
                     continue;
                 }
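Review bot: The replacement check in the last hunk is broader than the removed isLegacy(): that method flagged a cipher mechanism only when CKF_DECRYPT was present without CKF_ENCRYPT (and a signature mechanism only when CKF_VERIFY was present without CKF_SIGN), whereas the new condition drops every CIP descriptor whose mech info lacks CKF_ENCRYPT and every SIG descriptor lacking CKF_SIGN, whatever the other flags say. If any CIP descriptor maps to a mechanism a token advertises only with wrap/unwrap flags, it would now be skipped where it previously registered; if that is intended, the comment should say so, since `// assume full support if no mech info available` covers only the null case — e.g. `// A Cipher must be able to encrypt and a Signature must be able to sign; mechanisms the token reports without CKF_ENCRYPT/CKF_SIGN are skipped unless allowLegacy is set. Missing mech info is treated as full support.` In the third hunk `config.getAllowLegacy()` is re-read on every mechanism iteration; reading it once before the loop would make the per-token setting explicit, though the cost is negligible. The enclosing loop and method begin and end outside these hunks.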