8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Reviewed-by: djelinski, weijun
This commit is contained in:
parent
1c5f1501ac
commit
1b476f52ba
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -121,6 +121,9 @@ final class Config {
|
|||||||
// whether to print debug info during startup
|
// whether to print debug info during startup
|
||||||
private boolean showInfo = false;
|
private boolean showInfo = false;
|
||||||
|
|
||||||
|
// whether to allow legacy mechanisms
|
||||||
|
private boolean allowLegacy = false;
|
||||||
|
|
||||||
// template manager, initialized from parsed attributes
|
// template manager, initialized from parsed attributes
|
||||||
private TemplateManager templateManager;
|
private TemplateManager templateManager;
|
||||||
|
|
||||||
@ -251,6 +254,10 @@ final class Config {
|
|||||||
return (SunPKCS11.debug != null) || showInfo;
|
return (SunPKCS11.debug != null) || showInfo;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
boolean getAllowLegacy() {
|
||||||
|
return allowLegacy;
|
||||||
|
}
|
||||||
|
|
||||||
TemplateManager getTemplateManager() {
|
TemplateManager getTemplateManager() {
|
||||||
if (templateManager == null) {
|
if (templateManager == null) {
|
||||||
templateManager = new TemplateManager();
|
templateManager = new TemplateManager();
|
||||||
@ -453,6 +460,8 @@ final class Config {
|
|||||||
destroyTokenAfterLogout = parseBooleanEntry(st.sval);
|
destroyTokenAfterLogout = parseBooleanEntry(st.sval);
|
||||||
case "showInfo"->
|
case "showInfo"->
|
||||||
showInfo = parseBooleanEntry(st.sval);
|
showInfo = parseBooleanEntry(st.sval);
|
||||||
|
case "allowLegacy"->
|
||||||
|
allowLegacy = parseBooleanEntry(st.sval);
|
||||||
case "keyStoreCompatibilityMode"->
|
case "keyStoreCompatibilityMode"->
|
||||||
keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
|
keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
|
||||||
case "explicitCancel"->
|
case "explicitCancel"->
|
||||||
|
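Review bot: The new `allowLegacy` field is documented only as "whether to allow legacy mechanisms", which does not tell a reader of Config what a legacy mechanism is or that enabling it relaxes a capability check elsewhere; the definition only exists in the SunPKCS11 hunk of this same commit. Since this is an opt-in that re-enables mechanisms the provider otherwise disables, the field comment should carry the definition, e.g. `// whether to allow "legacy" mechanisms: ones whose CK_MECHANISM_INFO flags lack CKF_ENCRYPT (for cipher descriptors) or CKF_SIGN (for signature descriptors); default false keeps them disabled, see SunPKCS11`. The getter and the `case "allowLegacy"->` parse arm follow the pattern of `showInfo` and need no further change.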
@ -1222,25 +1222,6 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
|
|
||||||
throws PKCS11Exception {
|
|
||||||
// assume full support if no mech info available
|
|
||||||
// For vendor-specific mechanisms, often no mech info is provided
|
|
||||||
boolean partialSupport = false;
|
|
||||||
|
|
||||||
if (mechInfo != null) {
|
|
||||||
if ((mechInfo.flags & CKF_DECRYPT) != 0) {
|
|
||||||
// non-legacy cipher mechs should support encryption
|
|
||||||
partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
|
|
||||||
}
|
|
||||||
if ((mechInfo.flags & CKF_VERIFY) != 0) {
|
|
||||||
// non-legacy signature mechs should support signing
|
|
||||||
partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return partialSupport;
|
|
||||||
}
|
|
||||||
|
|
||||||
// test if a token is present and initialize this provider for it if so.
|
// test if a token is present and initialize this provider for it if so.
|
||||||
// does nothing if no token is found
|
// does nothing if no token is found
|
||||||
// called from constructor and by poller
|
// called from constructor and by poller
|
||||||
@ -1309,12 +1290,6 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (isLegacy(mechInfo)) {
|
|
||||||
if (showInfo) {
|
|
||||||
System.out.println("DISABLED due to legacy");
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (brokenMechanisms.contains(longMech)) {
|
if (brokenMechanisms.contains(longMech)) {
|
||||||
if (showInfo) {
|
if (showInfo) {
|
||||||
@ -1336,6 +1311,7 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
if (ds == null) {
|
if (ds == null) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
boolean allowLegacy = config.getAllowLegacy();
|
||||||
descLoop:
|
descLoop:
|
||||||
for (Descriptor d : ds) {
|
for (Descriptor d : ds) {
|
||||||
Integer oldMech = supportedAlgs.get(d);
|
Integer oldMech = supportedAlgs.get(d);
|
||||||
@ -1351,6 +1327,21 @@ public final class SunPKCS11 extends AuthProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// assume full support if no mech info available
|
||||||
|
if (!allowLegacy && mechInfo != null) {
|
||||||
|
if ((d.type == CIP &&
|
||||||
|
(mechInfo.flags & CKF_ENCRYPT) == 0) ||
|
||||||
|
(d.type == SIG &&
|
||||||
|
(mechInfo.flags & CKF_SIGN) == 0)) {
|
||||||
|
if (showInfo) {
|
||||||
|
System.out.println("DISABLED " + d.type +
|
||||||
|
" " + d.algorithm +
|
||||||
|
" due to partial support");
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
supportedAlgs.put(d, integerMech);
|
supportedAlgs.put(d, integerMech);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
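Review bot: The new CIP condition in the last hunk, `(d.type == CIP && (mechInfo.flags & CKF_ENCRYPT) == 0)`, is stricter than the removed `isLegacy`, which only flagged a mechanism when CKF_DECRYPT was set and CKF_ENCRYPT was not; a mechanism whose info reports neither flag (for instance one advertising only wrap/unwrap capability) was previously registered and is now skipped for every CIP descriptor unless `allowLegacy` is set. If that tightening is intended, the comment above the check should say so, e.g. `// a cipher mech must advertise CKF_ENCRYPT and a signature mech CKF_SIGN; decrypt-only/verify-only (and flag-less) mechs are treated as legacy`; if not, the condition needs to account for the other capability flags and a test that a wrap-only mechanism still registers. Separately, `boolean allowLegacy = config.getAllowLegacy();` in the `@ -1336` hunk is read once per mechanism inside a loop whose head lies outside the hunk; it is loop-invariant and could be hoisted above that loop. The enclosing method starts and ends outside these hunks.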