8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic
Reviewed-by: djelinski, weijun
This commit is contained in:
parent
1c5f1501ac
commit
1b476f52ba
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -121,6 +121,9 @@ final class Config {
|
||||
// whether to print debug info during startup
|
||||
private boolean showInfo = false;
|
||||
|
||||
// whether to allow legacy mechanisms
|
||||
private boolean allowLegacy = false;
|
||||
|
||||
// template manager, initialized from parsed attributes
|
||||
private TemplateManager templateManager;
|
||||
|
||||
@ -251,6 +254,10 @@ final class Config {
|
||||
return (SunPKCS11.debug != null) || showInfo;
|
||||
}
|
||||
|
||||
boolean getAllowLegacy() {
|
||||
return allowLegacy;
|
||||
}
|
||||
|
||||
TemplateManager getTemplateManager() {
|
||||
if (templateManager == null) {
|
||||
templateManager = new TemplateManager();
|
||||
@ -453,6 +460,8 @@ final class Config {
|
||||
destroyTokenAfterLogout = parseBooleanEntry(st.sval);
|
||||
case "showInfo"->
|
||||
showInfo = parseBooleanEntry(st.sval);
|
||||
case "allowLegacy"->
|
||||
allowLegacy = parseBooleanEntry(st.sval);
|
||||
case "keyStoreCompatibilityMode"->
|
||||
keyStoreCompatibilityMode = parseBooleanEntry(st.sval);
|
||||
case "explicitCancel"->
|
||||
|
@ -1222,25 +1222,6 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
|
||||
throws PKCS11Exception {
|
||||
// assume full support if no mech info available
|
||||
// For vendor-specific mechanisms, often no mech info is provided
|
||||
boolean partialSupport = false;
|
||||
|
||||
if (mechInfo != null) {
|
||||
if ((mechInfo.flags & CKF_DECRYPT) != 0) {
|
||||
// non-legacy cipher mechs should support encryption
|
||||
partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
|
||||
}
|
||||
if ((mechInfo.flags & CKF_VERIFY) != 0) {
|
||||
// non-legacy signature mechs should support signing
|
||||
partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
|
||||
}
|
||||
}
|
||||
return partialSupport;
|
||||
}
|
||||
|
||||
// test if a token is present and initialize this provider for it if so.
|
||||
// does nothing if no token is found
|
||||
// called from constructor and by poller
|
||||
@ -1309,12 +1290,6 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
}
|
||||
continue;
|
||||
}
|
||||
if (isLegacy(mechInfo)) {
|
||||
if (showInfo) {
|
||||
System.out.println("DISABLED due to legacy");
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
if (brokenMechanisms.contains(longMech)) {
|
||||
if (showInfo) {
|
||||
@ -1336,6 +1311,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (ds == null) {
|
||||
continue;
|
||||
}
|
||||
boolean allowLegacy = config.getAllowLegacy();
|
||||
descLoop:
|
||||
for (Descriptor d : ds) {
|
||||
Integer oldMech = supportedAlgs.get(d);
|
||||
@ -1351,6 +1327,21 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// assume full support if no mech info available
|
||||
if (!allowLegacy && mechInfo != null) {
|
||||
if ((d.type == CIP &&
|
||||
(mechInfo.flags & CKF_ENCRYPT) == 0) ||
|
||||
(d.type == SIG &&
|
||||
(mechInfo.flags & CKF_SIGN) == 0)) {
|
||||
if (showInfo) {
|
||||
System.out.println("DISABLED " + d.type +
|
||||
" " + d.algorithm +
|
||||
" due to partial support");
|
||||
}
|
||||
continue;
|
||||
}
|
||||
}
|
||||
supportedAlgs.put(d, integerMech);
|
||||
continue;
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user