8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic #18387
Conversation
|
👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into |
|
@valeriepeng This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 734 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
@valeriepeng The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
|
Is "disableLegacy" a standard PKCS11 attribute we are introducing support for? If so, I think a CSR is probably needed as it is kind of like a system property. |
It's a configuration file option. Just for the uncommon case if users would like to disable the check entirely. I can file a CSR on this. Thanks for the comment. |
Thanks for the review~ |
openjdk
bot
added
csr
|
/csr |
|
@valeriepeng an approved CSR request is already required for this pull request. |
| if (!allowLegacy && mechInfo != null) { | ||
| if ((d.type == CIP && | ||
| (mechInfo.flags & CKF_ENCRYPT) == 0) || | ||
| (d.type == SIG && | ||
| (mechInfo.flags & CKF_SIGN) == 0)) { | ||
| if (showInfo) { | ||
| System.out.println("DISABLED " + d.type + | ||
| " " + d.algorithm + | ||
| " due to partial support"); | ||
| } | ||
| continue; | ||
| } | ||
| } |
There was a problem hiding this comment.
I'm curious why this check was moved down in the file. The only advantage I see is that you have access to d.type.
There was a problem hiding this comment.
Yes, this is the purpose, e.g. perform the check based on the type of registered service. The earlier check does not take into account of the registered service and disables a mechanism completely even when it can still be used for some.
For example, a mechanism supports decryption, signing, and verification will be disabled completely with the earlier check, but will still be enabled for Signature with this proposed change.
I tested the change manually by changing some behavior to simulate the case. However, this cannot be done by regression test since NSS does not have legacy mechanisms. |
|
@valeriepeng can this feature be backported to Java 17 ? |
openjdk
bot
added
ready
I suppose so, the PKCS11 configuration attribute part which requires CSR can be separated out if needed. |
|
@mcpowers I am about to leave for vacation. Will wait for your review and resume on this PR after I return. Thanks! |
|
Your changes look fine to me. |
|
/integrate |
|
Going to push as commit 1b476f5.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
|
@valeriepeng Pushed as commit 1b476f5. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
|
Many thanks @valeriepeng for this feature. |
|
UP @valeriepeng possible to backport PKCS11 configuration attribute part on JDK 17 or 21 ? |
I am not sure, let me check and get back to you. |
Based on the feedback that I got, it should be ok to backport the PKCS11 configuration attribute, separate CSRs would be needed for that though. |
|
Many thanks @valeriepeng ! |
This would be subject to the 21u and 17u Maintainer. I've opened the backport request against 17-pool and 21-pool but someone needs to file the CSR and do the actual backport. |
Existing legacy mechanism check disables mechanism(s) when the support is partial, e.g. supports decryption but not encryption, or supports verification but not signing. Some mechanisms can be used for both encryption/decryption and sign/verify such as RSA related ones. If the particular mechanism supports sign/verify/decryption but not encryption, it'd be disabled as a result. Fine tune the legacy mechanism check with the service type, i.e. supports encryption for Cipher, sign for Signature, so the mechanism is disabled based on the service type.
For completeness sake, I also added a PKCS11 provider configuration option to control this. If not set, SunPKCS11 provider will disable legacy mechanisms by default.
Progress
Issues
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18387/head:pull/18387$ git checkout pull/18387Update a local copy of the PR:
$ git checkout pull/18387$ git pull https://git.openjdk.org/jdk.git pull/18387/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 18387View PR using the GUI difftool:
$ git pr show -t 18387Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18387.diff
Webrev
Link to Webrev Comment