8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms #20207
…pported mechanisms
👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into
@valeriepeng This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 480 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the
@valeriepeng The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.
LGTM.
Thanks Haimay for the review~
I understand that the sample config is for a test, but are there any mechanisms we would want to disable by default? It occurred to me as I was reading through the test and noticed that SHA1 was not in the disabled list for the test.
Are you asking about general PKCS11 provider configuration setting? For PKCS11 providers, users provide their provider configuration file and they decide what to disable. As for SHA-1, it's not disabled by default for SUN provider either.
@martinuy Can you also review this? IIRC, this is introduced by the PBE PKCS12 changes earlier.
Overall, I like the change because in addition to fixing the bug we will save some getMechanismInfo
calls for mechanisms that are supported by the token but disabled in the configuration. I made a couple of minor comments, though.
Arrays.stream(supportedMechanisms).boxed().collect | ||
(Collectors.toCollection(HashSet::new)); | ||
if (config.getDisabledMechanisms() != null) { | ||
enabledMechSet.removeAll(config.getDisabledMechanisms()); |
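Review bot: on the `enabledMechSet.removeAll(config.getDisabledMechanisms())` line, the removal only takes effect if the disabled collection holds `Long` elements, because `.boxed()` on a `long[]` stream yields `Long`. `removeAll` accepts any `Collection<?>`, so a collection of another numeric type would compile and silently remove nothing, leaving disabled mechanisms in the set. The declaration of `enabledMechSet` is not visible in these lines; declaring it as `Set<Long>` and adding a test that a disabled mechanism is absent from the resulting set would make the intent checkable.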
Should enabledMechSet be further restricted to Config::enabledMechanisms (if set)? Config::disabledMechanisms looks like a fallback for when Config::enabledMechanisms is not set, according to Config::isEnabled. I'd keep the logic that makes Config::enabledMechanisms work in pair with Config::disabledMechanisms in a single place, as duplicating it into two different places may lead to misalignment.
Yes, you have a good point. Let me think about it and see how to better handle this.
||
for (int i = 0; i < supportedMechanisms.length; i++) { | ||
long longMech = supportedMechanisms[i]; | ||
for (long longMech : supportedMechanisms) { |
Is the code under if (!config.isEnabled(longMech)) {
still needed? Looks to me that we will be iterating over enabled mechanisms now.
Just for the record, I want to note that we will no longer be showing information about supported but disabled mechanisms here.
Right, I agree that it's better to show info about supported but disabled mechanisms.
…ailable mechanisms.
Looks good to me.
Thanks Martin for the review~
Change looks fine.
Updated webrev looks good.
/integrate
Going to push as commit fdfe503.
Your commit was automatically rebased without conflicts.
@valeriepeng Pushed as commit fdfe503. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
Hi. I'm the original reporter of this issue.
I have just opened a request to backport this to JDK 21 update. Someone from the sustaining team should handle the backport request. Thanks~
Correction: It'll be the OpenJDK21 maintainers to handle the backport request (not the sustaining team).
@GoeLin I fixed this in jdk24 and the submitter hopes that can be backported to jdk21. Is this something that you can help with? Thanks!
Can someone help review this fix? Changed the required-mechanism check by checking if the particular mechanism is inside the list of enabled supported mechanisms. This should be more reliable than calling C_GetMechanismInfo(..) on the required mechanism given vendors may return various sorts of error codes.
Thanks,
Valerie
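
The approach described above, as an added example that is not the JDK's own code: the enabled/disabled policy is evaluated in one place, applied once to the token's mechanism list, and required mechanisms are then checked by set membership instead of a per-mechanism token query. `MechConfig`, `enabledSupported` and `allAvailable` are hypothetical names, the token list is constructed, and the `CKM_*` values are the mechanism types from the PKCS #11 specification.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;

public class EnabledMechanismCheck {
    // PKCS #11 mechanism type values (CKM_*).
    static final long CKM_SHA_1 = 0x220L, CKM_SHA256 = 0x250L,
            CKM_SHA256_HMAC = 0x251L, CKM_AES_CBC = 0x1082L;

    // Hypothetical stand-in for the provider configuration.
    // A null set means that list was not configured.
    record MechConfig(Set<Long> enabled, Set<Long> disabled) {
        // Single place for the policy: an explicit enabled list wins,
        // the disabled list is only the fallback when no enabled list is set.
        boolean isEnabled(long mech) {
            if (enabled != null) return enabled.contains(mech);
            if (disabled != null) return !disabled.contains(mech);
            return true;
        }
    }

    // Mechanisms that the token reports AND the configuration allows.
    static Set<Long> enabledSupported(long[] supported, MechConfig cfg) {
        return Arrays.stream(supported).boxed()
                .filter(cfg::isEnabled)
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    // Required-mechanism check by membership: the token is never asked about
    // a mechanism it did not list, so vendor-specific error codes cannot occur.
    static boolean allAvailable(Set<Long> usable, long... required) {
        return Arrays.stream(required).allMatch(usable::contains);
    }

    public static void main(String[] args) {
        // Constructed sample of a token's mechanism list; no HMAC mechanism offered.
        long[] tokenList = {CKM_SHA_1, CKM_SHA256, CKM_AES_CBC};

        // Only a disabled list is configured: SHA-1 is filtered out.
        Set<Long> a = enabledSupported(tokenList, new MechConfig(null, Set.of(CKM_SHA_1)));
        System.out.println("SHA-256 usable: " + allAvailable(a, CKM_SHA256));
        System.out.println("SHA-1 usable: " + allAvailable(a, CKM_SHA_1));
        System.out.println("SHA-256 + HMAC usable: " + allAvailable(a, CKM_SHA256, CKM_SHA256_HMAC));

        // An enabled list is configured as well: the disabled list is ignored.
        Set<Long> b = enabledSupported(tokenList,
                new MechConfig(Set.of(CKM_SHA_1, CKM_AES_CBC), Set.of(CKM_SHA_1)));
        System.out.println("With enabled list, SHA-1 usable: " + allAvailable(b, CKM_SHA_1));
    }
}
```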
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/20207/head:pull/20207
$ git checkout pull/20207
Update a local copy of the PR:
$ git checkout pull/20207
$ git pull https://git.openjdk.org/jdk.git pull/20207/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 20207
View PR using the GUI difftool:
$ git pr show -t 20207
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/20207.diff