8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic

vieiro · gnu-andrew · commit da5bfa9a70a5 · 2025-03-27T00:31:27.000Z
Reviewed-by: andrew
Backport-of: 6f16a44784fbaeedfe4ccd6c4e7fb5280b329c2b
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -126,6 +126,9 @@ private static void debug(Object o) {
     // whether to print debug info during startup
     private boolean showInfo = false;
 
+    // whether to allow legacy mechanisms
+    private boolean allowLegacy = false;
+
     // template manager, initialized from parsed attributes
     private TemplateManager templateManager;
 
@@ -256,6 +259,10 @@ boolean getShowInfo() {
         return (SunPKCS11.debug != null) || showInfo;
     }
 
+    boolean getAllowLegacy() {
+        return allowLegacy;
+    }
+
     TemplateManager getTemplateManager() {
         if (templateManager == null) {
             templateManager = new TemplateManager();
@@ -449,6 +456,8 @@ private void parse() throws IOException {
                 destroyTokenAfterLogout = parseBooleanEntry(word);
             } else if (word.equals("showInfo")) {
                 showInfo = parseBooleanEntry(word);
+            } else if (word.equals("allowLegacy")) {
+                allowLegacy = parseBooleanEntry(word);
             } else if (word.equals("keyStoreCompatibilityMode")) {
                 keyStoreCompatibilityMode = parseBooleanEntry(word);
             } else if (word.equals("explicitCancel")) {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -956,25 +956,6 @@ public Object run() {
         }
     }
 
-    private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
-            throws PKCS11Exception {
-        // assume full support if no mech info available
-        // For vendor-specific mechanisms, often no mech info is provided
-        boolean partialSupport = false;
-
-        if (mechInfo != null) {
-            if ((mechInfo.flags & CKF_DECRYPT) != 0) {
-                // non-legacy cipher mechs should support encryption
-                partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
-            }
-            if ((mechInfo.flags & CKF_VERIFY) != 0) {
-                // non-legacy signature mechs should support signing
-                partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
-            }
-        }
-        return partialSupport;
-    }
-
     // test if a token is present and initialize this provider for it if so.
     // does nothing if no token is found
     // called from constructor and by poller
@@ -1025,12 +1006,6 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
                 }
                 continue;
             }
-            if (isLegacy(mechInfo)) {
-                if (showInfo) {
-                    System.out.println("DISABLED due to legacy");
-                }
-                continue;
-            }
 
             // we do not know of mechs with the upper 32 bits set
             if (longMech >>> 32 != 0) {
@@ -1045,9 +1020,25 @@ private void initToken(CK_SLOT_INFO slotInfo) throws PKCS11Exception {
             if (ds == null) {
                 continue;
             }
+            boolean allowLegacy = config.getAllowLegacy();
             for (Descriptor d : ds) {
                 Integer oldMech = supportedAlgs.get(d);
                 if (oldMech == null) {
+
+                    // assume full support if no mech info available
+                    if (!allowLegacy && mechInfo != null) {
+                        if ((d.type == CIP &&
+                                (mechInfo.flags & CKF_ENCRYPT) == 0) ||
+                                (d.type == SIG &&
+                                (mechInfo.flags & CKF_SIGN) == 0)) {
+                            if (showInfo) {
+                                System.out.println("DISABLED " +  d.type +
+                                        " " + d.algorithm +
+                                        " due to partial support");
+                            }
+                            continue;
+                        }
+                    }
                     supportedAlgs.put(d, integerMech);
                     continue;
                 }
