8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic

[vieiro]

Clean backport of JDK-8293345 (but a copyright line, that is) for parity with 11.0.27-oracle.

Tier 1 tests pass in Linux.

---

Progress

• JDK-8293345 needs maintainer approval
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8343498 to be approved

Issues

• JDK-8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic (Enhancement - P3 - Approved)
• JDK-8343498: SunPKCS11 provider checks on PKCS11 Mechanism are problematic (CSR)

Reviewers

• Andrew John Hughes (@gnu-andrew - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/2983/head:pull/2983
$ git checkout pull/2983

Update a local copy of the PR:
$ git checkout pull/2983
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/2983/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2983

View PR using the GUI difftool:
$ git pr show -t 2983

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/2983.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back vieiro! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@vieiro This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic

Reviewed-by: andrew

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 37 new commits pushed to the master branch:

• 6d469db: 8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
• 6b7a312: 8309841: Jarsigner should print a warning if an entry is removed
• 428c2a2: 8348596: Update FreeType to 2.13.3
• bf78d9b: 8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
• 624cef6: 8351099: Bump update version of OpenJDK: 11.0.28
• 8785172: 8026976: ECParameters, Point does not match field size
• 289644a: 8346887: DrawFocusRect() may cause an assertion failure
• ea3a0e4: 8328957: Update PKCS11Test.java to not use hardcoded path
• 659a466: 8306408: Fix the format of several tables in building.md
• 86dddbc: 8347427: JTabbedPane/8134116/Bug8134116.java has no license header
• ... and 27 more: https://git.openjdk.org/jdk11u-dev/compare/a47c72fad455bfdf9053cb8e94c99e73965ab50d...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@gnu-andrew) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[openjdk]

⚠️ @vieiro This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[mlbridge]

Webrevs

• 00: Full (8e1185e6)

[vieiro]

/approval request Let's allow PCKS11 legacy mechanisms in JDK11 too, as in 11.0.27-oracle and upper OpenJDK versions.

[openjdk]

@vieiro
8293345: The approval request has been created successfully.

[bridgekeeper]

@vieiro This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[vieiro]

Let's keep it open. I may want to run additional tests too.

[bridgekeeper]

@vieiro This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[gnu-andrew]

Backport looks good with copyright header difference in Config.java correctly resolved. Builds and passes GHA tests.

[gnu-andrew]

It seems a little odd that this bug, JDK-8293345 is listed as an enhancement - that I would usually be wary of backporting - but the bug that actually introduced the concept of legacy mechanism (JDK-8176837) - is regarded as a bug. What this change is effectively doing is allowing the legacy determination added by 8176837 to be overridden by the user in the configuration.

To my mind, this seems more like a bug fix for a regression created by 8176837, whereby mechanisms that worked prior to 8176837 can no longer be used due to the legacy determination. With this change, the user can explicitly enable such mechanisms again as needed.

With that in mind, and the CSR already in place all the way back to 8u, I'm ok with approving this for 11u. By default, the legacy override is off so the only change is that the legacy check is less intrusive and only checks ciphers for encryption and signatures for signing. Previously, a signature that could sign & verify would be regarded as legacy and disabled if it couldn't also encrypt, which is unnecessary. So this should also make more cases possible even without the new config flag enabled.

/approve yes

[openjdk]

@gnu-andrew
8293345: The approval request has been approved.

[vieiro]

Thanks for the approval, let's integrate.

/integrate

[openjdk]

@vieiro
Your change (at version 8e1185e) is now ready to be sponsored by a Committer.

[gnu-andrew]

/sponsor

[openjdk]

Going to push as commit da5bfa9.
Since your change was applied there have been 38 commits pushed to the master branch:

• c56a86d: 8331959: Update PKCS#11 Cryptographic Token Interface to v3.1
• 6d469db: 8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
• 6b7a312: 8309841: Jarsigner should print a warning if an entry is removed
• 428c2a2: 8348596: Update FreeType to 2.13.3
• bf78d9b: 8339728: [Accessibility,Windows,JAWS] Bug in the getKeyChar method of the AccessBridge class
• 624cef6: 8351099: Bump update version of OpenJDK: 11.0.28
• 8785172: 8026976: ECParameters, Point does not match field size
• 289644a: 8346887: DrawFocusRect() may cause an assertion failure
• ea3a0e4: 8328957: Update PKCS11Test.java to not use hardcoded path
• 659a466: 8306408: Fix the format of several tables in building.md
• ... and 28 more: https://git.openjdk.org/jdk11u-dev/compare/a47c72fad455bfdf9053cb8e94c99e73965ab50d...master

Your commit was automatically rebased without conflicts.

[openjdk]

@gnu-andrew @vieiro Pushed as commit da5bfa9.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.