8325254: CKA_TOKEN private and secret keys are not necessarily sensitive

Reviewed-by: mbalao
Backport-of: 0f5f3c9b9718c610406088327401210486447462

Author: franferrax

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java

@@ -261,10 +261,8 @@ protected void engineSetPadding(String padding)
                 // no native padding support; use our own padding impl
                 paddingObj = new PKCS5Padding(blockSize);
                 padBuffer = new byte[blockSize];
-                char[] tokenLabel = token.tokenInfo.label;
                 // NSS requires block-sized updates in multi-part operations.
-                reqBlockUpdates = ((tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
-                        && tokenLabel[2] == 'S') ? true : false);
+                reqBlockUpdates = P11Util.isNSS(token);
             }
         } else {
             throw new NoSuchPaddingException("Unsupported padding " + padding);

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java

@@ -139,9 +139,7 @@ abstract class P11Key implements Key, Length {
         this.tokenObject = tokenObject;
         this.sensitive = sensitive;
         this.extractable = extractable;
-        char[] tokenLabel = this.token.tokenInfo.label;
-        isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
-                && tokenLabel[2] == 'S');
+        isNSS = P11Util.isNSS(this.token);
         boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
                 extractable && !tokenObject);
         this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
@@ -395,8 +393,9 @@ static PrivateKey privateKey(Session session, long keyID, String algorithm,
                     new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
 
-        boolean keySensitive = (attrs[0].getBoolean() ||
-                attrs[1].getBoolean() || !attrs[2].getBoolean());
+        boolean keySensitive =
+                (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+                attrs[1].getBoolean() || !attrs[2].getBoolean();
 
         switch (algorithm) {
         case "RSA":

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java

@@ -44,6 +44,15 @@ private P11Util() {
         // empty
     }
 
+    static boolean isNSS(Token token) {
+        char[] tokenLabel = token.tokenInfo.label;
+        if (tokenLabel != null && tokenLabel.length >= 3) {
+            return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
+                    && tokenLabel[2] == 'S');
+        }
+        return false;
+    }
+
     static Provider getSunProvider() {
         Provider p = sun;
         if (p == null) {