archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8176837: SunPKCS11 provider needs to check more details on PKCS11 Mechanism

Browse source 
Disable mechanisms with partial support, e.g. can decrypt but cannot encrypt

Reviewed-by: xuelei
This commit is contained in:
Valerie Peng 2019-09-20 21:33:24 +00:00
parent d564ab722a
commit 46db25e188
1 changed files with 38 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

45
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
View file

@ -62,7 +62,6 @@ public final class SunPKCS11 extends AuthProvider {
private static final long serialVersionUID = -1354835039035306505L; private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); static final Debug debug = Debug.getInstance("sunpkcs11");
// the PKCS11 object through which we make the native calls // the PKCS11 object through which we make the native calls
final PKCS11 p11; final PKCS11 p11;
@ -913,6 +912,25 @@ public final class SunPKCS11 extends AuthProvider {
createPoller(); createPoller();
} }
private static boolean isLegacy(CK_MECHANISM_INFO mechInfo)
throws PKCS11Exception {
// assume full support if no mech info available
// For vendor-specific mechanisms, often no mech info is provided
boolean partialSupport = false;
if (mechInfo != null) {
if ((mechInfo.flags & CKF_DECRYPT) != 0) {
// non-legacy cipher mechs should support encryption
partialSupport |= ((mechInfo.flags & CKF_ENCRYPT) == 0);
}
if ((mechInfo.flags & CKF_VERIFY) != 0) {
// non-legacy signature mechs should support signing
partialSupport |= ((mechInfo.flags & CKF_SIGN) == 0);
}
}
return partialSupport;
}
// test if a token is present and initialize this provider for it if so. // test if a token is present and initialize this provider for it if so.
// does nothing if no token is found // does nothing if no token is found
// called from constructor and by poller // called from constructor and by poller
@ -946,24 +964,35 @@ public final class SunPKCS11 extends AuthProvider {
// return a CKM_DES_CBC_PAD. // return a CKM_DES_CBC_PAD.
final Map<Descriptor,Integer> supportedAlgs = final Map<Descriptor,Integer> supportedAlgs =
new HashMap<Descriptor,Integer>(); new HashMap<Descriptor,Integer>();
for (int i = 0; i < supportedMechanisms.length; i++) { for (int i = 0; i < supportedMechanisms.length; i++) {
long longMech = supportedMechanisms[i]; long longMech = supportedMechanisms[i];
boolean isEnabled = config.isEnabled(longMech); CK_MECHANISM_INFO mechInfo = token.getMechanismInfo(longMech);
if (showInfo) { if (showInfo) {
CK_MECHANISM_INFO mechInfo =
p11.C_GetMechanismInfo(slotID, longMech);
System.out.println("Mechanism " + System.out.println("Mechanism " +
Functions.getMechanismName(longMech) + ":"); Functions.getMechanismName(longMech) + ":");
if (isEnabled == false) { System.out.println(mechInfo == null?
(Constants.INDENT + "info n/a") :
mechInfo);
}
if (!config.isEnabled(longMech)) {
if (showInfo) {
System.out.println("DISABLED in configuration"); System.out.println("DISABLED in configuration");
} }
System.out.println(mechInfo);
}
if (isEnabled == false) {
continue; continue;
} }
if (isLegacy(mechInfo)) {
if (showInfo) {
System.out.println("DISABLED due to legacy");
}
continue;
}
// we do not know of mechs with the upper 32 bits set // we do not know of mechs with the upper 32 bits set
if (longMech >>> 32 != 0) { if (longMech >>> 32 != 0) {
if (showInfo) {
System.out.println("DISABLED due to unknown mech value");
}
continue; continue;
} }
int mech = (int)longMech; int mech = (int)longMech;