On Wed, 20 Mar 2024 02:44:19 GMT, Valerie Peng <valer...@openjdk.org> wrote:

> Existing legacy mechanism check disables mechanism(s) when the support is 
> partial, e.g. supports decryption but not encryption, or supports 
> verification but not signing. Some mechanisms can be used for both 
> encryption/decryption and sign/verify such as RSA related ones. If the 
> particular mechanism supports sign/verify/decryption but not encryption, it'd 
> be disabled as a result. Fine tune the legacy mechanism check with the 
> service type, i.e. supports encryption for Cipher, sign for Signature, so 
> the mechanism is disabled based on the service type.
> For completeness' sake, I also added a PKCS11 provider configuration option to 
> control this. If not set, SunPKCS11 provider will disable legacy mechanisms 
> by default.

This pull request has now been integrated.

Changeset: 1b476f52
Author:    Valerie Peng <valer...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/1b476f52ba85f9ceaabe785d36cb07df831fd0e8
Stats:     51 lines in 2 files changed: 25 ins; 25 del; 1 mod

8293345: SunPKCS11 provider checks on PKCS11 Mechanism are problematic

Reviewed-by: djelinski, weijun

-------------

PR: https://git.openjdk.org/jdk/pull/18387
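
The difference between the two checks described in the quoted summary, as an added example that is not code from the JDK changeset. It is a simplified model: the class, method and `permitLegacy` names are hypothetical, the sample flags are constructed, and only the `CKF_*` bit values come from the PKCS#11 specification.

```java
public class LegacyMechCheck {
    // CK_MECHANISM_INFO flag bits as defined by the PKCS#11 specification.
    static final long CKF_ENCRYPT = 0x0100L, CKF_DECRYPT = 0x0200L;
    static final long CKF_SIGN = 0x0800L, CKF_VERIFY = 0x2000L;

    enum Service { CIPHER, SIGNATURE }

    // Service-agnostic check: partial support in either direction marks
    // the mechanism legacy for every service that would use it.
    static boolean legacyAnyService(long flags) {
        boolean decryptOnly = (flags & CKF_DECRYPT) != 0 && (flags & CKF_ENCRYPT) == 0;
        boolean verifyOnly = (flags & CKF_VERIFY) != 0 && (flags & CKF_SIGN) == 0;
        return decryptOnly || verifyOnly;
    }

    // Service-aware check: Cipher needs encryption, Signature needs signing.
    static boolean legacyFor(Service svc, long flags) {
        long required = (svc == Service.CIPHER) ? CKF_ENCRYPT : CKF_SIGN;
        return (flags & required) == 0;
    }

    // permitLegacy is a hypothetical stand-in for the provider option;
    // false models the default of disabling legacy mechanisms.
    static boolean enabled(Service svc, long flags, boolean permitLegacy) {
        return permitLegacy || !legacyFor(svc, flags);
    }

    public static void main(String[] args) {
        // Constructed sample: an RSA-style mechanism that a token exposes
        // for sign/verify/decrypt but not for encrypt.
        long flags = CKF_SIGN | CKF_VERIFY | CKF_DECRYPT;
        System.out.println("service-agnostic legacy: " + legacyAnyService(flags));
        for (Service svc : Service.values()) {
            System.out.println(svc + " default=" + enabled(svc, flags, false)
                    + " permitLegacy=" + enabled(svc, flags, true));
        }
    }
}
```

With the constructed flags, the service-agnostic check rejects the mechanism outright, while the service-aware check keeps it available for Signature and withholds it only from Cipher unless legacy use is permitted.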
