-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
minimal
-
none; adding new configuration option to disable legacy check and allow legacy mechanism being used.
-
Other
-
JDK
Summary
As some crypto algorithms become legacy (e.g. not strong enough for modern computers and thus being phased out), some PKCS11 library implementations may start limiting the usage for these algorithms. For example, for Cipher, only decryption is allowed but not encryption. This way, earlier encrypted data can be recovered but data won't be encrypted with legacy algorithm. Under https://bugs.openjdk.org/browse/JDK-8176837 , SunPKCS11 provider is updated to check and disable the legacy mechanisms. Further adjustment will be made to fine-tune the check and also provide a configuration attribute "allowLegacy" to disable the check if desired.
Problem
Under the existing check for identifying legacy algorithms, an algorithm would be disabled if it supports decryption but not encryption, or if it supports verification but not signing. For example, an algorithm would be disabled if it supports decryption, signing, and verification but not encryption. The check should be fine-tuned to only disable the algorithm for Cipher crypto service but not Signature crypto service since both signing and verification are supported. In addition, once an algorithm is identified as legacy and disabled, there is no setting to enable them for the supported usage.
Solution
Provide a "allowLegacy" configuration attribute in SunPKCS11 provider configuration file to allow applications to bypass the legacy check if needed. In addition, existing check will be updated to disable algorithms based on the registered crypto service. Using the earlier example of the algorithm supporting decryption, signing, and verification but not encryption, it will be disabled for Cipher crypto service but remain enabled for Signature crypto service.
Specification
Update the "SunPKCS11 Configuration" paragraph under the "PKCS#11 Reference Guide" section of "Security Developer's Guide" document with the new "allowLegacy" configuration attribute.
Attribute | Value | Description |
---|---|---|
allowLegacy | Boolean value, default: false | For Cipher crypto service registrations, PKCS11 mechanisms supporting decryption but not encryption are considered legacy and will be disabled by default. Similarly, for Signature crypto service registrations, PKCS11 mechanisms supporting verification but not signing are considered legacy and will be disabled by default. If set to true , SunPKCS11 provider will not disable legacy mechanisms. |
- csr of
-
JDK-8293345 SunPKCS11 provider checks on PKCS11 Mechanism are problematic
- Resolved
- relates to
-
JDK-8343498 SunPKCS11 provider checks on PKCS11 Mechanism are problematic
- Closed