JDK-8335288

SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms


    • b26
    • 21
    • b16
    • generic
    • generic

        ADDITIONAL SYSTEM INFORMATION :
        Problem observed with Utimaco CryptoServer PKCS11 device, but is of general scope

        A DESCRIPTION OF THE PROBLEM :
        With the introduction of https://bugs.openjdk.org/browse/JDK-8308719 the SunPKCS11 provider will query the PKCS11 device (C_GetMechanismInfo) for mechanisms that are not supported.
        This happens because of new logic, which queries info for "required mechanisms" for a feature, even if that mechanism is not returned by C_GetMechanismList and even if the mechanism is blacklisted in disabledMechanisms.
        At least some PKCS11 implementations will respond with CKR_FUNCTION_FAILED when C_GetMechanismInfo is called with an unknown mechanism. This makes it impossible to initialize the PKCS11 interface.
        This happens in SunPKCS11.java, line 1309ff:

                    // Check that other mechanisms required for the
                    // service are supported before listing it as
                    // available for the first time.
                    for (int requiredMech : d.requiredMechs) {
                        if (token.getMechanismInfo(
                                requiredMech & 0xFFFFFFFFL) == null) {
                            continue descLoop;
                        }
                    }
                }

        REGRESSION : Last worked in version 20

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Configure a PKCS11 device as described in:
        https://docs.oracle.com/en/java/javase/21/security/pkcs11-reference-guide1.html
        Run
        keytool -v -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg c:/pkcs11/pkcs11.cfg

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        List of keys in PKCS11 device
        ACTUAL -
        keytool error: java.security.ProviderException: Initialization failed
        java.security.ProviderException: Initialization failed
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:391)
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:126)
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:123)
                at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:123)
                at java.base/sun.security.tools.KeyStoreUtil.loadProviderByName(KeyStoreUtil.java:283)
                at java.base/sun.security.tools.KeyStoreUtil.loadProviderByClass(KeyStoreUtil.java:316)
                at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:834)
                at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
                at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
        Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
                at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GetMechanismInfo(Native Method)
                at jdk.crypto.cryptoki/sun.security.pkcs11.Token.getMechanismInfo(Token.java:399)
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.initToken(SunPKCS11.java:1313)
                at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:382)
                ... 9 more

        CUSTOMER SUBMITTED WORKAROUND :
        Downgrade to Java 20 or below

        FREQUENCY : always
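
An added example, not JDK source and not the fix adopted for this issue, of the gating the report implies: check the C_GetMechanismList result and the disabled set before calling C_GetMechanismInfo, and treat a failure on one mechanism as "unsupported" rather than fatal. The Token interface, requiredMechsUsable and the strict token are hypothetical stand-ins constructed for illustration; the CKM_* values are the PKCS#11 mechanism ids.

```java
import java.util.HashSet;
import java.util.Set;

public class RequiredMechCheck {
    // Hypothetical stand-in for a PKCS#11 token; not the JDK's Token class.
    interface Token {
        long[] mechanismList();          // models C_GetMechanismList
        Object mechanismInfo(long mech); // models C_GetMechanismInfo
    }

    static final long CKM_SHA256 = 0x250L;
    static final long CKM_SHA256_HMAC = 0x251L;
    static final long CKM_PKCS5_PBKD2 = 0x3B0L;

    /** True only if every required mechanism is advertised, enabled and has info. */
    static boolean requiredMechsUsable(Token t, Set<Long> disabled, long... required) {
        Set<Long> listed = new HashSet<>();
        for (long m : t.mechanismList()) listed.add(m);
        for (long m : required) {
            // Never query the token about a mechanism it did not advertise
            // or that the configuration disabled.
            if (!listed.contains(m) || disabled.contains(m)) return false;
            try {
                if (t.mechanismInfo(m) == null) return false;
            } catch (RuntimeException e) {
                // Assumption: one failing query should hide the dependent
                // service, not abort provider initialization.
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed token that fails on unknown mechanisms, as described in the report.
        Token strict = new Token() {
            public long[] mechanismList() { return new long[] { CKM_SHA256, CKM_SHA256_HMAC }; }
            public Object mechanismInfo(long mech) {
                if (mech != CKM_SHA256 && mech != CKM_SHA256_HMAC)
                    throw new IllegalStateException("CKR_FUNCTION_FAILED");
                return "info";
            }
        };
        System.out.println(requiredMechsUsable(strict, Set.of(), CKM_SHA256_HMAC));
        System.out.println(requiredMechsUsable(strict, Set.of(), CKM_PKCS5_PBKD2));
        System.out.println(requiredMechsUsable(strict, Set.of(CKM_SHA256), CKM_SHA256));
    }
}
```

Only the first call reaches mechanismInfo; the unlisted and the disabled mechanism are rejected before the token is queried.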


              valeriep Valerie Peng
              webbuggrp Webbug Group