On Tue, 23 Mar 2021 01:01:14 GMT, Valerie Peng <valer...@openjdk.org> wrote:

>> P11PrivateKey is private so we cannot check that. Our options to figure out 
>> if something is sensitive are:
>> 1. See if it doesn't implement `RSAPrivateKey` (this yields the prior 
>> snippet with `implGetSoftwareFactory()`)
>> 2. Try to access the attributes directly from the token (this yields the 
>> current solution which we're modifying)
>> 3. Check the value of `p11Key.extractable` (which is package-private and 
>> thus visible)
>> 
>> The smallest change would be to keep our strategy as 2. While I like it the 
>> least (my favorite is number 1) it has the smallest risk of changing some 
>> undocumented behavior on a PKCS#11 device that we're unfamiliar with (and 
>> not testing because we may not have the hardware costing tens of thousands 
>> of dollars). Option 3 somewhat splits the difference between 1 and 2.
>
> Or, how about changing the scope of 
> P11PrivateKey/P11RSAPrivateKey/P11RSAPrivateNonCRTKey to pkg private? This 
> way we can take advantage of the info implied by the type of class and avoid 
> the potential double failure of querying the attributes.

Rest of changes look good. Thanks for the update.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2949
