On Wed, 20 Mar 2024 02:44:19 GMT, Valerie Peng <valer...@openjdk.org> wrote:
> Existing legacy mechanism check disables mechanism(s) when the support is > partial, e.g. supports decryption but not encryption, or supports > verification but not signing. Some mechanisms can be used for both > encryption/decryption and sign/verify such as RSA related ones. If the > particular mechanism supports sign/verify/decryption but not encryption, it'd > be disabled as a result. Fine tune the legacy mechanism check with the > service type, i.e. supports encryption for Cipher, sign for Signature, so > the mechanism is disabled based on the service type. > For completeness sake, I also added a PKCS11 provider configuration option to > control this check (default is true, disable mechanisms with partial support). Is "disableLegacy" a standard PKCS11 attribute we are introducing support for? If so, I think a CSR is probably needed as it is kind of like a system property. ------------- PR Comment: https://git.openjdk.org/jdk/pull/18387#issuecomment-2021313367
