8325254: CKA_TOKEN private and secret keys are not necessarily sensitive

Reviewed-by: valeriep
ibmruntimes · Feb 28, 2024 · 1b42f44 · 1b42f44
1 parent cdc12a5
commit 1b42f44
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -437,8 +437,9 @@ static PrivateKey privateKey(Session session, long keyID, String algorithm,
                     new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
 
-        boolean keySensitive = (attrs[0].getBoolean() ||
-                attrs[1].getBoolean() || !attrs[2].getBoolean());
+        boolean keySensitive =
+                (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+                attrs[1].getBoolean() || !attrs[2].getBoolean();
 
         if (keySensitive && (SunPKCS11.mysunpkcs11 != null) && "RSA".equals(algorithm)) {
             try {