From 338cf0dada68f165d180b8b393fde1f717387f06 Mon Sep 17 00:00:00 2001
From: Bob Du
Date: Wed, 28 Feb 2024 17:46:02 -0500
Subject: [PATCH] 8325254: CKA_TOKEN private and secret keys are not necessarily sensitive
Backporting a fix from OpenJDK in advance that changes the sensitivity check for a key to only include CKA_TOKEN if it's using NSS.
Signed-off-by: Bob Du
---
 .../share/classes/sun/security/pkcs11/P11Key.java | 5 +++--
 .../share/classes/sun/security/pkcs11/P11Util.java | 9 +++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index 2ba4b6171c3..dcca83b7af1 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -422,8 +422,9 @@ static PrivateKey privateKey(Session session, long keyID, String algorithm,
             new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
 
-        boolean keySensitive = (attrs[0].getBoolean() ||
-                attrs[1].getBoolean() || !attrs[2].getBoolean());
+        boolean keySensitive =
+                (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+                attrs[1].getBoolean() || !attrs[2].getBoolean();
         if (keySensitive && (SunPKCS11.mysunpkcs11 != null) &&
                 "RSA".equals(algorithm)) {
             try {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
index 262cfc062ad..cabee449346 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
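Review bot: The rewritten keySensitive expression carries no comment on why CKA_TOKEN counts toward sensitivity only on NSS tokens, and the commit message gives the what rather than the why, so a later reader cannot tell whether the NSS special case is deliberate. Suggest two lines above it: `// CKA_TOKEN alone does not make a key sensitive; only NSS needs the` / `// token flag treated that way (JDK-8325254).` The practical effect is that on every non-NSS PKCS#11 library a CKA_TOKEN private key that the token reports as non-sensitive and extractable now takes the non-sensitive path, so whatever that path does with the key (it lies outside this hunk) now also applies to persistent token keys, which is worth confirming for HSM-style deployments. The decision now rests on the token's own CKA_SENSITIVE and CKA_EXTRACTABLE answers, which is the right authority but moves that trust boundary from the JDK to the module. privateKey continues outside the hunk.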
@@ -44,6 +44,15 @@ private P11Util() {
         // empty
     }
 
+    static boolean isNSS(Token token) {
+        char[] tokenLabel = token.tokenInfo.label;
+        if (tokenLabel != null && tokenLabel.length >= 3) {
+            return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
+                    && tokenLabel[2] == 'S');
+        }
+        return false;
+    }
+
     static Provider getSunProvider() {
         Provider p = sun;
         if (p == null) {
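Review bot: isNSS has no Javadoc, and its contract is a three-character prefix match on the token label rather than a library identity check, which the caller in P11Key needs to know. Suggest: `/** Returns true when the token label starts with "NSS"; used to keep NSS's CKA_TOKEN keys sensitive (JDK-8325254). Prefix match on CK_TOKEN_INFO.label, not a library check. */`. Because the label comes from the PKCS#11 module's token info, any module can present one starting with "NSS"; given how P11Key uses the result, a spoofed match only makes CKA_TOKEN keys count as sensitive, so the heuristic fails closed, while a genuine NSS token with an unexpected label falls through to the CKA_SENSITIVE / CKA_EXTRACTABLE check alone. The body also dereferences `token.tokenInfo` without a null check, which is fine only if Token always populates it — worth confirming. The conditional could be a single boolean return, `return tokenLabel != null && tokenLabel.length >= 3 && tokenLabel[0] == 'N' && tokenLabel[1] == 'S' && tokenLabel[2] == 'S';`.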