[8u] RFR 8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod

Andrew Hughes gnu.andrew at redhat.com
Wed May 26 17:32:33 UTC 2021 

On 17:38 Wed 26 May     , Andrew Hughes wrote:
> On 11:41 Wed 26 May     , Martin Balao wrote:
> > Hi Severin,
> > 
> > I'd like to request a review for the 8u backport of 8265462 [1].
> > 
> > Webrev.00:
> > 
> >  *
> > http://cr.openjdk.java.net/~mbalao/webrevs/8265462/8265462.webrev.8u.jdk.00/
> > 
> > The 11u backport applies cleanly to 8u (after paths conversion) but it's
> > not enough to work because of the following reasons:
> > 
> >  * src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h
> >   * 8u does not have the 8244154 enhancement, which is about updating
> > NSS PKCS11 header files from 2.40 to 3.0 (major change). The 8u backport
> > of 8265462 needs the typedef for CK_PROFILE_ID introduced there.
> > However, CK_PROFILE_ID is not new from PKCS 3.0: it is anecdotal that it
> > came with 8244154. I strongly believe that 8244154 should not be
> > considered a dependency for 8265462.
> > 
> > Testing:
> > 
> >  * I initially thought there were regressions because I recalled some of
> > the tests failing in jdk/sun/security/sunpkcs11 to be passing. Turns out
> > that these regressions are not caused by 8265462, they are a bit older.
> > I still went through the ones I thought that were regressions and they
> > don't seem to be related to 8265462 in any sense.
> >   * I'll need to spend some time fixing these tests but I wouldn't block
> > the 8u backport of 8265462.
> > 
> > Thanks,
> > Martin.-
> > 
> > --
> > [1] - https://bugs.openjdk.java.net/browse/JDK-8265462
> > 
> 
> 8244154 is marked as fixed in Oracle's 8u291, but has not yet been backported
> to OpenJDK 8u. Is this backport being altered to work around the current lack
> of 8244154 in 8u? If so, it should wait until 8244154 is in.
> 
> Thanks,
> -- 
> Andrew :)
> 
> Senior Free Java Software Engineer
> OpenJDK Package Owner
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
> Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222


Ok, the backport looks clean, bar the addition of the CK_PROFILE_ID
hack. I'll approve this and then post a backport of JDK-8244154 after
rampdown next week. It was already on my TODO list to look at this.

I'm not happy about how close to rampdown this has been left though,
especially as this is a new patch.

Please don't let it happen again.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

More information about the jdk8u-dev mailing list