RFR 6913047: SunPKCS11 memory leak

Martin Balao mbalao at redhat.com
Fri Aug 3 21:13:54 UTC 2018 

Hi Valerie,

 * http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/
 * http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip

New in webrev 10:

 * Bug fix when private DSA/EC keys are sensitive
  * I found this bug removing "attributes = compatibility" entry in NSS
configuration file so keys were CKA_SENSITIVE.
  * This is really an NSS bug when unwrapping ephemeral keys (NSC_UnwrapKey
function), because CKA_NETSCAPE_DB attribute is required but not
used/needed. There was a similar bug when creating objects
(NSC_CreateObject function), fixed many years ago [1].
  * In those cases in which the bug occurs (private keys, of DSA/EC type,
sensitive and without CKA_NETSCAPE_DB attribute set), I store an empty
CKA_NETSCAPE_DB attribute in the buffer that will later be used for key
unwrapping. I'm not doing a C_SetAttributeValue call because keys are
read-only. We can let users set CKA_NETSCAPE_DB attribute in NSS
configuration file [2] but this would be a workaround on users side.
  * Changes in:
   * p11_keymgmt.c
    * L175-187, L212-214 and L275-278

 * Bug fix when storing sensitive RSA keys in a keystore
  * CKA_NETSCAPE_DB attribute is not needed so we return it as null
(instead of failing with an "Invalid algorithm" message)
  * Changes in:
   * P11KeyStore.java
    * L1909-1914

 * Lines length was cut to improve code readability

Regression tests on jdk/sun/security/pkcs11 category passed. I ran my
internal test suite too, that covers the following services (with SunPKCS11
provider): Cipher, Signature, KeyAgreement, Digest, Mac, KeyGenerator,
KeyPairGenerator and Keystore.

Kind regards,
Martin.-

--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6
[2] - https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/
test/sun/security/pkcs11/fips/fips.cfg.shtml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180803/f3c1fc6f/attachment.htm>

More information about the security-dev mailing list