RFR 6913047: SunPKCS11 memory leak

Valerie Peng valerie.peng at oracle.com
Wed Aug 8 00:41:55 UTC 2018 

Hi Martin,

Thanks for the update, I will resume the review on this one with your 
latest webrev.

BTW, there is no webrev.07 for your other fix, i.e. JDK-8029661, right? 
Just checking.

Regards,
Valerie

On 8/3/2018 2:13 PM, Martin Balao wrote:
> Hi Valerie,
>
>  * 
> http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/ 
> <http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10/>
>  * 
> http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip 
> <http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10.zip>
>
> New in webrev 10:
>
>  * Bug fix when private DSA/EC keys are sensitive
>   * I found this bug removing "attributes = compatibility" entry in 
> NSS configuration file so keys were CKA_SENSITIVE.
>   * This is really an NSS bug when unwrapping ephemeral keys 
> (NSC_UnwrapKey function), because CKA_NETSCAPE_DB attribute is 
> required but not used/needed. There was a similar bug when creating 
> objects (NSC_CreateObject function), fixed many years ago [1].
>   * In those cases in which the bug occurs (private keys, of DSA/EC 
> type, sensitive and without CKA_NETSCAPE_DB attribute set), I store an 
> empty CKA_NETSCAPE_DB attribute in the buffer that will later be used 
> for key unwrapping. I'm not doing a C_SetAttributeValue call because 
> keys are read-only. We can let users set CKA_NETSCAPE_DB attribute in 
> NSS configuration file [2] but this would be a workaround on users side.
>   * Changes in:
>    * p11_keymgmt.c
>     * L175-187, L212-214 and L275-278
>
>  * Bug fix when storing sensitive RSA keys in a keystore
>   * CKA_NETSCAPE_DB attribute is not needed so we return it as null 
> (instead of failing with an "Invalid algorithm" message)
>   * Changes in:
>    * P11KeyStore.java
>     * L1909-1914
>
>  * Lines length was cut to improve code readability
>
> Regression tests on jdk/sun/security/pkcs11 category passed. I ran my 
> internal test suite too, that covers the following services (with 
> SunPKCS11 provider): Cipher, Signature, KeyAgreement, Digest, Mac, 
> KeyGenerator, KeyPairGenerator and Keystore.
>
> Kind regards,
> Martin.-
>
> --
> [1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6>
> [2] - 
> https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml 
> <https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180807/4f915e41/attachment.htm>

More information about the security-dev mailing list