RFR: 8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding [v2]
Valerie Peng
valeriep at openjdk.java.net
Wed Apr 7 20:25:46 UTC 2021

On Tue, 6 Apr 2021 14:26:00 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 265:
>>
>>> 263: // NSS requires block-sized updates in multi-part operations.
>>> 264: reqBlockUpdates = ((tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
>>> 265: && tokenLabel[2] == 'S') ? true : false);
>>
>> IIRC, depending on how the impl is registered, engineSetPadding(String) may not always be called. It's probably safer to set this in engineInit(...)?
>
> Looks to me that engineSetPadding is always called from the P11Cipher constructor. I thought that was a good location to set the reqBlockUpdates variable because it's next to the paddingObj initialization, which is a prerequisite for reqBlockUpdates to be used. In other words, if we have no Java-side padding (paddingObj == null), reqBlockUpdates won't be used and we don't even pay the price of setting it.

Ok.

-------------
PR: https://git.openjdk.java.net/jdk/pull/2510