RFR: JDK-6676643: Improve current C_GetAttributeValue native implementation
Valerie Peng
valeriep at openjdk.java.net
Tue Apr 27 18:39:35 UTC 2021
On Tue, 27 Apr 2021 04:31:42 GMT, Greg Rubin <github.com+829871+SalusaSecondus at openjdk.org> wrote:
>> Anyone can help review this somewhat trivial fix? The main change is inside src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c. This is to help better troubleshooting by reporting the type of unavailable attributes in PKCS11 exception message when C_GetAttributeValue(...) call failed. The java file changes are just cleanup for consolidating the CKR_* constants definition into PKCS11Exception class.
>>
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c line 252:
>
>> 250:
>> 251: if (rv != CKR_OK) {
>> 252: if (rv == CKR_ATTRIBUTE_SENSITIVE || rv == CKR_ATTRIBUTE_TYPE_INVALID) {
>
> According to the PKCS#11v2.40 spec, `CKR_BUFFER_TOO_SMALL` should be handled in the same special ways as these too (in that it isn't a "true error").
For this particular call, the pValue field is null, it's meant to query the exact length of the specified attribute. Thus, CKR_BUFFER_TOO_SMALL should not be returned.
Afterwards, we then allocate the buffer based on this queried result, so CKR_BUFFER_TOO_SMALL should also not occur.
So, based on the current API usage, CKR_BUFFER_TOO_SMALL should not happen.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3709
More information about the security-dev
mailing list