RFR: 8255409: Support the new APIs in PKCS#11 v3.0

Anthony Scarpino ascarpino at openjdk.java.net
Mon Dec 6 18:53:13 UTC 2021 

On Wed, 1 Dec 2021 21:42:51 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
> 
> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
> 
> Thanks,
> Valerie

Are there no tests because there is no support for 3.0 in nss?

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 406:

> 404:         token.ensureValid();
> 405:         if (token.p11.getVersion().major == 3) {
> 406:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);

I think this is a syntax nit with no space between "encrypt" and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 449:

> 447:         token.ensureValid();
> 448:         if (token.p11.getVersion().major == 3) {
> 449:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);

I think this is a syntax nit with no space between "encrypt" and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 291:

> 289: 
> 290:         if (token.p11.getVersion().major == 3) {
> 291:             long flags = (opmode == Cipher.ENCRYPT_MODE? CKF_ENCRYPT :

I think this is a syntax nit with no space between MODE and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java line 275:

> 273: 
> 274:         if (token.p11.getVersion().major == 3) {
> 275:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);

I think this is a syntax nit with no space between M_SIGN and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java line 285:

> 283: 
> 284:         if (token.p11.getVersion().major == 3) {
> 285:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);

M_SIGN ? ...

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java line 558:

> 556:             throws PKCS11Exception;
> 557: 
> 558:     ///**

Was it intentional to have the below commented out?

src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.c line 128:

> 126:     }
> 127: 
> 128: #ifdef DEBUG

Is C_GetInterfaceList in DEBUG only because it's a new 3.0 function we are not supporting yet?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

More information about the security-dev mailing list