RFR: 8258833: Cancel multi-part cipher operations in SunPKCS11 after failures [v7]

Martin Balao mbalao at openjdk.java.net
Wed Jan 20 13:55:48 UTC 2021

On Wed, 20 Jan 2021 13:47:13 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> When a multi-part cipher operation fails in SunPKCS11 (i.e. because of an invalid block size), we now cancel the operation before returning the underlying Session to the Session Manager. This allows the returned Session to be used for a different purpose. Otherwise, a CKR_OPERATION_ACTIVE error would be raised from the PKCS#11 library.
>> The jdk/sun/security/pkcs11/Cipher/CancelMultipart.java regression test is introduced as part of this PR.
>> No regressions found in jdk/sun/security/pkcs11.
> Martin Balao has updated the pull request incrementally with two additional commits since the last revision:
>  - Align doCancel pattern in 'P11Cipher::implDoFinal(byte[]..' to 'P11Cipher::implDoFinal(ByteBuffer..'. Better documentation in P11Cipher. Copyright date updated.
>  - Copyright dates updated to 2021 on modified files

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 793:

> 791:                 // only after this point. See JDK-8258833 for further
> 792:                 // information.
> 793:                 doCancel = false;

@valeriepeng I made a code change here so I'd like you to have a final look and validate. I'm just aligning the 'P11Cipher::implDoFinal(byte[]..' function to 'P11Cipher::implDoFinal(ByteBuffer..'. The rationale is that 'doFalse = false' can be placed before the C_EncryptFinal call because any error on it does not require a cancel (it already cancels the operation).

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 812:

> 810:                     // only after this point. See JDK-8258833 for further
> 811:                     // information.
> 812:                     doCancel = false;

Same comment as for line 793 of P11Cipher

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 820:

> 818:                     System.arraycopy(padBuffer, 0, out, outOfs, k);
> 819:                 } else {
> 820:                     doCancel = false;

Same comment as for line 793 of P11Cipher


PR: https://git.openjdk.java.net/jdk/pull/1901
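
The session-reuse failure and the doCancel pattern discussed above, as an added example that is not part of the original message and is not SunPKCS11 code. FakeSession, encrypt and cancelOnFailure are hypothetical names; the model assumes one active operation per session and, as the message states, that the final call ends the operation even when it fails.

```java
// Added illustration: a constructed stand-in for a PKCS#11 session, not JDK code.
public class CancelMultipartDemo {
    static final int BLOCK = 16;

    /** Hypothetical token session that allows one active operation at a time. */
    static class FakeSession {
        private boolean active;
        void encryptInit() {
            if (active) throw new IllegalStateException("CKR_OPERATION_ACTIVE");
            active = true;
        }
        void encryptUpdate(int len) { /* operation stays active after an update */ }
        void encryptFinal(int totalLen) {
            active = false; // the final call terminates the operation, error or not
            if (totalLen % BLOCK != 0) throw new IllegalStateException("CKR_DATA_LEN_RANGE");
        }
        void cancel() { active = false; }
    }

    /** Returns "ok" or the error name. cancelOnFailure=false models the old behaviour. */
    static String encrypt(FakeSession s, int inLen, int outCap, boolean cancelOnFailure) {
        boolean doCancel = false;
        try {
            s.encryptInit();
            doCancel = cancelOnFailure;   // from here on a failure leaves the token busy
            s.encryptUpdate(inLen);
            // Caller-side check that fails while the token operation is still active.
            if (outCap < inLen) throw new IllegalStateException("short output buffer");
            doCancel = false;             // safe before final: final ends the operation itself
            s.encryptFinal(inLen);
            return "ok";
        } catch (IllegalStateException e) {
            return e.getMessage();
        } finally {
            if (doCancel) s.cancel();     // release the operation before the session is reused
        }
    }

    public static void main(String[] args) {
        for (boolean fix : new boolean[] {false, true}) {
            FakeSession s = new FakeSession();        // one session, reused as a pool would
            String first = encrypt(s, 32, 16, fix);   // fails before the final call
            String second = encrypt(s, 32, 32, fix);  // unrelated, valid operation
            System.out.println("cancel=" + fix + " first=" + first + " second=" + second);
        }
    }
}
```

Without the cancel, the second, valid operation on the reused session is rejected with CKR_OPERATION_ACTIVE; with it, the same call succeeds.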
