RFR: 8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod

Valerie Peng valeriep at openjdk.java.net
Tue May 4 22:21:53 UTC 2021


On Fri, 23 Apr 2021 19:32:35 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> Hi,
> 
> Please find in this PR a proposal to fix JDK-8265462 [1].
> 
> With this fix, OpenJDK will only use the known slot IDs for the NSS Internal Module. If the NSS Internal Module has more slots (for example, as a result of an initialization sequence such as the one triggered from the libnsssysinit.so library), they will be ignored. The goal is to handle multiple-slots scenarios while keeping OpenJDK's previous behavior.
> 
> No regressions observed in the jdk/sun/security/pkcs11 tests category.
> 
> A new regression test was not added as part of this changeset because of its complexity. It would depend on a specific NSS configuration, or the NSS library would need to be mocked. I've done manual testing in my environment and JDK-8265462 [1] has further information about it.
> 
> Thanks,
> Martin.-
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8265462

src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h line 112:

> 110: #define NETSCAPE_SLOT_ID 1
> 111: #define PRIVATE_KEY_SLOT_ID 2
> 112: #define FIPS_SLOT_ID 3

These NSS specific defines is better off to be placed in a separate header file for ease of maintenance. In the past when PKCS#11 version is updated, we just drop the latest header files in and replace existing ones. Why not adding them to  to j2secmod.h or pkcs11wrapper.h?

-------------

PR: https://git.openjdk.java.net/jdk/pull/3661


More information about the security-dev mailing list