RFR: 8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
Valerie Peng
valeriep at openjdk.java.net
Tue May 4 23:29:53 UTC 2021
On Fri, 23 Apr 2021 19:32:35 GMT, Martin Balao <mbalao at openjdk.org> wrote:
> Hi,
>
> Please find in this PR a proposal to fix JDK-8265462 [1].
>
> With this fix, OpenJDK will only use the known slot IDs for the NSS Internal Module. If the NSS Internal Module has more slots (for example, as a result of an initialization sequence such as the one triggered from the libnsssysinit.so library), they will be ignored. The goal is to handle multiple-slots scenarios while keeping OpenJDK's previous behavior.
>
> No regressions observed in the jdk/sun/security/pkcs11 tests category.
>
> A new regression test was not added as part of this changeset because of its complexity. It would depend on a specific NSS configuration, or the NSS library would need to be mocked. I've done manual testing in my environment and JDK-8265462 [1] has further information about it.
>
> Thanks,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8265462
Here are some comments. Rest looks fine. Thanks. Valerie
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java line 81:
> 79:
> 80: private final static int FIPS_SLOT_ID = 0x3;
> 81:
Add a comment on where these are defined on the native side, i.e. which sunpkcs11 header file as well as the NSS header, just in case?
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java line 415:
> 413: } else {
> 414: throw new RuntimeException("Unexpected slot ID in the" +
> 415: " NSS Internal Module");
Add the slot ID to the exception message?
src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.h line 78:
> 76:
> 77: /* represent a pkcs#11 slot reference counted. */
> 78: struct PK11SlotInfoStr {
nit: add which nss header this is from.
src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.h line 166:
> 164: };
> 165:
> 166: struct SECMODModuleStr {
Same nit: add which nss header this is from.
-------------
PR: https://git.openjdk.java.net/jdk/pull/3661