RFR: JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
Valerie Peng
valeriep at openjdk.org
Thu Jul 21 22:14:02 UTC 2022
On Tue, 19 Jul 2022 13:14:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:
> The issue https://bugs.openjdk.org/browse/JDK-8282538 gave an example of the following PKCS11 exception (see attached jtr files of that bug):
>
> .... Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: 0xCE534351
>
> Unfortunately the error code 0xCE534351 is currently not in the RV/errorMap table of PKCS11Exception. That's why we get this
> hex code and no more descriptive output; this could be improved.
PKCS11Exception objects are constructed by PKCS#11 JNI code and vendor info is not readily available there. One easy compromise is to keep the hex error code value but append the string form when there is a match, i.e.
+ public static enum RV_VENDOR {
+ // NSS
+ CKR_NSS_CERTDB_FAILED(0xCE534351L),
+ CKR_NSS_KEYDB_FAILED(0xCE534352L);
+
+ private final long value;
+
+ RV_VENDOR(long value) {
+ this.value = value;
+ }
+ };
+
private static String lookup(long errorCode) {
for (RV r : RV.values()) {
if (r.value == errorCode) {
return r.name();
}
}
- // for unknown PKCS11 return values, just use hex as its string
- return "0x" + Functions.toFullHexString((int)errorCode);
+ // for unknown PKCS11 return values, use hex as its string
+ String res = "0x" + Functions.toFullHexString((int)errorCode);
+ // for vendor-defined values, check the enum for vendors and include
+ // potential matches
+ if ((errorCode & 0x80000000L) != 0) {
+ // for unknown PKCS11 return values, just use hex as its string
+ for (RV_VENDOR r : RV_VENDOR.values()) {
+ if (r.value == errorCode) {
+ res += ("(" + r.name() + ")");
+ break;
+ }
+ }
+ }
+ return res;
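Review bot: The comment inside the new `if ((errorCode & 0x80000000L) != 0)` block ("for unknown PKCS11 return values, just use hex as its string") is a leftover copy of the removed line and does not describe the RV_VENDOR loop that follows it. Drop it, since the two-line comment above the `if` already explains the branch. In the same block, `res += ("(" + r.name() + ")")` appends the name directly onto the hex string with no separator; a space before the opening parenthesis would be easier to read in a stack trace. The mask 0x80000000L would be clearer as a named constant, and the `;` after the closing brace of the RV_VENDOR enum is redundant.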
This way, even if the vendor is not NSS, the original return value is still available for callers.
Just my .02.
-------------
PR: https://git.openjdk.org/jdk/pull/9555