RFR: 8301553: Support Password-Based Cryptography in SunPKCS11

[Martin Balao]

On Thu, 16 Feb 2023 04:52:57 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java line 165:
>> 
>>> 163:                 getInfo();
>>> 164:                 this.version.major = pInfo.cryptokiVersion.major;
>>> 165:                 this.version.minor = pInfo.cryptokiVersion.minor;
>> 
>> Now that you added getInfo(), then the C_GetInfo() could be made private, so that all callers can just leverage getInfo(), right?
>
> Right! We will make C_GetInfo private and delete the overload in SynchronizedPKCS11 for the next iteration.

We have analyzed this issue further and think that we need one more iteration. It's possible that the constructor of PKCS11 finishes with PKCS11::pInfo in null. In fact, it's very likely to happen and PKCS11::getInfo is not multi-thread safe. The second problem is that it's possible that a SyncrhonizedPKCS11 instance ends up calling a non-synchronized version of PKCS11::C_GetInfo, if we remove the override. The reason why we added PKCS11::getInfo in the first place was because PKCS11::getVersion is not currently available in 17u —where this feature was originally developed— and there were 2 calls to PKCS11::C_GetInfo. We can safely undo the PKCS11::getInfo change and call PKCS11::getVersion in P11SecretKeyFactory::derivePBEKey.

-------------

PR: https://git.openjdk.org/jdk/pull/12396