Integrated: 8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit

Prajwal Kumaraswamy pkumaraswamy at openjdk.org
Mon May 13 16:13:08 UTC 2024 

On Thu, 21 Mar 2024 09:23:43 GMT, Prajwal Kumaraswamy <pkumaraswamy at openjdk.org> wrote:

> This fix intends to eliminate additional library call to C_EncryptInit or C_DecryptInit for Ciphers running through the CKM_AES_GCM.
> 
> Background: 
> 
> There are two types of CK_GCM_PARAMS struct that are used, one with IV bits and the other without it.
> 
> Initially there was issue in NSS library, due to the struct being different in header and spec version.
> NSS was using version from header but Solaris and SoftHsm was using normative version from spec.
> To maintain compatibility Java used to try library call with non-normative (header) version first and then upon failure retrial was made with updated GCM struct with IV bits.
> 
> Note: Trying normative (spec) version first with NSS library results in JVM crash.
> 
> Refer below for more information:
> https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11gcm2.h#L36  
> 
> However NSS has fixed this to use normative/spec version since 3.52 which has spec version 2.40
> Solaris and SoftHSM was already complying to the version mentioned in spec 2.40
> 
> The fix now check if spec version is 2.40 and then makes library call with appropriate structure.
> 
> Internal testing is green, further I have done internal testing manually with NSS library 3.96, 3.76, 3.51 (non-normative spec), 3.52 and 3.53
> Results are attached [nss_logs.zip](https://github.com/openjdk/jdk/files/14692787/nss_logs.zip)
> 
> Our existing tests like sun/security/pkcs11/Cipher/TestKATForGCM.java already tests the functionality and I have used the same for internal testing

This pull request has now been integrated.

Changeset: 7c2c24fc
Author:    Prajwal Kumaraswamy <pkumaraswamy at openjdk.org>
Committer: Sean Coffey <coffeys at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/7c2c24fc0511b36132952c96be46eea5904a53c5
Stats:     242 lines in 5 files changed: 165 ins; 22 del; 55 mod

8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit

Reviewed-by: djelinski, valeriep, coffeys

-------------

PR: https://git.openjdk.org/jdk/pull/18425

More information about the security-dev mailing list