RFR: 8367024: JNI exception pending in Java_sun_security_pkcs11_wrapper_PKCS11_C_1DeriveKey of p11_keymgmt.c:950
Daniel Jeliński
djelinski at openjdk.org
Wed Jan 7 08:46:38 UTC 2026
On Tue, 6 Jan 2026 04:20:18 GMT, Koushik Muthukrishnan Thirupattur <duke at openjdk.org> wrote:
> The method ckAssertReturnValueOK will invoke ckAssertReturnValueOK2 which makes multiple calls to JNI functions, such as FindClass or GetMethodID. These calls would be unsafe as there may be a pending exception at this time.
> So adding an exception check to return immediately and not call any further JNI functions when there is an exception pending.
src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c line 963:
> 961: goto cleanup;
> 962: }
> 963: if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
I think we should move this assertion right after the C_DeriveKey call above instead. No point in copying the keys if derivation fails.
Also, please update the copyright year.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29054#discussion_r2667542638