Re: RFR 6913047: SunPKCS11 memory leak

Tue, 07 Aug 2018 17:43:08 -0700 

Hi Martin,
Thanks for the update, I will resume the review on this one with your latest webrev. 


BTW, there is no webrev.07 for your other fix, i.e. JDK-8029661, right? 
Just checking.


Regards,
Valerie

On 8/3/2018 2:13 PM, Martin Balao wrote:

Hi Valerie,


 * 
http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/ 
<http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10/>
 * 
http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip 
<http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10.zip>


New in webrev 10:

 * Bug fix when private DSA/EC keys are sensitive

  * I found this bug removing "attributes = compatibility" entry in 
NSS configuration file so keys were CKA_SENSITIVE.
  * This is really an NSS bug when unwrapping ephemeral keys 
(NSC_UnwrapKey function), because CKA_NETSCAPE_DB attribute is 
required but not used/needed. There was a similar bug when creating 
objects (NSC_CreateObject function), fixed many years ago [1].
  * In those cases in which the bug occurs (private keys, of DSA/EC 
type, sensitive and without CKA_NETSCAPE_DB attribute set), I store an 
empty CKA_NETSCAPE_DB attribute in the buffer that will later be used 
for key unwrapping. I'm not doing a C_SetAttributeValue call because 
keys are read-only. We can let users set CKA_NETSCAPE_DB attribute in 
NSS configuration file [2] but this would be a workaround on users side.

  * Changes in:
   * p11_keymgmt.c
    * L175-187, L212-214 and L275-278

 * Bug fix when storing sensitive RSA keys in a keystore

  * CKA_NETSCAPE_DB attribute is not needed so we return it as null 
(instead of failing with an "Invalid algorithm" message)

  * Changes in:
   * P11KeyStore.java
    * L1909-1914

 * Lines length was cut to improve code readability


Regression tests on jdk/sun/security/pkcs11 category passed. I ran my 
internal test suite too, that covers the following services (with 
SunPKCS11 provider): Cipher, Signature, KeyAgreement, Digest, Mac, 
KeyGenerator, KeyPairGenerator and Keystore.


Kind regards,
Martin.-

--

[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6 
<https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6>
[2] - 
https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml 
<https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml>


























					Reply via email to