8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0

[valeriepeng]

This PR fixes a problem regarding the usage of dlerror() where an earlier error message causes a premature error out. Added extra code to clear out earlier error message and made minor code refactoring.

No regression test as this can't be reproduced using the NSS library from artifactory and thus the noreg-hard label.

Thanks!

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0 (Bug - P3)

Reviewers

• Daniel Jeliński (@djelinski - Reviewer)
• Weijun Wang (@wangweij - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18588/head:pull/18588
$ git checkout pull/18588

Update a local copy of the PR:
$ git checkout pull/18588
$ git pull https://git.openjdk.org/jdk.git pull/18588/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 18588

View PR using the GUI difftool:
$ git pr show -t 18588

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18588.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@valeriepeng This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8328785: IOException: Symbol not found: C_GetInterface for PKCS11 interface prior to V3.0

Reviewed-by: djelinski, weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 137 new commits pushed to the master branch:

• fbc1e66: 8328181: C2: assert(MaxVectorSize >= 32) failed: vector length should be >= 32
• a887fd2: 8316991: Reduce nullable allocation merges
• e702646: 8200566: DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails
• 7e5ef79: 8323116: [REDO] Computational test more than 2x slower when AVX instructions are used
• 9467720: 8329875: Serial: Move preservedMarks.inline.hpp to serialFullGC.cpp
• a4dd2e9: 8329766: Serial: Refactor SerialBlockOffsetTable API
• 212a253: 8329623: NegativeArraySizeException encoding large String to UTF-8
• dd930c5: 8329787: Fix typo in CLDRConverter
• 115f419: 8329659: Serial: Extract allowed_dead_ratio from ContiguousSpace
• 9ac3b77: 8329775: Serial: Remove unused declarations in serialFullGC.hpp
• ... and 127 more: https://git.openjdk.org/jdk/compare/892b8bb6d1725119e4c9ada8f2617c15f8af674e...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@valeriepeng The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 03: Full - Incremental (a2d9a5fa)
• 02: Full - Incremental (65daabff)
• 01: Full - Incremental (15729faa)
• 00: Full (66682f9b)

[djelinski]

Do we need an else goto cleanup here?

[valeriepeng]

Not really, the intention is to continue with the C_GetFunctionList (or the method named by "getFunctionListStr").

[djelinski]

if that's the intention, then you shouldn't be using ckAssertReturnValueOK, which throws an exception if rv is anything other than CK_ASSERT_OK

[valeriepeng]

Good point, I will change it.

[djelinski]

If this value ever gets used by ReleaseStringUTFChars, the failure will be spectacular 🍿

[valeriepeng]

We do have checks for jGetFunctionList != NULL before calling ReleaseStringUTFChars() with it. So, this shouldn't be an issue?

[djelinski]

this will be an issue if jGetFunctionList != NULL and dlopen fails, resulting in goto cleanup before getFunctionListStr is reassigned.

[valeriepeng]

Hmm, ok, I will change it. Thanks~

[djelinski]

LGTM. One nit, feel free to ignore.

[djelinski]

Would it make sense to move this check under if (C_GetFunctionList == NULL)? If C_GetFunctionList is non-null, do we care about the value of dlerror?

[valeriepeng]

Yes, makes sense, I'll change it.

[valeriepeng]

@djelinski Thanks much for the review!
I'll integrate once I got one more reviewer from my team.

[wangweij]

Just a small comment. The dlerror is only for debugging purpose but the code above looks like it is used to determine whether to goto cleanup.

How about this:

    if (C_GetFunctionList == NULL) {
        if ((systemErrorMessage = dlerror()) != NULL){
            p11ThrowIOException(env, systemErrorMessage);
        } else {
            TRACE1("Connect: No %s func\n", getFunctionListStr);
            p11ThrowIOException(env, "ERROR: C_GetFunctionList == NULL");
        }
        goto cleanup;
    }

Also, why is TRACE1 not called when dlerror is not NULL?

[valeriepeng]

Sure, thanks for the suggestion. I'll change and re-run the tests.

[valeriepeng]

/integrate

[openjdk]

Going to push as commit 6276789.
Since your change was applied there have been 163 commits pushed to the master branch:

• 316361b: 8328318: Wrong description in X509Extension.getExtensionValue method javadoc
• b80ba08: 8329967: Build failure after JDK-8329628
• 4bba445: 8325659: Normalize Random usage by incubator vector tests
• 6736792: 8329628: Additional changes after JDK-8329332
• 1e02a13: 8328614: hsdis: dlsym can't find decode symbol
• 23d161d: 8328630: Add logging when needed symbols in dll are missing.
• 2e925f2: 8329726: Use non-short forward jumps in lightweight locking
• e75e1cb: 8329955: Class-File API ClassPrinter does not print bootstrap methods arguments
• f9bc2db: 8325371: Missing ClassFile.Option in package summary
• a8fbeec: 8329956: G1: Remove unimplemented collection_set_candidate_short_type_str
• ... and 153 more: https://git.openjdk.org/jdk/compare/892b8bb6d1725119e4c9ada8f2617c15f8af674e...master

Your commit was automatically rebased without conflicts.

[openjdk]

@valeriepeng Pushed as commit 6276789.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.