8255409: Support the new C_GetInterfaceList, C_GetInterface, and C_SessionCancel APIs in PKCS#11 v3.0 #6655
Conversation
|
|
|
@valeriepeng The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
| @@ -409,65 +415,89 @@ private void parse() throws IOException { | |||
| throw excToken("Unexpected token:"); | |||
| } | |||
| String word = st.sval; | |||
| if (word.equals("name")) { | |||
| switch (word) { | |||
There was a problem hiding this comment.
Since every case has a break it's probably better to use the enhanced switch (case "x" -> ...;). It's safer and also saves quite some lines. An IDE can help you with the conversion.
There was a problem hiding this comment.
Sure, I can do that. I tend to use the "->" for switch with less items.
There was a problem hiding this comment.
According to JEP 361, the preferred style is to write the statement (if there is only a single line) on the same line as the case label, so you save another one line.
| @@ -401,8 +401,27 @@ private void implInit(int opmode, Key key, byte[] iv, int tagLen, | |||
| } | |||
|
|
|||
| private void cancelOperation() { | |||
| // cancel operation by finishing it; avoid killSession as some | |||
| // hardware vendors may require re-login | |||
There was a problem hiding this comment.
The new cancelOperation() methods seems identical everywhere. Is it possible to consolidate it to a helper method like trySessionCancel(token, session, flags)? It can return true if canceled successfully, false if needs a fallback, and can still throw a ProviderException.
There was a problem hiding this comment.
I assume you mean the if-() block of code? I can move the code into a helper method inside the P11Util class.
There was a problem hiding this comment.
Yes, just keep duplicated lines as few as possible.
| // cancel operation by finishing it; avoid killSession as some | ||
| // hardware vendors may require re-login | ||
| if (token.p11.getVersion().major == 3) { | ||
| long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY); |
There was a problem hiding this comment.
I think this is a syntax nit with no space between M_SIGN and '?'
| token.ensureValid(); | ||
|
|
||
| if (token.p11.getVersion().major == 3) { | ||
| long flags = (opmode == Cipher.ENCRYPT_MODE? CKF_ENCRYPT : |
There was a problem hiding this comment.
I think this is a syntax nit with no space between MODE and '?'
| // cancel operation by finishing it; avoid killSession as some | ||
| // hardware vendors may require re-login | ||
| if (token.p11.getVersion().major == 3) { | ||
| long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT); |
There was a problem hiding this comment.
I think this is a syntax nit with no space between "encrypt" and '?'
| // hardware vendors may require re-login | ||
| token.ensureValid(); | ||
| if (token.p11.getVersion().major == 3) { | ||
| long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT); |
There was a problem hiding this comment.
I think this is a syntax nit with no space between "encrypt" and '?'
| // hardware vendors may require re-login | ||
|
|
||
| if (token.p11.getVersion().major == 3) { | ||
| long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY); |
There was a problem hiding this comment.
Ok. BTW, is there a central place for these syntax? I usually just pick up the convention used in the same file.
|
I updated my comments because I neglected to read your initial message and went straight to the code review |
Recall there was a bug filed for updating the artifactory NSS version. There was some window build issue, will follow up with the SQE RE again. |
| if (token.p11.getVersion().major == 3) { | ||
| try { | ||
| token.p11.C_SessionCancel(session.id(), flags); | ||
| status = true; |
There was a problem hiding this comment.
Or you can just return true here and return false at the end.
| } | ||
|
|
||
| // only used by cancelOperation(); cancel by finishing operations | ||
| // avoid killSession as some hardware vendors may require re-login |
There was a problem hiding this comment.
Since this method is only called once, maybe we can inline it back inside cancelOperation()?
| @@ -186,11 +203,14 @@ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, | |||
| * native part. | |||
| * | |||
| * @param pkcs11ModulePath The PKCS#11 library path. | |||
| * @param functionList the method name for retrieving the PKCS#11 | |||
| * function list; maybe null if not set in config file | |||
There was a problem hiding this comment.
Sure. Will fix both of the "maybe" s in this file.
valeriepeng
changed the title
| @@ -351,7 +378,7 @@ JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationSt | |||
|
|
|||
| free(ckpState); | |||
|
|
|||
| if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } | |||
| ckAssertReturnValueOK(env, rv); | |||
There was a problem hiding this comment.
Are you going to apply this change to other places? I see 2 new functions still using the old style.
There was a problem hiding this comment.
Sure, I can change the other 2 places.
| ckPinLength); | ||
| free(ckpPinArray); | ||
|
|
||
| if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } |
There was a problem hiding this comment.
Given you changed line 381 to not be in a condition, I would assume this could be the same.
|
|
||
| free(ckpPinArray); | ||
| free(ckpUsername); | ||
|
|
||
| if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } |
|
@valeriepeng This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 170 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
|
|
/integrate |
|
Going to push as commit 83e6a4c.
Your commit was automatically rebased without conflicts. |
openjdk
bot
added
integrated
|
@valeriepeng Pushed as commit 83e6a4c. |
PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later.
I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
Thanks,
Valerie
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6655/head:pull/6655$ git checkout pull/6655Update a local copy of the PR:
$ git checkout pull/6655$ git pull https://git.openjdk.java.net/jdk pull/6655/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6655View PR using the GUI difftool:
$ git pr show -t 6655Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6655.diff