From e10d5707c9b1e54426f5f911ffcfe43f1a2e5354 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fridrich=20=C5=A0trba?=
Date: Fri, 10 Feb 2023 23:24:36 +0100
Subject: [PATCH 1/2] Avoid calling C_GetInfo() too early, before cryptoki is initialized
---
 .../share/classes/sun/security/pkcs11/wrapper/PKCS11.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5fbf8addcba66..5bba69410bd13 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -153,7 +153,7 @@ public static void loadNative() {
 throws IOException, PKCS11Exception {
 connect(pkcs11ModulePath, functionListName);
 this.pkcs11ModulePath = pkcs11ModulePath;
- pInfo = C_GetInfo();
+ pInfo = null;
 }

 /*
@@ -215,6 +215,12 @@ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
 * C_GetInfo. This structure represent Cryptoki library information.
 */
 public CK_INFO getInfo() {
+ if (pInfo == null) {
+ try {
+ pInfo = C_GetInfo();
+ } catch (PKCS11Exception e) {
+ }
+ }
 return pInfo;
 }

From 658f03f7e380a159883011d10128a186b40e2714 Mon Sep 17 00:00:00 2001
From: Martin Balao
Date: Mon, 27 Feb 2023 22:06:05 -0500
Subject: [PATCH 2/2] RH2173781: C_GetInfo can throw an exception if called before initialization in some PKCS #11 tokens
---
 .../security/pkcs11/P11SecretKeyFactory.java | 8 ++++---
 .../sun/security/pkcs11/wrapper/PKCS11.java | 21 ++++++++++++-------
 2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
index 950ed20cf628d..7ea9b4c5e7f61 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
@@ -220,9 +220,11 @@ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo)
 }

 if (kdfData.kdfMech == CKM_PKCS5_PBKD2) {
- CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion;
- if (P11Util.isNSS(token) || p11Ver.major < 2 ||
- p11Ver.major == 2 && p11Ver.minor < 40) {
+ CK_INFO p11Info = token.p11.getInfo();
+ CK_VERSION p11Ver = (p11Info != null ? p11Info.cryptokiVersion
+ : null);
+ if (P11Util.isNSS(token) || p11Ver != null && (p11Ver.major <
+ 2 || p11Ver.major == 2 && p11Ver.minor < 40)) {
 // NSS keeps using the old structure beyond PKCS #11 v2.40
 ckMech = new CK_MECHANISM(kdfData.kdfMech,
 new CK_PKCS5_PBKD2_PARAMS(password, salt,
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5bba69410bd13..d796aaa307506 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -116,7 +116,7 @@ public static void loadNative() {

 private long pNativeData;

- private CK_INFO pInfo;
+ private volatile CK_INFO pInfo;

 /**
 * This method does the initialization of the native library. It is called
@@ -153,7 +153,6 @@ public static void loadNative() {
 throws IOException, PKCS11Exception {
 connect(pkcs11ModulePath, functionListName);
 this.pkcs11ModulePath = pkcs11ModulePath;
- pInfo = null;
 }

 /*
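Review bot: In derivePBEKey (P11SecretKeyFactory.java), a null result from getInfo() leaves `p11Ver` null and makes the new condition false for every non-NSS token, so an unknown Cryptoki version is silently handled the same way as 2.40 or newer. The branch taken in that case lies outside the hunk; I assume it builds the newer PBKD2 parameter structure, which an older module may not accept. A comment above the `if`, such as `// Version unknown (getInfo() returned null): assume PKCS #11 v2.40+ parameters`, would make that default a visible decision. The condition also mixes `||` and `&&` across a line break, and reads more safely as `P11Util.isNSS(token) || (p11Ver != null && (...))`.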
@@ -215,13 +214,21 @@ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
 * C_GetInfo. This structure represent Cryptoki library information.
 */
 public CK_INFO getInfo() {
- if (pInfo == null) {
- try {
- pInfo = C_GetInfo();
- } catch (PKCS11Exception e) {
+ CK_INFO lPInfo = pInfo;
+ if (lPInfo == null) {
+ synchronized (this) {
+ lPInfo = pInfo;
+ if (lPInfo == null) {
+ try {
+ lPInfo = C_GetInfo();
+ pInfo = lPInfo;
+ } catch (PKCS11Exception e) {
+ // Some PKCS #11 tokens require initialization first.
+ }
+ }
 }
 }
- return pInfo;
+ return lPInfo;
 }

 /**
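Review bot: The catch in getInfo() discards every PKCS11Exception, not only the "initialization first" case its comment names, so a failing module and an uninitialized one both produce a null return with no trace. Returning null is now part of the method's contract, but the Javadoc above it (which starts outside the hunk) does not say so; I would add `@return the Cryptoki library information, or {@code null} if C_GetInfo failed, e.g. because the library is not initialized yet`. Only the P11SecretKeyFactory caller is updated in this series, so any other caller of getInfo() needs the same null check. If the wrapper's constants are in scope here, the handler could ignore only `e.getErrorCode() == CKR_CRYPTOKI_NOT_INITIALIZED` and report other codes through whatever debug output the class has. As written, a failed call is retried under the lock on every invocation, which is worth a comment if intended.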