|
|
605045 |
# HG changeset patch
|
|
|
605045 |
# User igerasim
|
|
|
605045 |
# Date 1528992969 25200
|
|
|
605045 |
# Thu Jun 14 09:16:09 2018 -0700
|
|
|
605045 |
# Node ID d9b0b4bd2526818afa73b60da77403245554caa8
|
|
|
605045 |
# Parent 1f4b038b9550afaf88a70cee4cf9c1422ecd86d6
|
|
|
605045 |
8203182, PR3603: Release session if initialization of SunPKCS11 Signature fails
|
|
|
605045 |
Summary: Ensure session is properly released in P11Signature class
|
|
|
605045 |
Reviewed-by: valeriep
|
|
|
605045 |
Contributed-by: Martin Balao <mbalao@redhat.com>
|
|
|
605045 |
|
|
|
605045 |
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
605045 |
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
605045 |
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
|
|
|
605045 |
@@ -309,47 +309,51 @@
|
|
|
605045 |
session = token.killSession(session);
|
|
|
605045 |
return;
|
|
|
605045 |
}
|
|
|
605045 |
- // "cancel" operation by finishing it
|
|
|
605045 |
- // XXX make sure all this always works correctly
|
|
|
605045 |
- if (mode == M_SIGN) {
|
|
|
605045 |
- try {
|
|
|
605045 |
- if (type == T_UPDATE) {
|
|
|
605045 |
- token.p11.C_SignFinal(session.id(), 0);
|
|
|
605045 |
- } else {
|
|
|
605045 |
- byte[] digest;
|
|
|
605045 |
- if (type == T_DIGEST) {
|
|
|
605045 |
- digest = md.digest();
|
|
|
605045 |
- } else { // T_RAW
|
|
|
605045 |
- digest = buffer;
|
|
|
605045 |
+ try {
|
|
|
605045 |
+ // "cancel" operation by finishing it
|
|
|
605045 |
+ // XXX make sure all this always works correctly
|
|
|
605045 |
+ if (mode == M_SIGN) {
|
|
|
605045 |
+ try {
|
|
|
605045 |
+ if (type == T_UPDATE) {
|
|
|
605045 |
+ token.p11.C_SignFinal(session.id(), 0);
|
|
|
605045 |
+ } else {
|
|
|
605045 |
+ byte[] digest;
|
|
|
605045 |
+ if (type == T_DIGEST) {
|
|
|
605045 |
+ digest = md.digest();
|
|
|
605045 |
+ } else { // T_RAW
|
|
|
605045 |
+ digest = buffer;
|
|
|
605045 |
+ }
|
|
|
605045 |
+ token.p11.C_Sign(session.id(), digest);
|
|
|
605045 |
}
|
|
|
605045 |
- token.p11.C_Sign(session.id(), digest);
|
|
|
605045 |
+ } catch (PKCS11Exception e) {
|
|
|
605045 |
+ throw new ProviderException("cancel failed", e);
|
|
|
605045 |
}
|
|
|
605045 |
- } catch (PKCS11Exception e) {
|
|
|
605045 |
- throw new ProviderException("cancel failed", e);
|
|
|
605045 |
+ } else { // M_VERIFY
|
|
|
605045 |
+ try {
|
|
|
605045 |
+ byte[] signature;
|
|
|
605045 |
+ if (keyAlgorithm.equals("DSA")) {
|
|
|
605045 |
+ signature = new byte[40];
|
|
|
605045 |
+ } else {
|
|
|
605045 |
+ signature = new byte[(p11Key.length() + 7) >> 3];
|
|
|
605045 |
+ }
|
|
|
605045 |
+ if (type == T_UPDATE) {
|
|
|
605045 |
+ token.p11.C_VerifyFinal(session.id(), signature);
|
|
|
605045 |
+ } else {
|
|
|
605045 |
+ byte[] digest;
|
|
|
605045 |
+ if (type == T_DIGEST) {
|
|
|
605045 |
+ digest = md.digest();
|
|
|
605045 |
+ } else { // T_RAW
|
|
|
605045 |
+ digest = buffer;
|
|
|
605045 |
+ }
|
|
|
605045 |
+ token.p11.C_Verify(session.id(), digest, signature);
|
|
|
605045 |
+ }
|
|
|
605045 |
+ } catch (PKCS11Exception e) {
|
|
|
605045 |
+ // will fail since the signature is incorrect
|
|
|
605045 |
+ // XXX check error code
|
|
|
605045 |
+ }
|
|
|
605045 |
}
|
|
|
605045 |
- } else { // M_VERIFY
|
|
|
605045 |
- try {
|
|
|
605045 |
- byte[] signature;
|
|
|
605045 |
- if (keyAlgorithm.equals("DSA")) {
|
|
|
605045 |
- signature = new byte[40];
|
|
|
605045 |
- } else {
|
|
|
605045 |
- signature = new byte[(p11Key.length() + 7) >> 3];
|
|
|
605045 |
- }
|
|
|
605045 |
- if (type == T_UPDATE) {
|
|
|
605045 |
- token.p11.C_VerifyFinal(session.id(), signature);
|
|
|
605045 |
- } else {
|
|
|
605045 |
- byte[] digest;
|
|
|
605045 |
- if (type == T_DIGEST) {
|
|
|
605045 |
- digest = md.digest();
|
|
|
605045 |
- } else { // T_RAW
|
|
|
605045 |
- digest = buffer;
|
|
|
605045 |
- }
|
|
|
605045 |
- token.p11.C_Verify(session.id(), digest, signature);
|
|
|
605045 |
- }
|
|
|
605045 |
- } catch (PKCS11Exception e) {
|
|
|
605045 |
- // will fail since the signature is incorrect
|
|
|
605045 |
- // XXX check error code
|
|
|
605045 |
- }
|
|
|
605045 |
+ } finally {
|
|
|
605045 |
+ session = token.releaseSession(session);
|
|
|
605045 |
}
|
|
|
605045 |
}
|
|
|
605045 |
|
|
|
605045 |
@@ -368,6 +372,8 @@
|
|
|
605045 |
}
|
|
|
605045 |
initialized = true;
|
|
|
605045 |
} catch (PKCS11Exception e) {
|
|
|
605045 |
+ // release session when initialization failed
|
|
|
605045 |
+ session = token.releaseSession(session);
|
|
|
605045 |
throw new ProviderException("Initialization failed", e);
|
|
|
605045 |
}
|
|
|
605045 |
if (bytesProcessed != 0) {
|
|
|
605045 |
@@ -529,6 +535,8 @@
|
|
|
605045 |
}
|
|
|
605045 |
bytesProcessed += len;
|
|
|
605045 |
} catch (PKCS11Exception e) {
|
|
|
605045 |
+ initialized = false;
|
|
|
605045 |
+ session = token.releaseSession(session);
|
|
|
605045 |
throw new ProviderException(e);
|
|
|
605045 |
}
|
|
|
605045 |
break;
|
|
|
605045 |
@@ -576,6 +584,8 @@
|
|
|
605045 |
bytesProcessed += len;
|
|
|
605045 |
byteBuffer.position(ofs + len);
|
|
|
605045 |
} catch (PKCS11Exception e) {
|
|
|
605045 |
+ initialized = false;
|
|
|
605045 |
+ session = token.releaseSession(session);
|
|
|
605045 |
throw new ProviderException("Update failed", e);
|
|
|
605045 |
}
|
|
|
605045 |
break;
|