Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7001094

Can't initialize SunPKCS11 more times than PKCS11 driver maxSessionCount

    Details

    • Subcomponent:
    • Resolved In Build:
      b140
    • CPU:
      x86
    • OS:
      windows_xp
    • Verification:
      Not verified

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.6.0_22"
        Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
        Java HotSpot(TM) Client VM (build 17.1-b03, mixed mode, sharing)

        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows XP [Version 5.1.2600]

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        PKCS11 driver has limit for session count.

        A DESCRIPTION OF THE PROBLEM :
        After refactoring done in 1.6.0_21 in sun.security.pkcs11.SessionManager it is not possible to initialize SunPKCS11 provider more times than PKCS11 driver maxSessionCount limit. When initializing (maxLimitCount + 1) instance exception is thrown.

        In 1.6.0_20 or earlier this works fine.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Create in loop more than maxSessionCount (this is specific for PKCS11 driver). In maxSessionCounty + 1 loop exception is thrown.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        no exception is thrown
        ACTUAL -

        Exception in thread "main" java.security.ProviderException: Initialization failed
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:340)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90)
        at pl.unizeto.procertum.pkcs11.SunPkcs11BugTest.main(SunPkcs11BugTest.java:29)
        Caused by: java.security.ProviderException: Could not obtain session
        at sun.security.pkcs11.SessionManager.getOpSession(SessionManager.java:134)
        at sun.security.pkcs11.Token.<init>(Token.java:118)
        at sun.security.pkcs11.SunPKCS11.initToken(SunPKCS11.java:780)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:331)

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
                // Maximum session count supported by pkcs11 driver.
                // If you don't know what is the limit for your driver set it to 1000
                // or higher value.
                // If driver has no limit for session count this test works fine.
                int driverMaxSessions = 32;
                
                StringBuilder pkcs11Cfg = new StringBuilder();
                pkcs11Cfg.append("name = PKCS11\n");
                pkcs11Cfg.append("library = crypto3PKCS.dll");
                
                for(int i=0; i < driverMaxSessions + 1; i++) {
                
                    InputStream config = new ByteArrayInputStream(pkcs11Cfg.toString().getBytes());
                    
                    // fails with "java.security.ProviderException: Could not obtain session"
                    // when in (driverMaxSession + 1) loop on JRE 6u20 or later
                    SunPKCS11 provider = new sun.security.pkcs11.SunPKCS11(config);
                    provider.logout();
                }
        ---------- END SOURCE ----------

          Activity

          Hide
          valeriep Valerie Peng added a comment -
          BT2:EVALUATION

          The difference in behavior is due to the following bug fix:
              6918573: sun.security.pkcs11.P11RSACipher.finalize() is a scalability blocker
          which uses PhantomReference for proper session cleanup.

          The current impl keeps track of the number of sessions by counting the number of PhantomReferences of session objects. This has the problem of being too restrictive when there are more than one SunPKCS11 providers.

          To fix the problem, we'll have to revert back to keeping track of the number of sessions inside each SessionManager instance.
          Show
          valeriep Valerie Peng added a comment - BT2:EVALUATION The difference in behavior is due to the following bug fix:     6918573: sun.security.pkcs11.P11RSACipher.finalize() is a scalability blocker which uses PhantomReference for proper session cleanup. The current impl keeps track of the number of sessions by counting the number of PhantomReferences of session objects. This has the problem of being too restrictive when there are more than one SunPKCS11 providers. To fix the problem, we'll have to revert back to keeping track of the number of sessions inside each SessionManager instance.

            People

            • Assignee:
              valeriep Valerie Peng
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: