Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8262226

Better resource cleaning for SunPKCS11 Provider



    • Subcomponent:
    • Compatibility Kind:
    • Compatibility Risk:
    • Interface Kind:
      System or security property
    • Scope:



      Introduce new properties to the SunPKCS11 configuration file which control resources managed by the SunPKCS11 provider.


      The SunPKCS11 security provider extends java.security.AuthProvider and allows login()/logout() operations on the underlying Token through native PKCS11 APIs. With the current SunPKCS11 provider impl, upon logout(), its resources remain on the Java heap for possible subsequent login() calls. This means that each SunPKCS11 provider instance consumes certain resources.

      In a rare environment where new SunPKCS11 provider instances are instantiated upon each pair of login()/logout() operations, there may be a memory resource issue as the number of SunPKCS11 provider instances grows during the lifetime of JVM.


      Support additional configuration options via the SunPKCS11 provider configuration file which control how and when the PKCS11 resources are freed as well as whether to destroy underlying Token upon logout() operation. Note that if token were set to be destroyed after logout() operation, no further login() calls will be permitted.


      3 new properties will be supported by the SunPKCS11 provider config file:

      • destroyTokenAfterLogout (defaults to false) If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls.

      In addition, the following two properties are for improving SunPKCS11 native resource cleaning effort. They control how often the resource cleaner Thread, Cleanup-SunPKCS11, polls and cleans up SunPKCS11 references. This cleaner thread manages the cleanup for all SunPKCS11 provider instances.

      • cleaner.shortInterval (defaults to 2000ms) Value in milliseconds on how often reference cleaning should be performed during busy period, i.e. when to-be-cleaned references are found by the cleaner thread

      • cleaner.longInterval (defaults to 60000ms) Value in milliseconds on how often reference cleaning should be performed during non-busy period, i.e. when no to-be-cleaned references are found by the cleaner thread.

      The system toggles from busy to non-busy period if no references need to be cleaned after the Cleaner thread polls for to-be-cleaned references 100 times. The cleaner thread continues to poll at the cleaner.longInterval until to-be-cleaned-up references appear. The thread will then move back to polling for references at the cleaner.shortInterval interval count and the cycle continues.

      Minimum value of 1000 for both interval values. java.security.InvalidParameterException (with cause of sun.security.pkcs11.ConfigurationException) will be thrown if the specified value is less than minimum value.

      By default, none of these 3 new properties will be declared in the config file that ships in some JDK distros. (Solaris only)

      A release note outlining the new properties will be created for relevant JDK releases.


          Issue Links



              coffeys Sean Coffey
              shadowbug Shadow Bug
              Reviewed By:
              Valerie Peng
              0 Vote for this issue
              2 Start watching this issue