Mercurial > hg > icedtea8-forest > jdk
changeset 13438:d9b0b4bd2526 icedtea-3.9.0pre01
8203182, PR3603: Release session if initialization of SunPKCS11 Signature fails
Summary: Ensure session is properly released in P11Signature class
Reviewed-by: valeriep
Contributed-by: Martin Balao <mbalao@redhat.com>
author | igerasim |
---|---|
date | Thu, 14 Jun 2018 09:16:09 -0700 |
parents | 1f4b038b9550 |
children | fca53058af20 |
files | src/share/classes/sun/security/pkcs11/P11Signature.java |
diffstat | 1 files changed, 48 insertions(+), 38 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs11/P11Signature.java Fri Apr 17 12:32:46 2015 -0700 +++ b/src/share/classes/sun/security/pkcs11/P11Signature.java Thu Jun 14 09:16:09 2018 -0700 @@ -309,47 +309,51 @@ session = token.killSession(session); return; } - // "cancel" operation by finishing it - // XXX make sure all this always works correctly - if (mode == M_SIGN) { - try { - if (type == T_UPDATE) { - token.p11.C_SignFinal(session.id(), 0); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - digest = buffer; + try { + // "cancel" operation by finishing it + // XXX make sure all this always works correctly + if (mode == M_SIGN) { + try { + if (type == T_UPDATE) { + token.p11.C_SignFinal(session.id(), 0); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + digest = buffer; + } + token.p11.C_Sign(session.id(), digest); } - token.p11.C_Sign(session.id(), digest); + } catch (PKCS11Exception e) { + throw new ProviderException("cancel failed", e); } - } catch (PKCS11Exception e) { - throw new ProviderException("cancel failed", e); + } else { // M_VERIFY + try { + byte[] signature; + if (keyAlgorithm.equals("DSA")) { + signature = new byte[40]; + } else { + signature = new byte[(p11Key.length() + 7) >> 3]; + } + if (type == T_UPDATE) { + token.p11.C_VerifyFinal(session.id(), signature); + } else { + byte[] digest; + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW + digest = buffer; + } + token.p11.C_Verify(session.id(), digest, signature); + } + } catch (PKCS11Exception e) { + // will fail since the signature is incorrect + // XXX check error code + } } - } else { // M_VERIFY - try { - byte[] signature; - if (keyAlgorithm.equals("DSA")) { - signature = new byte[40]; - } else { - signature = new byte[(p11Key.length() + 7) >> 3]; - } - if (type == T_UPDATE) { - token.p11.C_VerifyFinal(session.id(), signature); - } else { - byte[] digest; - if (type == T_DIGEST) { - digest = md.digest(); - } else { // T_RAW - digest = buffer; - } - token.p11.C_Verify(session.id(), digest, signature); - } - } catch (PKCS11Exception e) { - // will fail since the signature is incorrect - // XXX check error code - } + } finally { + session = token.releaseSession(session); } } @@ -368,6 +372,8 @@ } initialized = true; } catch (PKCS11Exception e) { + // release session when initialization failed + session = token.releaseSession(session); throw new ProviderException("Initialization failed", e); } if (bytesProcessed != 0) { @@ -529,6 +535,8 @@ } bytesProcessed += len; } catch (PKCS11Exception e) { + initialized = false; + session = token.releaseSession(session); throw new ProviderException(e); } break; @@ -576,6 +584,8 @@ bytesProcessed += len; byteBuffer.position(ofs + len); } catch (PKCS11Exception e) { + initialized = false; + session = token.releaseSession(session); throw new ProviderException("Update failed", e); } break;