8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod

Reviewed-by: valeriep

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Secmod.java

@@ -73,6 +73,15 @@ public final class Secmod {
 
     private static final String TRUST_LIB_NAME = "nssckbi";
 
+    // Slot IDs - defined in j2secmod.h on the native side
+    // Values obtained from NSS's pkcs11i.h header
+
+    private final static int NETSCAPE_SLOT_ID = 0x1;
+
+    private final static int PRIVATE_KEY_SLOT_ID = 0x2;
+
+    private final static int FIPS_SLOT_ID = 0x3;
+
     // handle to be passed to the native code, 0 means not initialized
     private long nssHandle;
 
@@ -392,20 +401,21 @@ public final class Secmod {
         private Map<Bytes,TrustAttributes> trust;
 
         Module(String libraryDir, String libraryName, String commonName,
-                boolean fips, int slot) {
+                int slotIndex, int slotId) {
             ModuleType type;
 
             if ((libraryName == null) || (libraryName.length() == 0)) {
                 // must be softtoken
                 libraryName = System.mapLibraryName(SOFTTOKEN_LIB_NAME);
-                if (fips == false) {
+                if (slotId == NETSCAPE_SLOT_ID) {
-                    type = (slot == 0) ? ModuleType.CRYPTO : ModuleType.KEYSTORE;
+                    type = ModuleType.CRYPTO;
-                } else {
+                } else if (slotId == PRIVATE_KEY_SLOT_ID) {
+                    type = ModuleType.KEYSTORE;
+                } else if (slotId == FIPS_SLOT_ID) {
                     type = ModuleType.FIPS;
-                    if (slot != 0) {
+                } else {
-                        throw new RuntimeException
+                    throw new RuntimeException("Unexpected slot ID " + slotId +
-                            ("Slot index should be 0 for FIPS slot");
+                            " in the NSS Internal Module");
-                    }
                 }
             } else {
                 if (libraryName.endsWith(System.mapLibraryName(TRUST_LIB_NAME))
@@ -426,7 +436,7 @@ public final class Secmod {
             }
             this.libraryName = libraryFile.getPath();
             this.commonName = commonName;
-            this.slot = slot;
+            this.slot = slotIndex;
             this.type = type;
             initConfiguration();
         }

src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c

@@ -170,8 +170,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_Secmod_nssGetModuleList
     jobject jList, jModule;
     jmethodID jListConstructor, jAdd, jModuleConstructor;
     jstring jCommonName, jDllName;
-    jboolean jFIPS;
+    jint i, jSlotID;
-    jint i;
 
     if (getModuleList == NULL) {
         dprintf("-getmodulelist function not found\n");
@@ -204,7 +203,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_Secmod_nssGetModuleList
         return NULL;
     }
     jModuleConstructor = (*env)->GetMethodID(env, jModuleClass, "<init>",
-        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZI)V");
+        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;II)V");
     if (jModuleConstructor == NULL) {
         return NULL;
     }
@@ -230,10 +229,15 @@ JNIEXPORT jobject JNICALL Java_sun_security_pkcs11_Secmod_nssGetModuleList
                 return NULL;
             }
         }
-        jFIPS = module->isFIPS;
         for (i = 0; i < module->slotCount; i++ ) {
+            jSlotID = module->slots[i]->slotID;
+            if (jDllName == NULL && jSlotID != NETSCAPE_SLOT_ID &&
+                    jSlotID != PRIVATE_KEY_SLOT_ID && jSlotID != FIPS_SLOT_ID) {
+                // Ignore unknown slot IDs in the NSS Internal Module. See JDK-8265462.
+                continue;
+            }
             jModule = (*env)->NewObject(env, jModuleClass, jModuleConstructor,
-                jLibDir, jDllName, jCommonName, jFIPS, i);
+                    jLibDir, jDllName, jCommonName, i, jSlotID);
             if (jModule == NULL) {
                 return NULL;
             }

src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.h

@@ -51,32 +51,150 @@ void *findFunction(JNIEnv *env, jlong jHandle, const char *functionName);
 // NSS types
 
 typedef int PRBool;
+typedef unsigned short PRUint16;
+typedef short PRInt16;
+typedef unsigned int PRUint32;
+typedef int PRInt32;
+typedef long long PRInt64;
+
+typedef PRUint32 PRIntervalTime;
+typedef PRInt64 PRTime;
+
+typedef struct PK11SlotInfoStr PK11SlotInfo;
 
 typedef struct SECMODModuleStr SECMODModule;
 typedef struct SECMODModuleListStr SECMODModuleList;
 
-struct SECMODModuleStr {
+// Defined in NSS's secmodt.h header
-    void        *v1;
+/* PKCS #11 disable reasons */
-    PRBool      internal;       /* true of internally linked modules, false
+typedef enum {
-                                 * for the loaded modules */
+    PK11_DIS_NONE = 0,
-    PRBool      loaded;         /* Set to true if module has been loaded */
+    PK11_DIS_USER_SELECTED = 1,
-    PRBool      isFIPS;         /* Set to true if module is finst internal */
+    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
-    char        *dllName;       /* name of the shared library which implements
+    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
-                                 * this module */
+    PK11_DIS_TOKEN_NOT_PRESENT = 4
-    char        *commonName;    /* name of the module to display to the user */
+} PK11DisableReasons;
-    void        *library;       /* pointer to the library. opaque. used only by
-                                 * pk11load.c */
 
-    void        *functionList; /* The PKCS #11 function table */
+// Slot IDs - defined in Secmod.java on the Java side
-    void        *refLock;       /* only used pk11db.c */
+// Values obtained from NSS's pkcs11i.h header
-    int         refCount;       /* Module reference count */
+#define NETSCAPE_SLOT_ID 1
-    void        **slots;        /* array of slot points attached to this mod*/
+#define PRIVATE_KEY_SLOT_ID 2
-    int         slotCount;      /* count of slot in above array */
+#define FIPS_SLOT_ID 3
-    void        *slotInfo;      /* special info about slots default settings */
+
-    int         slotInfoCount;  /* count */
+// Defined in NSS's secmodti.h header
+/* represent a pkcs#11 slot reference counted. */
+struct PK11SlotInfoStr {
+    /* the PKCS11 function list for this slot */
+    void *functionList;
+    SECMODModule *module; /* our parent module */
+    /* Boolean to indicate the current state of this slot */
+    PRBool needTest;           /* Has this slot been tested for Export complience */
+    PRBool isPerm;             /* is this slot a permanment device */
+    PRBool isHW;               /* is this slot a hardware device */
+    PRBool isInternal;         /* is this slot one of our internal PKCS #11 devices */
+    PRBool disabled;           /* is this slot disabled... */
+    PK11DisableReasons reason; /* Why this slot is disabled */
+    PRBool readOnly;           /* is the token in this slot read-only */
+    PRBool needLogin;          /* does the token of the type that needs
+                                * authentication (still true even if token is logged
+                                * in) */
+    PRBool hasRandom;          /* can this token generated random numbers */
+    PRBool defRWSession;       /* is the default session RW (we open our default
+                                * session rw if the token can only handle one session
+                                * at a time. */
+    PRBool isThreadSafe;       /* copied from the module */
+    /* The actual flags (many of which are distilled into the above PRBools) */
+    CK_FLAGS flags; /* flags from PKCS #11 token Info */
+    /* a default session handle to do quick and dirty functions */
+    CK_SESSION_HANDLE session;
+    void *sessionLock; /* lock for this session */
+    /* our ID */
+    CK_SLOT_ID slotID;
+    /* persistant flags saved from startup to startup */
+    unsigned long defaultFlags;
+    /* keep track of who is using us so we don't accidently get freed while
+     * still in use */
+    PRInt32 refCount; /* to be in/decremented by atomic calls ONLY! */
+    void *freeListLock;
+    void *freeSymKeysWithSessionHead;
+    void *freeSymKeysHead;
+    int keyCount;
+    int maxKeyCount;
+    /* Password control functions for this slot. many of these are only
+     * active if the appropriate flag is on in defaultFlags */
+    int askpw;           /* what our password options are */
+    int timeout;         /* If we're ask_timeout, what is our timeout time is
+                          * seconds */
+    int authTransact;    /* allow multiple authentications off one password if
+                          * they are all part of the same transaction */
+    PRTime authTime;     /* when were we last authenticated */
+    int minPassword;     /* smallest legal password */
+    int maxPassword;     /* largest legal password */
+    PRUint16 series;     /* break up the slot info into various groups of
+                          * inserted tokens so that keys and certs can be
+                          * invalidated */
+    PRUint16 flagSeries; /* record the last series for the last event
+                          * returned for this slot */
+    PRBool flagState;    /* record the state of the last event returned for this
+                          * slot. */
+    PRUint16 wrapKey;    /* current wrapping key for SSL master secrets */
+    CK_MECHANISM_TYPE wrapMechanism;
+    /* current wrapping mechanism for current wrapKey */
+    CK_OBJECT_HANDLE refKeys[1];      /* array of existing wrapping keys for */
+    CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
+                                       * token */
+    int mechanismCount;
+    /* cache the certificates stored on the token of this slot */
+    void **cert_array;
+    int array_size;
+    int cert_count;
+    char serial[16];
+    /* since these are odd sizes, keep them last. They are odd sizes to
+     * allow them to become null terminated strings */
+    char slot_name[65];
+    char token_name[33];
+    PRBool hasRootCerts;
+    PRBool hasRootTrust;
+    PRBool hasRSAInfo;
+    CK_FLAGS RSAInfoFlags;
+    PRBool protectedAuthPath;
+    PRBool isActiveCard;
+    PRIntervalTime lastLoginCheck;
+    unsigned int lastState;
+    /* for Stan */
+    void *nssToken;
+    /* the tokeninfo struct */
+    CK_TOKEN_INFO tokenInfo;
+    /* fast mechanism lookup */
+    char mechanismBits[256];
+    CK_PROFILE_ID *profileList;
+    int profileCount;
+};
+
+// Defined in NSS's secmodt.h header
+struct SECMODModuleStr {
+    void         *v1;
+    PRBool       internal;       /* true of internally linked modules, false
+                                  * for the loaded modules */
+    PRBool       loaded;         /* Set to true if module has been loaded */
+    PRBool       isFIPS;         /* Set to true if module is finst internal */
+    char         *dllName;       /* name of the shared library which implements
+                                  * this module */
+    char         *commonName;    /* name of the module to display to the user */
+    void         *library;       /* pointer to the library. opaque. used only by
+                                  * pk11load.c */
+
+    void         *functionList; /* The PKCS #11 function table */
+    void         *refLock;       /* only used pk11db.c */
+    int          refCount;       /* Module reference count */
+    PK11SlotInfo **slots;        /* array of slot points attached to this mod*/
+    int          slotCount;      /* count of slot in above array */
+    void         *slotInfo;      /* special info about slots default settings */
+    int          slotInfoCount;  /* count */
     // incomplete, sizeof() is wrong
 };
 
+// Defined in NSS's secmodt.h header
 struct SECMODModuleListStr {
     SECMODModuleList    *next;
     SECMODModule        *module;