JDK-8262226 : Better resource cleaning for SunPKCS11 Provider
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool,11-pool,16-pool,17
  • Submitted: 2021-02-23
  • Updated: 2021-05-04
  • Resolved: 2021-05-04
Description
Summary
-------

Introduce new properties to the SunPKCS11 configuration file which control resources managed by the SunPKCS11 provider.

Problem
-------

The `SunPKCS11` security provider extends `java.security.AuthProvider` and allows login()/logout() operations on the underlying Token through native PKCS11 APIs. With the current SunPKCS11 provider impl, upon logout(), its resources remain on the Java heap for possible subsequent login() calls. This means that each SunPKCS11 provider instance consumes certain resources.

In a rare environment where new SunPKCS11 provider instances are instantiated upon each pair of login()/logout() operations, there may be a memory resource issue as the number of SunPKCS11 provider instances grows during the lifetime of JVM.

Solution
--------

Support additional configuration options in the SunPKCS11 provider configuration file which control how and when the PKCS11 resources are freed, as well as whether to destroy the underlying Token upon a logout() operation. Note that if the token is configured to be destroyed after logout(), no further login() calls will be permitted on that provider instance.

Specification
-------------

3 new properties will be supported by the SunPKCS11 provider config file:

* `destroyTokenAfterLogout` (defaults to false)
If set to true, when `java.security.AuthProvider.logout()` is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls.

In addition, the following two properties are for improving SunPKCS11 native resource cleaning effort. They control how often the resource cleaner Thread, `Cleanup-SunPKCS11`, polls and cleans up SunPKCS11 references. This cleaner thread manages the cleanup for all SunPKCS11 provider instances.

* `cleaner.shortInterval`  (defaults to 2000ms)
Value in milliseconds for how often reference cleaning should be performed during a busy period, i.e. when to-be-cleaned references are found by the cleaner thread.

* `cleaner.longInterval` (defaults to 60000ms)
Value in milliseconds for how often reference cleaning should be performed during a non-busy period, i.e. when no to-be-cleaned references are found by the cleaner thread.

The cleaner toggles from the busy to the non-busy period when it has polled for to-be-cleaned references 100 times without finding any. It then continues to poll at the `cleaner.longInterval` until to-be-cleaned references appear, at which point it switches back to polling at the `cleaner.shortInterval`, and the cycle continues.

The minimum value for both interval properties is 1000 (milliseconds).
`java.security.InvalidParameterException` (with a cause of `sun.security.pkcs11.ConfigurationException`) will be thrown if the specified value is less than the minimum value.
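The following is an added example and not JDK code: it models the three properties above (parsing, defaults, the 1000 ms minimum and the `InvalidParameterException` / `ConfigurationException` contract) and the cleaner thread's busy/non-busy polling policy, so the behaviour can be checked without a PKCS11 module. The config text, the library path, and the `ConfigurationException` stand-in (the real one is JDK-internal) are constructed for the example; the exact boundary at which the 100th empty poll switches to the long interval is an assumption of this model, not taken from the JDK source.

```java
import java.security.InvalidParameterException;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not JDK code: models the three SunPKCS11 config properties
// from this CSR (parsing, defaults, the 1000 ms minimum and the exception
// contract) plus the cleaner thread's busy/non-busy polling policy.
public class Pkcs11CleanerConfigDemo {

    // Constructed config text; the library path is a placeholder, not a real module.
    static final String SAMPLE_CONFIG = """
        name = ExampleToken
        library = /path/to/your/pkcs11-module.so
        destroyTokenAfterLogout = true
        cleaner.shortInterval = 2000
        cleaner.longInterval = 60000
        """;

    static final long MIN_INTERVAL_MS = 1000;          // minimum for both intervals
    static final int EMPTY_POLLS_BEFORE_LONG = 100;    // empty polls before switching to longInterval

    // Stand-in for sun.security.pkcs11.ConfigurationException, which is JDK-internal.
    static final class ConfigurationException extends Exception {
        ConfigurationException(String msg) { super(msg); }
    }

    record CleanerConfig(boolean destroyTokenAfterLogout, long shortIntervalMs, long longIntervalMs) {}

    // Minimal "key = value" reader; lines starting with '#' are comments.
    static Map<String, String> parseKeyValues(String text) {
        Map<String, String> kv = new LinkedHashMap<>();
        for (String line : text.split("\\R")) {
            String t = line.trim();
            int eq = t.indexOf('=');
            if (t.isEmpty() || t.startsWith("#") || eq < 0) continue;
            kv.put(t.substring(0, eq).trim(), t.substring(eq + 1).trim());
        }
        return kv;
    }

    static long interval(Map<String, String> kv, String key, long defaultMs) {
        String raw = kv.get(key);
        if (raw == null) return defaultMs;
        long value = Long.parseLong(raw);
        if (value < MIN_INTERVAL_MS) {
            // CSR contract: InvalidParameterException with a ConfigurationException cause.
            InvalidParameterException ipe = new InvalidParameterException(
                    key + " must be at least " + MIN_INTERVAL_MS + " ms, got " + value);
            ipe.initCause(new ConfigurationException("invalid value for " + key));
            throw ipe;
        }
        return value;
    }

    static CleanerConfig load(String configText) {
        Map<String, String> kv = parseKeyValues(configText);
        return new CleanerConfig(
                Boolean.parseBoolean(kv.getOrDefault("destroyTokenAfterLogout", "false")),
                interval(kv, "cleaner.shortInterval", 2000),
                interval(kv, "cleaner.longInterval", 60000));
    }

    // Poll scheduler: after 100 consecutive empty polls the cleaner waits for
    // longInterval; any poll that finds references drops it back to shortInterval.
    static final class PollScheduler {
        private final CleanerConfig cfg;
        private int consecutiveEmptyPolls;
        PollScheduler(CleanerConfig cfg) { this.cfg = cfg; }

        long nextDelayMs(boolean foundReferences) {
            if (foundReferences) {
                consecutiveEmptyPolls = 0;                     // busy period again
                return cfg.shortIntervalMs();
            }
            consecutiveEmptyPolls++;
            return consecutiveEmptyPolls >= EMPTY_POLLS_BEFORE_LONG
                    ? cfg.longIntervalMs() : cfg.shortIntervalMs();
        }
    }

    static void check(boolean cond, String msg) {
        if (!cond) throw new AssertionError(msg);
    }

    public static void main(String[] args) {
        CleanerConfig cfg = load(SAMPLE_CONFIG);
        check(cfg.destroyTokenAfterLogout(), "destroyTokenAfterLogout parsed");

        PollScheduler sched = new PollScheduler(cfg);
        long delay = 0;
        for (int i = 0; i < 99; i++) delay = sched.nextDelayMs(false);
        check(delay == 2000, "still busy after 99 empty polls");
        check(sched.nextDelayMs(false) == 60000, "non-busy after 100 empty polls");
        check(sched.nextDelayMs(true) == 2000, "back to short interval once references appear");

        // Defaults apply when the properties are absent.
        CleanerConfig defaults = load("name = T\nlibrary = /placeholder.so\n");
        check(!defaults.destroyTokenAfterLogout() && defaults.shortIntervalMs() == 2000
                && defaults.longIntervalMs() == 60000, "defaults");

        // A below-minimum value is rejected with the documented exception chain.
        try {
            load("cleaner.shortInterval = 500\n");
            check(false, "expected InvalidParameterException");
        } catch (InvalidParameterException e) {
            check(e.getCause() instanceof ConfigurationException, "cause is ConfigurationException");
        }
        System.out.println("all checks passed");
    }
}
```

Compile and run with JDK 17 (`javac Pkcs11CleanerConfigDemo.java && java Pkcs11CleanerConfigDemo`); the text block and record require JDK 16 or later. Lowering `cleaner.shortInterval` trades cleaner wake-ups against how long freed native handles linger, which is the operational knob a deployment with frequent login()/logout() cycles would tune.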

By default, none of these three new properties are declared in the SunPKCS11 config file that ships with some JDK distributions (Solaris only).

A release note outlining the new properties will be created for relevant JDK releases.


Comments
Re-approving updated request.
04-05-2021

[~darcy] - Thanks Joe. I do plan to port the same functionality to JDK 11u Oracle and JDK 8u Oracle releases. Re-submitting.
27-04-2021

Moving to Approved for JDK 17. Please file a separate issue for any backports, or withdraw -> update -> re-Finalize, if you want to use this request for backports as well.
26-04-2021

Hi Joe, Admittedly - it is a corner case we're dealing with here. It does prove to be a problem for some specialist deployments however. Without such a solution, memory resources are tied up long after the SunPKCS11 sessions are disposed of. The solution is specific to the SunPKCS11 configuration parameters and given the memory resource issue, I believe it's warranted.
20-04-2021

Moving to Provisional, not Approved. Seems like a lot of mechanism and configuration for a seemingly (?) small issue.
16-04-2021