JDK-8203182 : Release session if initialization of SunPKCS11 Signature fails
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 10.0.1
  • Priority: P5
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2018-05-14
  • Updated: 2019-01-14
  • Resolved: 2018-06-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 7 JDK 8 Other
11 b17Fixed 7u191Resolved 8u192Fixed openjdk7uFixed
If initializing a SunPKCS11 Signature fails because C_SignInit or C_VerifyInit functions throw a PKCS11Exception exception, allocated session is not released. If this happens multiple times, token resources may be exhausted leading to an error. It's suggested to implement the same idiom as for SunPKCS11 Cipher objects. That is: release the session if initialization fails. 

Bug originally reported by: Hemant B Khot
Patch is contributed by Martin Balao (mbalao). I have reviewed the patch and uploaded it at: http://cr.openjdk.java.net/~valeriep/8203182/webrev.00/ No regression test is provided. Adding the label of noreg-hard as the potential session leak is hard to detect.