JDK-8215018 : Release Note: Memory Growth Issue in SunPKCS11 Fixed
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 11.0.6-oracle,13
  • Priority: P3
  • Status: Closed
  • Resolution: Delivered
  • OS: generic
  • CPU: generic
  • Submitted: 2018-12-07
  • Updated: 2020-04-27
  • Resolved: 2019-08-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13
11.0.6-oracleResolved 13Resolved
A memory growth issue in the SunPKCS11 cryptographic provider that affects the NSS back-end has been fixed.

A system property, `sun.security.pkcs11.disableKeyExtraction` has been introduced to disable the fix. A "`true`" value disables the fix, while a "`false`" value (default) keeps it enabled.

When enabled, PKCS#11 attributes of the NSS native keys are copied to Java byte buffers after key creation. Once used, NSS keys are destroyed and native heap space is freed up. If NSS keys are required again, they are recreated with the previously saved attributes.

Further information and implementation details can be found in the CSR: JDK-8213430
I think it's better to elaborate this a bit more, i.e. how is this fixed and what value should be set to the system property. Also current fix only goes into affect when NSS is used. Maybe pointing to CSR for more detailed info?