# HG changeset patch # User vinnie # Date 1372808289 25200 # Node ID ab43f18c524e9db620681bd95cf88511ae1aa40e # Parent 36bbc241ad6e9cdf8aca1748d9a2b832b463bd11 7165807: Non optimized initialization of NSS crypto library leads to scalability issues Reviewed-by: mullan, valeriep diff -r 36bbc241ad6e -r ab43f18c524e jdk/make/sun/security/pkcs11/mapfile-vers --- a/jdk/make/sun/security/pkcs11/mapfile-vers Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/make/sun/security/pkcs11/mapfile-vers Tue Jul 02 16:38:09 2013 -0700 @@ -102,7 +102,7 @@ Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle; Java_sun_security_pkcs11_Secmod_nssLoadLibrary; Java_sun_security_pkcs11_Secmod_nssVersionCheck; - Java_sun_security_pkcs11_Secmod_nssInit; + Java_sun_security_pkcs11_Secmod_nssInitialize; Java_sun_security_pkcs11_Secmod_nssGetModuleList; local: diff -r 36bbc241ad6e -r ab43f18c524e jdk/makefiles/mapfiles/libj2pkcs11/mapfile-vers --- a/jdk/makefiles/mapfiles/libj2pkcs11/mapfile-vers Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/makefiles/mapfiles/libj2pkcs11/mapfile-vers Tue Jul 02 16:38:09 2013 -0700 @@ -1,5 +1,5 @@ # -# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -102,7 +102,7 @@ Java_sun_security_pkcs11_Secmod_nssGetLibraryHandle; Java_sun_security_pkcs11_Secmod_nssLoadLibrary; Java_sun_security_pkcs11_Secmod_nssVersionCheck; - Java_sun_security_pkcs11_Secmod_nssInit; + Java_sun_security_pkcs11_Secmod_nssInitialize; Java_sun_security_pkcs11_Secmod_nssGetModuleList; local: diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/share/classes/sun/security/pkcs11/Config.java --- a/jdk/src/share/classes/sun/security/pkcs11/Config.java Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/share/classes/sun/security/pkcs11/Config.java Tue Jul 02 16:38:09 2013 -0700 @@ -197,6 +197,10 @@ // (false). private boolean useEcX963Encoding = false; + // Flag to indicate whether NSS should favour performance (false) or + // memory footprint (true). + private boolean nssOptimizeSpace = false; + private Config(String filename, InputStream in) throws IOException { if (in == null) { if (filename.startsWith("--")) { @@ -329,6 +333,10 @@ return useEcX963Encoding; } + boolean getNssOptimizeSpace() { + return nssOptimizeSpace; + } + private static String expand(final String s) throws IOException { try { return PropertyExpander.expand(s); @@ -451,6 +459,8 @@ nssUseSecmodTrust = parseBooleanEntry(word); } else if (word.equals("useEcX963Encoding")) { useEcX963Encoding = parseBooleanEntry(word); + } else if (word.equals("nssOptimizeSpace")) { + nssOptimizeSpace = parseBooleanEntry(word); } else { throw new ConfigurationException ("Unknown keyword '" + word + "', line " + st.lineno()); diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/share/classes/sun/security/pkcs11/Secmod.java --- a/jdk/src/share/classes/sun/security/pkcs11/Secmod.java Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/share/classes/sun/security/pkcs11/Secmod.java Tue Jul 02 16:38:09 2013 -0700 @@ -158,11 +158,17 @@ */ public void initialize(String configDir, String nssLibDir) throws IOException { - initialize(DbMode.READ_WRITE, configDir, nssLibDir); + initialize(DbMode.READ_WRITE, configDir, nssLibDir, false); } - public synchronized void initialize(DbMode dbMode, String configDir, String nssLibDir) + public void initialize(DbMode dbMode, String configDir, String nssLibDir) throws IOException { + initialize(dbMode, configDir, nssLibDir, false); + } + + public synchronized void initialize(DbMode dbMode, String configDir, + String nssLibDir, boolean nssOptimizeSpace) throws IOException { + if (isInitialized()) { throw new IOException("NSS is already initialized"); } @@ -211,7 +217,8 @@ } if (DEBUG) System.out.println("dir: " + configDir); - boolean initok = nssInit(dbMode.functionName, nssHandle, configDir); + boolean initok = nssInitialize(dbMode.functionName, nssHandle, + configDir, nssOptimizeSpace); if (DEBUG) System.out.println("init: " + initok); if (initok == false) { throw new IOException("NSS initialization failed"); @@ -764,7 +771,7 @@ private static native boolean nssVersionCheck(long handle, String minVersion); - private static native boolean nssInit(String functionName, long handle, String configDir); + private static native boolean nssInitialize(String functionName, long handle, String configDir, boolean nssOptimizeSpace); private static native Object nssGetModuleList(long handle, String libDir); diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java --- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Tue Jul 02 16:38:09 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -167,6 +167,7 @@ try { String nssLibraryDirectory = config.getNssLibraryDirectory(); String nssSecmodDirectory = config.getNssSecmodDirectory(); + boolean nssOptimizeSpace = config.getNssOptimizeSpace(); if (secmod.isInitialized()) { if (nssSecmodDirectory != null) { @@ -204,7 +205,7 @@ } } secmod.initialize(nssDbMode, nssSecmodDirectory, - nssLibraryDirectory); + nssLibraryDirectory, nssOptimizeSpace); } } catch (IOException e) { // XXX which exception to throw diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/share/native/sun/security/pkcs11/j2secmod.c --- a/jdk/src/share/native/sun/security/pkcs11/j2secmod.c Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/share/native/sun/security/pkcs11/j2secmod.c Tue Jul 02 16:38:09 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -51,20 +51,63 @@ return (res == 0) ? JNI_FALSE : JNI_TRUE; } -JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssInit - (JNIEnv *env, jclass thisClass, jstring jFunctionName, jlong jHandle, jstring jConfigDir) +/* + * Initializes NSS. + * The NSS_INIT_OPTIMIZESPACE flag is supplied by the caller. + * The NSS_Init* functions are mapped to the NSS_Initialize function. + */ +JNIEXPORT jboolean JNICALL Java_sun_security_pkcs11_Secmod_nssInitialize + (JNIEnv *env, jclass thisClass, jstring jFunctionName, jlong jHandle, jstring jConfigDir, jboolean jNssOptimizeSpace) { - const char *functionName = (*env)->GetStringUTFChars(env, jFunctionName, NULL); - const char *configDir = (jConfigDir == NULL) ? NULL : (*env)->GetStringUTFChars(env, jConfigDir, NULL); - FPTR_Init init = (FPTR_Init)findFunction(env, jHandle, functionName); - int res; + const char *functionName = + (*env)->GetStringUTFChars(env, jFunctionName, NULL); + const char *configDir = (jConfigDir == NULL) + ? NULL : (*env)->GetStringUTFChars(env, jConfigDir, NULL); + FPTR_Initialize initialize = + (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); + int res = 0; + unsigned int flags = 0x00; - (*env)->ReleaseStringUTFChars(env, jFunctionName, functionName); - if (init == NULL) { - return JNI_FALSE; + if (jNssOptimizeSpace == JNI_TRUE) { + flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag } - res = init(configDir); + if (initialize != NULL) { + /* + * If the NSS_Init function is requested then call NSS_Initialize to + * open the Cert, Key and Security Module databases, read only. + */ + if (strcmp("NSS_Init", functionName) == 0) { + flags = flags | 0x01; // NSS_INIT_READONLY flag + res = initialize(configDir, "", "", "secmod.db", flags); + + /* + * If the NSS_InitReadWrite function is requested then call + * NSS_Initialize to open the Cert, Key and Security Module databases, + * read/write. + */ + } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { + res = initialize(configDir, "", "", "secmod.db", flags); + + /* + * If the NSS_NoDB_Init function is requested then call + * NSS_Initialize without creating Cert, Key or Security Module + * databases. + */ + } else if (strcmp("NSS_NoDB_Init", functionName) == 0) { + flags = flags | 0x02 // NSS_INIT_NOCERTDB flag + | 0x04 // NSS_INIT_NOMODDB flag + | 0x08 // NSS_INIT_FORCEOPEN flag + | 0x10; // NSS_INIT_NOROOTINIT flag + res = initialize("", "", "", "", flags); + + } else { + res = 2; + } + } else { + res = 1; + } + (*env)->ReleaseStringUTFChars(env, jFunctionName, functionName); if (configDir != NULL) { (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); } diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h --- a/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h Tue Jul 02 16:38:09 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,9 +25,14 @@ // in nss.h: // extern PRBool NSS_VersionCheck(const char *importedVersion); -// extern SECStatus NSS_Init(const char *configdir); +// extern SECStatus NSS_Initialize(const char *configdir, +// const char *certPrefix, const char *keyPrefix, +// const char *secmodName, PRUint32 flags); + typedef int (*FPTR_VersionCheck)(const char *importedVersion); -typedef int (*FPTR_Init)(const char *configdir); +typedef int (*FPTR_Initialize)(const char *configdir, + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); // in secmod.h //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, diff -r 36bbc241ad6e -r ab43f18c524e jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.h --- a/jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.h Mon Jul 01 11:13:56 2013 +0200 +++ b/jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.h Tue Jul 02 16:38:09 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,9 +27,14 @@ // in nss.h: // extern PRBool NSS_VersionCheck(const char *importedVersion); -// extern SECStatus NSS_Init(const char *configdir); +// extern SECStatus NSS_Initialize(const char *configdir, +// const char *certPrefix, const char *keyPrefix, +// const char *secmodName, PRUint32 flags); + typedef int __declspec(dllimport) (*FPTR_VersionCheck)(const char *importedVersion); -typedef int __declspec(dllimport) (*FPTR_Init)(const char *configdir); +typedef int __declspec(dllimport) (*FPTR_Initialize)(const char *configdir, + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); // in secmod.h //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,