Uploaded image for project: 'Fabric'
  1. Fabric
  2. FAB-18259

Always Finalize FindObject Operations in PKCS11

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Medium
    • Resolution: Done
    • None
    • v2.3.0, v2.2.2, v1.4.10
    • None
    • (Please add steps to reproduce)

    Description

      There are 6 pkcs11 operations that require the session handle to be finalized before a session can be reused. These operations are: Encrypt, Decrypt, Sign, Verify, Find, and Digest. The bccsp/pkcs11 package makes use of three of these operations: sign, verify, and find. Each of these operations has an init function, i.e., SignInit, VerifyInit and FindObjectInit, each are part of the cryptoki implementation. If the Init functions fail, the session handle is never initialized and the finalize function do not need to be called.

      For SignInit and VerifyInit, the next operation we call are the Sign or Verify functions, which also atomically finalized the session. For the FindObjectInit operation however, we must explicitly call the FindObjectFinal function to release the lock on the session handle.

      The current implementation makes a call to FindObject in between FindObjectInit and FindObjectFinal which has an error path. In the current implementation FindObjectFinal is not called on the error path, leaving the session in a state that it can't be used again.

      We should always finalize regardless of the happy path or error path

      Attachments

        Activity

          People

            btl5037 Brett Logan
            btl5037 Brett Logan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: