WilburZjh closed 1 year ago
@WilburZjh
From my last investigation, in JDK11, "md instanceof Cloneable" will return false when the md is from the SunPKCS11-NSS-FIPS. But when I take a look at the MessageDigest code, the "P11Digest" from the SunPKCS11-NSS-FIPS actually implements the Cloneable interface. So, not sure why it returns false. But from JDK17 and above, no such issue.
final class P11Digest extends MessageDigestSpi implements Cloneable, MessageDigestSpi2
The difference, as I explained in https://github.com/ibmruntimes/openj9-openjdk-jdk11/pull/662#discussion_r1219908565, is that in Java 17 and later versions, MessageDigest.Delegate.CloneableDelegate is used instead of MessageDigest.Delegate when the original digest object is cloneable.
Perhaps the solution to the situation explained here (https://github.com/ibmruntimes/openj9-openjdk-jdk11/pull/662#discussion_r1220265136) is to catch NoSuchAlgorithmException for the SUN provider as well.
@keithc-ca Thanks for this https://github.com/ibmruntimes/openj9-openjdk-jdk17/commit/b88cc7219e1bd53bda2adefa8cfffb3bfbc0f8f9. This commit updated java.security.MessageDigest to return a Cloneable object and, it looks like, fixed the Cloneable check issue in HmacCore. Do you know why this change was not backported to OpenJDK11?
In JDK11, it seems that the MessageDigest object initialized from a provider such as SunPKCS11-NSS-FIPS is not cloneable. The following code is the sample test.
After compiling and running, we got the following message.
In jdk11, it seems that the MessageObject is not cloneable.
We are using the latest code from the openj9-openjdk-jdk11/openj9 branch.
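The thread turns on the difference between what `md instanceof Cloneable` reports for the object returned by `MessageDigest.getInstance` and whether `clone()` actually works on it. The following is an added example, not the sample test mentioned above and not code from the project, that prints both results for every installed provider; the class name `CloneableProbe` and the default algorithm `SHA-256` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

// Added example (hypothetical class name): for each installed provider that
// offers the digest, compare the `instanceof Cloneable` test discussed in the
// thread with the outcome of really calling clone().
public class CloneableProbe {

    // True if clone() succeeds mid-stream and the copy yields the same digest
    // as the original once both are fed the same remaining input.
    static boolean cloneWorks(MessageDigest md) {
        try {
            md.update("prefix".getBytes(StandardCharsets.UTF_8));
            MessageDigest copy = (MessageDigest) md.clone();
            byte[] tail = "tail".getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(md.digest(tail), copy.digest(tail));
        } catch (CloneNotSupportedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Algorithm name is an assumed default; pass another as the first argument.
        String algorithm = args.length > 0 ? args[0] : "SHA-256";
        System.out.println("java.version=" + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            MessageDigest md;
            try {
                md = MessageDigest.getInstance(algorithm, p);
            } catch (NoSuchAlgorithmException e) {
                continue; // this provider does not offer the digest
            }
            // The runtime class shows which wrapper getInstance handed back.
            System.out.printf("%-24s class=%s instanceofCloneable=%b cloneWorks=%b%n",
                    p.getName(), md.getClass().getName(),
                    md instanceof Cloneable, cloneWorks(md));
        }
    }
}
```

Running it under both JDK 11 and JDK 17 with the same provider configuration shows whether the two columns disagree on a given runtime, which is the behaviour the comments above attribute to `MessageDigest.Delegate` versus `MessageDigest.Delegate.CloneableDelegate`.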