J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2003-2006 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package sun.security.pkcs11; |
| 27 | |
| 28 | import java.util.*; |
| 29 | |
| 30 | import java.security.ProviderException; |
| 31 | |
| 32 | import sun.security.util.Debug; |
| 33 | |
| 34 | import sun.security.pkcs11.wrapper.*; |
| 35 | import static sun.security.pkcs11.wrapper.PKCS11Constants.*; |
| 36 | |
| 37 | /** |
| 38 | * Session manager. There is one session manager object per PKCS#11 |
| 39 | * provider. It allows code to checkout a session, release it |
| 40 | * back to the pool, or force it to be closed. |
| 41 | * |
| 42 | * The session manager pools sessions to minimize the number of |
| 43 | * C_OpenSession() and C_CloseSession() that have to be made. It |
| 44 | * maintains two pools: one for "object" sessions and one for |
| 45 | * "operation" sessions. |
| 46 | * |
| 47 | * The reason for this separation is how PKCS#11 deals with session objects. |
| 48 | * It defines that when a session is closed, all objects created within |
| 49 | * that session are destroyed. In other words, we may never close a session |
| 50 | * while a Key created it in is still in use. We would like to keep the |
| 51 | * number of such sessions low. Note that we occasionally want to explicitly |
| 52 | * close a session, see P11Signature. |
| 53 | * |
| 54 | * NOTE that all sessions obtained from this class MUST be returned using |
| 55 | * either releaseSession() or closeSession() using a finally block or a |
| 56 | * finalizer where appropriate. Otherwise, they will be "lost", i.e. there |
| 57 | * will be a resource leak eventually leading to exhaustion. |
| 58 | * |
| 59 | * Note that sessions are automatically closed when they are not used for a |
| 60 | * period of time, see Session. |
| 61 | * |
| 62 | * @author Andreas Sterbenz |
| 63 | * @since 1.5 |
| 64 | */ |
| 65 | final class SessionManager { |
| 66 | |
| 67 | private final static int DEFAULT_MAX_SESSIONS = 32; |
| 68 | |
| 69 | private final static Debug debug = Debug.getInstance("pkcs11"); |
| 70 | |
| 71 | // token instance |
| 72 | private final Token token; |
| 73 | |
| 74 | // maximum number of sessions to open with this token |
| 75 | private final int maxSessions; |
| 76 | |
| 77 | // total number of active sessions |
| 78 | private int activeSessions; |
| 79 | |
| 80 | // pool of available object sessions |
| 81 | private final Pool objSessions; |
| 82 | |
| 83 | // pool of available operation sessions |
| 84 | private final Pool opSessions; |
| 85 | |
| 86 | // maximum number of active sessions during this invocation, for debugging |
| 87 | private int maxActiveSessions; |
| 88 | |
| 89 | // flags to use in the C_OpenSession() call |
| 90 | private final long openSessionFlags; |
| 91 | |
| 92 | SessionManager(Token token) { |
| 93 | long n; |
| 94 | if (token.isWriteProtected()) { |
| 95 | openSessionFlags = CKF_SERIAL_SESSION; |
| 96 | n = token.tokenInfo.ulMaxSessionCount; |
| 97 | } else { |
| 98 | openSessionFlags = CKF_SERIAL_SESSION | CKF_RW_SESSION; |
| 99 | n = token.tokenInfo.ulMaxRwSessionCount; |
| 100 | } |
| 101 | if (n == CK_EFFECTIVELY_INFINITE) { |
| 102 | n = Integer.MAX_VALUE; |
| 103 | } else if ((n == CK_UNAVAILABLE_INFORMATION) || (n < 0)) { |
| 104 | // choose an arbitrary concrete value |
| 105 | n = DEFAULT_MAX_SESSIONS; |
| 106 | } |
| 107 | maxSessions = (int)Math.min(n, Integer.MAX_VALUE); |
| 108 | this.token = token; |
| 109 | this.objSessions = new Pool(this); |
| 110 | this.opSessions = new Pool(this); |
| 111 | } |
| 112 | |
| 113 | // returns whether only a fairly low number of sessions are |
| 114 | // supported by this token. |
| 115 | boolean lowMaxSessions() { |
| 116 | return (maxSessions <= DEFAULT_MAX_SESSIONS); |
| 117 | } |
| 118 | |
| 119 | synchronized Session getObjSession() throws PKCS11Exception { |
| 120 | Session session = objSessions.poll(); |
| 121 | if (session != null) { |
| 122 | return ensureValid(session); |
| 123 | } |
| 124 | session = opSessions.poll(); |
| 125 | if (session != null) { |
| 126 | return ensureValid(session); |
| 127 | } |
| 128 | session = openSession(); |
| 129 | return ensureValid(session); |
| 130 | } |
| 131 | |
| 132 | synchronized Session getOpSession() throws PKCS11Exception { |
| 133 | Session session = opSessions.poll(); |
| 134 | if (session != null) { |
| 135 | return ensureValid(session); |
| 136 | } |
| 137 | // create a new session rather than re-using an obj session |
| 138 | // that avoids potential expensive cancels() for Signatures & RSACipher |
| 139 | if (activeSessions < maxSessions) { |
| 140 | session = openSession(); |
| 141 | return ensureValid(session); |
| 142 | } |
| 143 | session = objSessions.poll(); |
| 144 | if (session != null) { |
| 145 | return ensureValid(session); |
| 146 | } |
| 147 | throw new ProviderException("Could not obtain session"); |
| 148 | } |
| 149 | |
| 150 | private Session ensureValid(Session session) { |
| 151 | session.id(); |
| 152 | return session; |
| 153 | } |
| 154 | |
| 155 | synchronized Session killSession(Session session) { |
| 156 | if ((session == null) || (token.isValid() == false)) { |
| 157 | return null; |
| 158 | } |
| 159 | if (debug != null) { |
| 160 | String location = new Exception().getStackTrace()[2].toString(); |
| 161 | System.out.println("Killing session (" + location + ") active: " |
| 162 | + activeSessions); |
| 163 | } |
| 164 | try { |
| 165 | closeSession(session); |
| 166 | return null; |
| 167 | } catch (PKCS11Exception e) { |
| 168 | throw new ProviderException(e); |
| 169 | } |
| 170 | } |
| 171 | |
| 172 | synchronized Session releaseSession(Session session) { |
| 173 | if ((session == null) || (token.isValid() == false)) { |
| 174 | return null; |
| 175 | } |
| 176 | |
| 177 | if (session.hasObjects()) { |
| 178 | objSessions.release(session); |
| 179 | } else { |
| 180 | opSessions.release(session); |
| 181 | } |
| 182 | return null; |
| 183 | } |
| 184 | |
| 185 | synchronized void demoteObjSession(Session session) { |
| 186 | if (token.isValid() == false) { |
| 187 | return; |
| 188 | } |
| 189 | if (debug != null) { |
| 190 | System.out.println("Demoting session, active: " + activeSessions); |
| 191 | } |
| 192 | boolean present = objSessions.remove(session); |
| 193 | if (present == false) { |
| 194 | // session is currently in use |
| 195 | // will be added to correct pool on release, nothing to do now |
| 196 | return; |
| 197 | } |
| 198 | opSessions.release(session); |
| 199 | } |
| 200 | |
| 201 | private Session openSession() throws PKCS11Exception { |
| 202 | if (activeSessions >= maxSessions) { |
| 203 | throw new ProviderException("No more sessions available"); |
| 204 | } |
| 205 | long id = token.p11.C_OpenSession |
| 206 | (token.provider.slotID, openSessionFlags, null, null); |
| 207 | Session session = new Session(token, id); |
| 208 | activeSessions++; |
| 209 | if (debug != null) { |
| 210 | if (activeSessions > maxActiveSessions) { |
| 211 | maxActiveSessions = activeSessions; |
| 212 | if (maxActiveSessions % 10 == 0) { |
| 213 | System.out.println("Open sessions: " + maxActiveSessions); |
| 214 | } |
| 215 | } |
| 216 | } |
| 217 | return session; |
| 218 | } |
| 219 | |
| 220 | private void closeSession(Session session) throws PKCS11Exception { |
| 221 | if (session.hasObjects()) { |
| 222 | throw new ProviderException |
| 223 | ("Internal error: close session with active objects"); |
| 224 | } |
| 225 | token.p11.C_CloseSession(session.id()); |
| 226 | activeSessions--; |
| 227 | } |
| 228 | |
| 229 | private static final class Pool { |
| 230 | |
| 231 | private final SessionManager mgr; |
| 232 | |
| 233 | private final List<Session> pool; |
| 234 | |
| 235 | Pool(SessionManager mgr) { |
| 236 | this.mgr = mgr; |
| 237 | pool = new ArrayList<Session>(); |
| 238 | } |
| 239 | |
| 240 | boolean remove(Session session) { |
| 241 | return pool.remove(session); |
| 242 | } |
| 243 | |
| 244 | Session poll() { |
| 245 | int n = pool.size(); |
| 246 | if (n == 0) { |
| 247 | return null; |
| 248 | } |
| 249 | Session session = pool.remove(n - 1); |
| 250 | return session; |
| 251 | } |
| 252 | |
| 253 | void release(Session session) { |
| 254 | pool.add(session); |
| 255 | // if there are idle sessions, close them |
| 256 | if (session.hasObjects()) { |
| 257 | return; |
| 258 | } |
| 259 | int n = pool.size(); |
| 260 | if (n < 5) { |
| 261 | return; |
| 262 | } |
| 263 | Session oldestSession = pool.get(0); |
| 264 | long time = System.currentTimeMillis(); |
| 265 | if (session.isLive(time) && oldestSession.isLive(time)) { |
| 266 | return; |
| 267 | } |
| 268 | Collections.sort(pool); |
| 269 | int i = 0; |
| 270 | PKCS11Exception exc = null; |
| 271 | while (i < n - 1) { // always keep at least 1 session open |
| 272 | oldestSession = pool.get(i); |
| 273 | if (oldestSession.isLive(time)) { |
| 274 | break; |
| 275 | } |
| 276 | i++; |
| 277 | try { |
| 278 | mgr.closeSession(oldestSession); |
| 279 | } catch (PKCS11Exception e) { |
| 280 | exc = e; |
| 281 | } |
| 282 | } |
| 283 | if (debug != null) { |
| 284 | System.out.println("Closing " + i + " idle sessions, active: " |
| 285 | + mgr.activeSessions); |
| 286 | } |
| 287 | List<Session> subList = pool.subList(0, i); |
| 288 | subList.clear(); |
| 289 | if (exc != null) { |
| 290 | throw new ProviderException(exc); |
| 291 | } |
| 292 | } |
| 293 | |
| 294 | } |
| 295 | |
| 296 | } |