JDK-6676643

Improve current C_GetAttributeValue native implementation


Details

    Description

      FULL PRODUCT VERSION :
      java version "1.6.0_03"
      Java(TM) SE Runtime Environment (build 1.6.0_03-b05)
      Java HotSpot(TM) Client VM (build 1.6.0_03-b05, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows XP [Version 5.1.2600]

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Was using a JCOP41 smart card with the Musclecard applet and the Musclecard PKCS11.

      A DESCRIPTION OF THE PROBLEM :
      Follow-up to a previous report. The behavior of the native implementation of the PKCS11 C_GetAttributeValue doesn't follow the PKCS11 standard. Basically, it throws an error if an attribute is unretrievable due to access control or non-existence. PKCS11 identifies these as non-error conditions.

      This has some interesting side effects on trying to integrate new PKCS11 libs with the JAVA code - specifically, it's difficult or impossible to detect which attributes the java PKCS11 code is expecting and to adapt the other code to conform.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) Go through the process of initializing a sun.security.pkcs11.wrapper.PKCS11 object
      2) Open a session
      3) Log in to the token.
      4) Call the C_GetAttributeValue(...) method of sun.security.pkcs11.wrapper.PKCS11 with a CK_ATTRIBUTE[] template with extraneous attributes.


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Should return the template array with missing or sensitive attributes set to NULL
      ACTUAL -
      Throws a PKCS11Exception

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID
              at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
              at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_GetAttributeValue(PKCS11.java:1552)
              at TestPKCS11.main(TestPKCS11.java:89)


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------

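      // Fragment: pk is an initialized sun.security.pkcs11.wrapper.PKCS11 and
      // sessionid an open, logged-in session; the CKA_*/CKO_* constants are
      // statically imported from sun.security.pkcs11.wrapper.PKCS11Constants.

      // Search template: every public key object on the token.
      CK_ATTRIBUTE[] template = {
          new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY)
      };

      pk.C_FindObjectsInit(sessionid, template);

      long[] objs = pk.C_FindObjects(sessionid, 10L);
      if (objs.length > 0) {
          System.out.printf("Found: %d objects%n", objs.length);

          for (long y : objs) {
              // Attributes to read back from each object found.
              CK_ATTRIBUTE[] xtemp = {
                  new CK_ATTRIBUTE(CKA_KEY_TYPE),
                  new CK_ATTRIBUTE(CKA_LABEL)
              };

              // The call that throws the PKCS11Exception shown above.
              pk.C_GetAttributeValue(sessionid, y, xtemp);
              for (CK_ATTRIBUTE attr : xtemp) {
                  System.out.println(attr);
              }
          }
      }

      pk.C_FindObjectsFinal(sessionid);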

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      I modified the return codes from C_GetAttributeValue in my code to return CKR_OK instead of CKR_ATTRIBUTE_SENSITIVE or CKR_ATTRIBUTE_TYPE_INVALID - but that may have other side effects.
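
The PKCS#11 behavior the report relies on, as an added example that is not part of the original report or of the JDK sources: the specification states that CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID and CKR_BUFFER_TOO_SMALL are not true errors for C_GetAttributeValue, and that every template entry has still been processed when one of them is returned. The typedefs are stand-ins for pkcs11t.h, `mock_C_GetAttributeValue` is a constructed token with the session and object handles left out, and `get_attrs_tolerant` is a hypothetical caller-side wrapper.

```c
#include <string.h>
/* Stand-ins for pkcs11t.h definitions so the example builds alone. */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0x000, CKR_ARGUMENTS_BAD = 0x007, CKR_ATTRIBUTE_SENSITIVE = 0x011,
       CKR_ATTRIBUTE_TYPE_INVALID = 0x012, CKR_BUFFER_TOO_SMALL = 0x150 };
enum { CKA_LABEL = 0x003, CKA_VALUE = 0x011, CKA_KEY_TYPE = 0x100, CKA_ID = 0x102 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)
/* Constructed mock token call (handles omitted): the object has a label and
   a key type, a sensitive CKA_VALUE, and no other attributes. */
CK_RV mock_C_GetAttributeValue(CK_ATTRIBUTE *t, CK_ULONG n) {
    static const CK_ULONG key_type = 0;               /* CKK_RSA */
    CK_RV rv = CKR_OK;
    if (!t) return CKR_ARGUMENTS_BAD;                 /* a true error */
    for (CK_ULONG i = 0; i < n; i++) {
        const void *src = NULL; CK_ULONG len = 0;
        if (t[i].type == CKA_LABEL) { src = "mykey"; len = 5; }
        if (t[i].type == CKA_KEY_TYPE) { src = &key_type; len = sizeof key_type; }
        if (src && (!t[i].pValue || t[i].ulValueLen >= len)) {
            if (t[i].pValue) memcpy(t[i].pValue, src, len);
            t[i].ulValueLen = len;                    /* value or length query */
            continue;
        }
        t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; /* keep processing the rest */
        rv = src ? CKR_BUFFER_TOO_SMALL : t[i].type == CKA_VALUE
                 ? CKR_ATTRIBUTE_SENSITIVE : CKR_ATTRIBUTE_TYPE_INVALID;
    }
    return rv;
}

/* Caller side: the three non-fatal codes mean every entry was processed.
   Returns how many attributes were unavailable (pValue set to NULL), or -1. */
long get_attrs_tolerant(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = mock_C_GetAttributeValue(t, n);
    long unavailable = 0;
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_SENSITIVE &&
        rv != CKR_ATTRIBUTE_TYPE_INVALID && rv != CKR_BUFFER_TOO_SMALL)
        return -1;                                    /* real failure */
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
            t[i].pValue = NULL;     /* sensitive, absent, or buffer too small */
            unavailable++;
        }
    return unavailable;
}
int main(void) {   /* label is readable, CKA_VALUE is sensitive: expect 1 */
    char buf[8]; CK_ATTRIBUTE t[] = {{CKA_LABEL, buf, sizeof buf}, {CKA_VALUE, NULL, 0}};
    return get_attrs_tolerant(t, 2) == 1 ? 0 : 1;
}
```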

            People

              valeriep Valerie Peng
              ndcosta Nelson Dcosta (Inactive)