Bug
Resolution: Not an Issue
P3
6u18
sparc
solaris_10
Problem
========
It seems that since JDK6u13++, if one uses the SunPKCS11 module
with symmetric key encryption, one is likely to get a
PKCS11 error in Java (CKR_ARGUMENTS_BAD).
Simple example:
===============
import javax.crypto.*;
import java.security.*;
public class SmallTest2 {
    public static void main(String args[])
            throws Exception {
        Provider nss = new sun.security.pkcs11.SunPKCS11(args[0]);
        Security.insertProviderAt(nss, 1);
        KeyGenerator kg = KeyGenerator.getInstance("DES");
        kg.init(56, new SecureRandom());
        System.out.println("SKeyGenerator provider: " + kg.getProvider());
        SecretKey skey = kg.generateKey();
        System.out.println("SecretKey: " + skey.getAlgorithm());
        Cipher sciph = Cipher.getInstance(skey.getAlgorithm());
        System.out.println("SCipher provider: " + sciph.getProvider());
        sciph.init(Cipher.ENCRYPT_MODE, skey);
        sciph.doFinal("SmallTesting".getBytes("UTF-8"));
        System.out.println("------------------");
        System.out.println();
    }
}
Takes an nss.cfg as its argument. (Sample in
https://www.opends.org/wiki/page/EllipticCurveCryptography)
=============
TEST RESULTS: On Solaris
=============
On JDK5, it works too
On JDK6u12 and earlier: Runs OK
On JDK6u14 to 18: BROKEN
SKeyGenerator provider: SunPKCS11-NSS version 1.6
SecretKey: DES
SCipher provider: SunPKCS11-NSS version 1.6
Exception in thread "main" java.security.ProviderException: update() failed
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:548)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:448)
at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:476)
at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:462)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at SmallTest2.main(SmallTest2.java:16)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:501)
... 5 more
Example nss.cfg
===============
name=NSS
nssLibraryDirectory=/nss3125/lib
nssDbMode=noDb
attributes=compatibility
showInfo=true
Anyway, it seems that the diff of the working and non-working traces
shows that the default KeyGenerator.getInstance(...)
is different (which is also the workaround, e.g. passing
SunJCE as the provider).
--- trace-ok.txt Wed Mar 3 10:34:37 2010
+++ trace-fail.txt Wed Mar 3 10:32:23 2010
@@ -500,8 +500,6 @@
ulMinKeySize: 16
ulMaxKeySize: 32
flags: 393984 = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
-SKeyGenerator provider: SunJCE version 1.6
+SKeyGenerator provider: SunPKCS11-NSS version 1.6
SecretKey: DES
-SCipher provider: SunJCE version 1.6
-------------------
-
+SCipher provider: SunPKCS11-NSS version 1.6
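Review bot: both the "SKeyGenerator provider" and the "SCipher provider" lines flip from SunJCE to SunPKCS11-NSS in this hunk, so the comparison changes two things at once and cannot show whether key generation or the cipher operation is what leads to the failure. A third trace that pins only one of the two to SunJCE would separate them. The ulMinKeySize, ulMaxKeySize and flags lines are unchanged context, so the mechanism info reported at that point is the same in both runs.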
=====================
Further information.
=====================
- Without using NSS as the Softoken PKCS11, things work
(and in JDK6u18, SunPKCS11-Solaris also works)
- Now as a WORKAROUND for NSS, it either means
that the PKCS11 module does not work with DES
It seems that if we add
disabledMechanisms = {
CKM_DES_ECB
CKM_DES_CBC
}
it works. (Specifically, CKM_DES_ECB is the one actually needed,
and the testcase will work.)
Further, changing the code so that the input is 8-byte aligned
makes the testcase work. That means that
NSS does not support any algorithm for non-8-byte-aligned input
(or PADDING).
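The provider-pinning workaround and the 8-byte alignment observation above, as an added example (not code from the original report). It requests DES from SunJCE by name and spells out the transformation; the class name DesProviderPinning is an assumption, and the block shows SunJCE behaviour only, not NSS.

```java
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical class name; illustrates the workaround discussed in the report.
public class DesProviderPinning {
    public static void main(String[] args) throws Exception {
        // Show which provider a bare getInstance("DES") would pick first.
        System.out.println("first provider: " + Security.getProviders()[0].getName());

        // Pin the software provider by name, so a PKCS#11 provider inserted at
        // position 1 (as SmallTest2 does) is not selected for DES.
        KeyGenerator kg = KeyGenerator.getInstance("DES", "SunJCE");
        kg.init(56);
        SecretKey key = kg.generateKey();

        // Same input as SmallTest2: 12 bytes, not a multiple of the 8-byte block.
        byte[] input = "SmallTesting".getBytes("UTF-8");

        // Spell out mode and padding instead of relying on a provider default.
        Cipher padded = Cipher.getInstance("DES/ECB/PKCS5Padding", "SunJCE");
        padded.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = padded.doFinal(input);
        System.out.println("cipher provider: " + padded.getProvider().getName());
        System.out.println("padded: " + input.length + " -> " + ct.length + " bytes");

        // Without padding, unaligned input is rejected by the cipher itself.
        Cipher raw = Cipher.getInstance("DES/ECB/NoPadding", "SunJCE");
        raw.init(Cipher.ENCRYPT_MODE, key);
        try {
            raw.doFinal(input);
            System.out.println("NoPadding accepted unaligned input");
        } catch (IllegalBlockSizeException e) {
            System.out.println("NoPadding rejected unaligned input: " + e.getMessage());
        }

        // Zero-fill to the next multiple of 8 (constructed input), then retry.
        byte[] aligned = Arrays.copyOf(input, 16);
        raw.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("NoPadding, aligned: " + raw.doFinal(aligned).length + " bytes");
    }
}
```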