- Bug
- Resolution: Fixed
- P3
- 7u6
- b03
- x86
- linux
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8001706 | 7u40 | Bradford Wetmore | P3 | Closed | Fixed | b01 |
FULL PRODUCT VERSION :
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux satul-test 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Mozilla NSS as documented in
http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#NSS
A DESCRIPTION OF THE PROBLEM :
Up until jre7u5 everything was working fine using NSS 3.4.12.
Recently I updated to jre7u6 and the SSL handshake started failing. The same problem is there in the latest jre7u7 also.
When I compared the sun.security.pkcs11.wrapper.PKCS11 class, I see that two new methods were added in u6 which might have broken the PKCS11 interface with NSS. I cannot find any doc or release notes which mention this change.
public native byte[] C_GetOperationState(long l)
throws PKCS11Exception;
public native void C_SetOperationState(long l, byte abyte0[], long l1, long l2)
throws PKCS11Exception;
==========
The exception trace I am getting:
java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
    at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
    at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
    at java.security.MessageDigest$Delegate.clone(Unknown Source)
    at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
    at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
REGRESSION. Last worked in version 7
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Download NSS 3.12.4. It is currently available at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/
2) Extract and rename nss-3.12.4.tar.gz to /root/nss/
3) Execute the following commands in a shell to create and configure the NSS database.
export LD_LIBRARY_PATH=/root/nss/lib/
cd /root/nss/
mkdir db
/root/nss/bin/modutil -create -dbdir db/
/root/nss/bin/modutil -fips true -dbdir db/
/root/nss/bin/modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir db/
(A strong password like 'Password123!' is required.)
4) Now insert a key pair into NSS. For that we first create a .jks file, convert it to .p12 format and insert the .p12 into NSS.
4.1) Create a new jks (test.jks) using keytool command.
4.2) Convert .jks to .p12
/jre/bin/keytool -importkeystore -srckeystore /root/nss/test.jks -srcalias test -destkeystore /root/nss/test.p12 -deststoretype PKCS12
4.3) Import the key pair into NSS
/root/nss/bin/pk12util -d /root/nss/db -i /root/nss/test.p12
Now we have an NSS database which contains a key pair which is ready to be used by the Java program.
5) Execute the sample Java program, which will listen on an SSL server socket and try to initiate an SSL handshake from a similar client program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
SSL handshake goes through fine. (Up until jre7 u5)
ACTUAL -
Getting UnsatisfiedLink error (From jre7 u6 onwards)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
    at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
    at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
    at java.security.MessageDigest$Delegate.clone(Unknown Source)
    at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
    at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
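
A startup self-test for the failure shown in the trace above, added here as an example and not taken from the report or from the JDK: it calls clone() on the MD5 and SHA-1 MessageDigest of every registered provider and reports any that throw or return a diverging digest. It assumes the NSS-backed SunPKCS11 provider is registered in java.security; the class name DigestCloneProbe and the sample input are made up, and SHA-1 is probed alongside MD5 because TLS 1.0/1.1 Finished messages hash the handshake with both.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

/** Added example: probes MessageDigest.clone() on every installed provider. */
public class DigestCloneProbe {
    // MD5 is the digest cloned in the reported trace (getMD5Clone);
    // SHA-1 is an assumption added here, see the lead-in.
    static final String[] ALGS = {"MD5", "SHA-1"};

    /** Returns null when clone() works and agrees with the original, else a description. */
    static String probe(Provider p, String alg) {
        try {
            MessageDigest md = MessageDigest.getInstance(alg, p);
            md.update("handshake-bytes".getBytes("UTF-8")); // constructed sample input
            // This is the call that fails in the report when the native
            // method behind the provider's digest clone cannot be linked.
            MessageDigest copy = (MessageDigest) md.clone();
            byte[] fromCopy = copy.digest();
            byte[] fromOriginal = md.digest();
            return Arrays.equals(fromCopy, fromOriginal)
                    ? null : "clone produced a different digest";
        } catch (Throwable t) {
            // Throwable on purpose: UnsatisfiedLinkError is an Error, and
            // providers without clone support throw CloneNotSupportedException.
            return t.toString();
        }
    }

    public static void main(String[] args) {
        int failures = 0;
        for (Provider p : Security.getProviders()) {
            for (String alg : ALGS) {
                if (p.getService("MessageDigest", alg) == null) {
                    continue; // this provider does not offer the digest
                }
                String err = probe(p, alg);
                System.out.println(p.getName() + " " + alg + ": "
                        + (err == null ? "clone OK" : "FAILED " + err));
                if (err != null) {
                    failures++;
                }
            }
        }
        System.exit(failures == 0 ? 0 : 1); // non-zero exit lets a deployment check fail fast
    }
}
```

Running this once after a JRE update shows whether a PKCS#11-backed digest can still be cloned before any TLS handshake depends on it.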
- backported by: JDK-8001706 UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6 + (Closed)