Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8001284

Buffer problems with SunPKCS11-Solaris and CKM_AES_CTR

XMLWordPrintable

    • 7
    • b91
    • generic
    • solaris
    • Verified

      SYNOPSIS
      --------
      Buffer problems with SunPKCS11-Solaris and CKM_AES_CTR

      OPERATING SYSTEM
      ----------------
      Solaris 10/11

      FULL JDK VERSION
      ----------------
      Java 7 (tested with 7u7)

      PROBLEM DESCRIPTION
      ---------------------------------------
      We have a testcase that fails on machines where the CKM_AES_CTR mechanism is available via the SunPKCS11-Solaris provider. The same testcase passes with other providers (e.g. SunJCE, and XYZ providers).

      We have seen different manifestations of the problem on different levels of Solaris. On Solaris 10 we see failures like this:

      Exception in thread "main" java.lang.RuntimeException: java.security.ProviderException: javax.crypto.ShortBufferException
              at test.TestEncryption.drainStream(TestEncryption.java:51)
              at test.TestEncryption.main(TestEncryption.java:34)
      Caused by: java.security.ProviderException: javax.crypto.ShortBufferException
              at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:488)
              at javax.crypto.Cipher.update(Cipher.java:1754)
              at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
              at javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
              at javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
              at test.TestEncryption.drainStream(TestEncryption.java:42)
              ... 1 more
      Caused by: javax.crypto.ShortBufferException
              at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:595)
              at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:496)
              at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:484)
              ... 6 more
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_BUFFER_TOO_SMALL
              at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
              at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:583)
              ... 8 more

      and on Solaris 11 we see the following:

      Exception in thread "main" java.lang.RuntimeException:
      java.lang.ArrayIndexOutOfBoundsException
              at test.TestEncryption.drainStream(TestEncryption.java:122)
              at test.TestEncryption.main(TestEncryption.java:105)
      Caused by: java.lang.ArrayIndexOutOfBoundsException
              at java.lang.System.arraycopy(Native Method)
              at sun.security.pkcs11.P11Util.convert(P11Util.java:106)
              at
      sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:485)
              at javax.crypto.Cipher.update(Cipher.java:1753)
              at
      javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
              at
      javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
              at
      javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
              at test.TestEncryption.drainStream(TestEncryption.java:113)
              ... 1 more
             
      I understand that the JDK's provider in this case is a thin wrapper around the native Solaris PKCS library, so this may be an issue in the Solaris OS rather than the JDK.

      TESTCASE
      -----------------
      Attached

      REPRODUCTION INSTRUCTIONS
      -------------------------
      1. Ensure that the CKM_AES_CTR mechanism is available to user-level
         applications by checking the output of "cryptoadm list -m". We were
         not able to access this provider on a T1 box (but we could on a T3
         box).
      2. Compile and run the attached testcase.
      3. Observe a failure/Exception, as described in the Description above.

      WORKAROUND
      ----------
      Specify the SunJCE provider explicitly in the code. This works, but it is not acceptable because it is not platform neutral (i.e. this fails on other vendors JDKs).

            ascarpino Anthony Scarpino
            dkorbel David Korbel (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: