-
Bug
-
Resolution: Fixed
-
P3
-
7
-
b91
-
generic
-
solaris
-
Verified
SYNOPSIS
--------
Buffer problems with SunPKCS11-Solaris and CKM_AES_CTR
OPERATING SYSTEM
----------------
Solaris 10/11
FULL JDK VERSION
----------------
Java 7 (tested with 7u7)
PROBLEM DESCRIPTION
---------------------------------------
We have a testcase that fails on machines where the CKM_AES_CTR mechanism is available via the SunPKCS11-Solaris provider. The same testcase passes with other providers (e.g. SunJCE, and XYZ providers).
We have seen different manifestations of the problem on different levels of Solaris. On Solaris 10 we see failures like this:
Exception in thread "main" java.lang.RuntimeException: java.security.ProviderException: javax.crypto.ShortBufferException
at test.TestEncryption.drainStream(TestEncryption.java:51)
at test.TestEncryption.main(TestEncryption.java:34)
Caused by: java.security.ProviderException: javax.crypto.ShortBufferException
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:488)
at javax.crypto.Cipher.update(Cipher.java:1754)
at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
at javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
at javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
at test.TestEncryption.drainStream(TestEncryption.java:42)
... 1 more
Caused by: javax.crypto.ShortBufferException
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:595)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:496)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:484)
... 6 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_BUFFER_TOO_SMALL
at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:583)
... 8 more
and on Solaris 11 we see the following:
Exception in thread "main" java.lang.RuntimeException:
java.lang.ArrayIndexOutOfBoundsException
at test.TestEncryption.drainStream(TestEncryption.java:122)
at test.TestEncryption.main(TestEncryption.java:105)
Caused by: java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at sun.security.pkcs11.P11Util.convert(P11Util.java:106)
at
sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:485)
at javax.crypto.Cipher.update(Cipher.java:1753)
at
javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
at
javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
at
javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
at test.TestEncryption.drainStream(TestEncryption.java:113)
... 1 more
I understand that the JDK's provider in this case is a thin wrapper around the native Solaris PKCS library, so this may be an issue in the Solaris OS rather than the JDK.
TESTCASE
-----------------
Attached
REPRODUCTION INSTRUCTIONS
-------------------------
1. Ensure that the CKM_AES_CTR mechanism is available to user-level
applications by checking the output of "cryptoadm list -m". We were
not able to access this provider on a T1 box (but we could on a T3
box).
2. Compile and run the attached testcase.
3. Observe a failure/Exception, as described in the Description above.
WORKAROUND
----------
Specify the SunJCE provider explicitly in the code. This works, but it is not acceptable because it is not platform neutral (i.e. this fails on other vendors JDKs).
--------
Buffer problems with SunPKCS11-Solaris and CKM_AES_CTR
OPERATING SYSTEM
----------------
Solaris 10/11
FULL JDK VERSION
----------------
Java 7 (tested with 7u7)
PROBLEM DESCRIPTION
---------------------------------------
We have a testcase that fails on machines where the CKM_AES_CTR mechanism is available via the SunPKCS11-Solaris provider. The same testcase passes with other providers (e.g. SunJCE, and XYZ providers).
We have seen different manifestations of the problem on different levels of Solaris. On Solaris 10 we see failures like this:
Exception in thread "main" java.lang.RuntimeException: java.security.ProviderException: javax.crypto.ShortBufferException
at test.TestEncryption.drainStream(TestEncryption.java:51)
at test.TestEncryption.main(TestEncryption.java:34)
Caused by: java.security.ProviderException: javax.crypto.ShortBufferException
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:488)
at javax.crypto.Cipher.update(Cipher.java:1754)
at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
at javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
at javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
at test.TestEncryption.drainStream(TestEncryption.java:42)
... 1 more
Caused by: javax.crypto.ShortBufferException
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:595)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:496)
at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:484)
... 6 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_BUFFER_TOO_SMALL
at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:583)
... 8 more
and on Solaris 11 we see the following:
Exception in thread "main" java.lang.RuntimeException:
java.lang.ArrayIndexOutOfBoundsException
at test.TestEncryption.drainStream(TestEncryption.java:122)
at test.TestEncryption.main(TestEncryption.java:105)
Caused by: java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at sun.security.pkcs11.P11Util.convert(P11Util.java:106)
at
sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:485)
at javax.crypto.Cipher.update(Cipher.java:1753)
at
javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:120)
at
javax.crypto.CipherInputStream.read(CipherInputStream.java:224)
at
javax.crypto.CipherInputStream.read(CipherInputStream.java:200)
at test.TestEncryption.drainStream(TestEncryption.java:113)
... 1 more
I understand that the JDK's provider in this case is a thin wrapper around the native Solaris PKCS library, so this may be an issue in the Solaris OS rather than the JDK.
TESTCASE
-----------------
Attached
REPRODUCTION INSTRUCTIONS
-------------------------
1. Ensure that the CKM_AES_CTR mechanism is available to user-level
applications by checking the output of "cryptoadm list -m". We were
not able to access this provider on a T1 box (but we could on a T3
box).
2. Compile and run the attached testcase.
3. Observe a failure/Exception, as described in the Description above.
WORKAROUND
----------
Specify the SunJCE provider explicitly in the code. This works, but it is not acceptable because it is not platform neutral (i.e. this fails on other vendors JDKs).
- relates to
-
JDK-6604496 Support for CKM_AES_CTR (counter mode)
- Closed