-
Bug
-
Resolution: Incomplete
-
P4
-
None
-
8u77
-
x86_64
-
linux
FULL PRODUCT VERSION :
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux localhost.localdomain 4.4.6-301.fc23.x86_64 #1 SMP Wed Mar 30 16:43:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Thales nShield HSM with Security World software v12.10, and associated PKCS#11 provider (/opt/nfast/toolkits/pkcs11/libcknfast.so). Note that this setup requires that the HSM belong to a valid Security World.
A DESCRIPTION OF THE PROBLEM :
1. Create sample code:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
PKCS#11 debugging:
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_GetFunctionList
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > ppFunctionList 0x7fd9ac1190c8
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_Initialize
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > voidp 0x7fd9ac116470
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> 2.19.1cam9
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_tweakflags
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Turn on loadsharing
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Ignore accelerator slots
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_mutexes
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CK_C_INITIALIZE_ARGS flags 0x2
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CKF_OS_LOCKING_OK, use default mutex callbacks
016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList (nil)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList 0x7fd9ac134300
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pSlotList[0] 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50b0630
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pInfo->flags 0x0000020D
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_OpenSession
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *phSession 0x000008CB
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList (nil)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 140573022029280
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList 0x7fd9ac13faf0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 106
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D mechanism CKM_NC_AES_CMAC_KEY_DERIVATION_SCP03 disabled
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x00000000
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50aefc0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 Application error: NFC__lookup_slot CK_INVALID_HANDLE
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000003 (CKR_SLOT_ID_INVALID)
java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
at java.security.Security.insertProviderAt(Security.java:360)
at java.security.Security.addProvider(Security.java:403)
at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37)
at SunPKCS11Sample.main(SunPKCS11Sample.java:57)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365)
... 17 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create and execute the following sample code:
1. Create sample code:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Key should just load based on the following code:
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
ACTUAL -
java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
at java.security.Security.insertProviderAt(Security.java:360)
at java.security.Security.addProvider(Security.java:403)
at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37)
at SunPKCS11Sample.main(SunPKCS11Sample.java:57)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365)
... 17 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Workaround is to use the following version of OpenJDK 1.8:
penjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux localhost.localdomain 4.4.6-301.fc23.x86_64 #1 SMP Wed Mar 30 16:43:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Thales nShield HSM with Security World software v12.10, and associated PKCS#11 provider (/opt/nfast/toolkits/pkcs11/libcknfast.so). Note that this setup requires that the HSM belong to a valid Security World.
A DESCRIPTION OF THE PROBLEM :
1. Create sample code:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
PKCS#11 debugging:
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_GetFunctionList
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > ppFunctionList 0x7fd9ac1190c8
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_Initialize
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > voidp 0x7fd9ac116470
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> 2.19.1cam9
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_tweakflags
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Turn on loadsharing
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Ignore accelerator slots
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_mutexes
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CK_C_INITIALIZE_ARGS flags 0x2
2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CKF_OS_LOCKING_OK, use default mutex callbacks
016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList (nil)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList 0x7fd9ac134300
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pSlotList[0] 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50b0630
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pInfo->flags 0x0000020D
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_OpenSession
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *phSession 0x000008CB
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList (nil)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 140573022029280
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList 0x7fd9ac13faf0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 106
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D mechanism CKM_NC_AES_CMAC_KEY_DERIVATION_SCP03 disabled
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK)
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x00000000
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50aefc0
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 Application error: NFC__lookup_slot CK_INVALID_HANDLE
2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000003 (CKR_SLOT_ID_INVALID)
java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
at java.security.Security.insertProviderAt(Security.java:360)
at java.security.Security.addProvider(Security.java:403)
at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37)
at SunPKCS11Sample.main(SunPKCS11Sample.java:57)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365)
... 17 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create and execute the following sample code:
1. Create sample code:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Key should just load based on the following code:
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
ACTUAL -
java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
at sun.security.jca.Providers.getFullProviderList(Providers.java:173)
at java.security.Security.insertProviderAt(Security.java:360)
at java.security.Security.addProvider(Security.java:403)
at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37)
at SunPKCS11Sample.main(SunPKCS11Sample.java:57)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365)
... 17 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyPairGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
import java.security.Key;
import java.security.PublicKey;
import java.security.KeyPair;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import sun.security.pkcs11.SunPKCS11;
public class SunPKCS11Sample {
private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray();
private SunPKCS11Sample(){
ByteArrayOutputStream byteStream = new ByteArrayOutputStream();
PrintStream ps = new PrintStream(byteStream);
ps.println("name = nCipher");
ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so");
ps.println("attributes = compatibility");
ps.println("slotListIndex = 0");
InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
Provider pkcs11Provider = new SunPKCS11(config);
Security.addProvider(pkcs11Provider);
}
private void run() throws Exception{
try {
KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher"
);
//KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, CARDSET_PASSPHRASE );
Key mykey = ks.getKey("test123", null);
} catch ( Exception e) {
System.out.println("Error with keystore.");
}
}
public static void main(String [] args) {
try {
(new SunPKCS11Sample()).run();
}catch (Throwable e){
e.printStackTrace();
System.exit(1);
}
System.exit(0);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Workaround is to use the following version of OpenJDK 1.8:
penjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)