- Bug
- Resolution: Unresolved
- P4
- None
- 8u121
- x86_64
- linux
FULL PRODUCT VERSION :
/usr/local/jdk1.8.0_121/bin/java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
uname -a
Linux centos68 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
When using TLS 1.2 with our JCA provider for Luna HSMs registered in the provider list, a TlsRsaPremasterSecretParameterSpec is passed into the engineInit method as the AlgorithmParameterSpec for our RSA PKCS1v1.5 Cipher.
The following is the stack trace:
java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1476) ~[?:1.8.0_121]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_121]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_121]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_121]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_121]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:525) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:322) ~[jetty-server-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:231) ~[jetty-server-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:202) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[jetty-util-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[jetty-util-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[jetty-util-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[jetty-util-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[jetty-util-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:200) ~[?:1.8.0_121]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:249) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_121]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_121]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:630) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: PKCS#1v1.5 padding doesn't use parameters
at com.safenetinc.luna.provider.cipher.LunaCipherRSAPKCS.engineInit(LunaCipherRSAPKCS.java:64) ~[LunaProvider.jar:?]
at javax.crypto.Cipher.implInit(Cipher.java:806) ~[?:1.8.0_121]
at javax.crypto.Cipher.chooseProvider(Cipher.java:864) ~[?:1.8.0_121]
at javax.crypto.Cipher.init(Cipher.java:1396) ~[?:1.8.0_121]
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:146) ~[?:1.8.0_121]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:249) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_121]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_121]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:630) ~[jetty-io-9.3.14.v20161028patch1.jar:9.3.14.v20161028patch1]
... 14 more
The LunaProvider must be higher priority in the provider list than com.sun.crypto.provider.SunJCE to see the issue.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
This algorithm parameter spec has the status of "@deprecated Sun JDK internal use only --- WILL BE REMOVED in a future release" and should not be passed by JSSE to a JCA provider.
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use TLSv1.1 or place the JCA provider with lower priority than com.sun.crypto.provider.SunJCE in the provider list.
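The provider-ordering workaround above can be checked and applied at runtime as follows. This is an added example, not code from the bug report or from the JDK; the class name, the method names and the placeholder provider name are assumptions, and the HSM provider's registered name has to be supplied by the caller.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderOrderCheck {
    // 1-based position of a registered provider, or -1 if it is not installed.
    static int positionOf(String name) {
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            if (all[i].getName().equals(name)) return i + 1;
        }
        return -1;
    }

    // Moves the named provider to the slot directly after SunJCE when it
    // currently precedes it. Returns true only if the order was changed.
    static boolean demoteBelowSunJce(String name) {
        int pos = positionOf(name);
        int sunJce = positionOf("SunJCE");
        if (pos < 0 || sunJce < 0 || pos > sunJce) return false;
        Provider p = Security.getProvider(name);
        Security.removeProvider(name);
        // Removal shifts SunJCE up to sunJce - 1, so slot sunJce is right after it.
        Security.insertProviderAt(p, sunJce);
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the HSM provider's registered name is the first argument.
        String hsm = args.length > 0 ? args[0] : "PLACEHOLDER_HSM_PROVIDER";
        System.out.println("before:  " + hsm + "=" + positionOf(hsm)
                + " SunJCE=" + positionOf("SunJCE"));
        System.out.println("reordered: " + demoteBelowSunJce(hsm));
        System.out.println("after:   " + hsm + "=" + positionOf(hsm)
                + " SunJCE=" + positionOf("SunJCE"));
        // Standard JCA name for RSA with PKCS#1 v1.5 padding; getProvider()
        // reports the first provider in the list that offers it.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        System.out.println("RSA/ECB/PKCS1Padding served by: "
                + rsa.getProvider().getName());
    }
}
```

The reordering is process-wide and needs to run before any SSLContext is created; the static equivalent is the order of the `security.provider.N` entries in the JRE's `java.security` file.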