- Bug
- Resolution: Fixed
- P3
- 13, 14
- b22
- x86_64
- linux
- Not verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8241359 | 13.0.3 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8233470 | 11.0.7-oracle | Sean Coffey | P3 | Resolved | Fixed | b01 |
JDK-8237828 | 11.0.7 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8292875 | openjdk8u352 | Andrew Hughes | P3 | Resolved | Fixed | b05 |
JDK-8310185 | 8u391 | Nibedita Jena | P3 | Resolved | Fixed | b02 |
ADDITIONAL SYSTEM INFORMATION :
CentOS 6
OpenJDK 13.0.1
PKCS11 driver is LunaHSM cryptoki2 64-bit version 6 (/usr/safenet/lunaclient/lib/libCryptoki2_64.so)
A DESCRIPTION OF THE PROBLEM :
When generating RSASSA-PSS signatures using SunPKCS11, it generates the error: "RSA key must be at least 1024 bytes" even though I have a 2048-bit RSA key.
P11PSSSignature.java:352 checks the min and max key length fetched from Mechanism Info but checks the key lengths in bytes instead of bits, which is defined in PKCS11 v2.40 http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf section 2.1.10.
To fix this, row 345 in P11PSSSignature should be changed from
keySize = (((P11Key) key).length() + 7) >> 3;
to something like:
keySize = ((P11Key) key).length();
and row 347:
keySize = ((RSAKey) key).getModulus().bitLength() >> 3;
to something like:
keySize = ((RSAKey) key).getModulus().bitLength();
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a SUNPKCS11 Provider with a PKCS11 library that returns Mechanism Info according to PKCS11 2.40, such as Safenet LUNA HSM Version 6.
Create a signature with:
```java
// sunPKCS11Provider, privateKey (2048-bit RSA key on the token) and signData
// are set up by the caller before this fragment runs.
Signature signature = Signature.getInstance("RSASSA-PSS", sunPKCS11Provider);
signature.setParameter(new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA256"), 222, 1));
signature.initSign(privateKey);
signature.update(signData);
byte[] signatureData = signature.sign();
```
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Signature should be generated.
ACTUAL -
The signature operation generates a java.security.InvalidKeyException: RSA key must be at least 1024 bytes
FREQUENCY : always
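The unit mismatch described in the report, reproduced without an HSM, as an added example that is not part of the original report or the JDK source. The limits, the class name and the `checkRange` helper are constructed for illustration, and a software-generated 2048-bit key stands in for the token key.

```java
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;

public class PssKeySizeUnitsDemo {
    // Constructed sample limits, in bits, standing in for the min/max key
    // sizes a PKCS#11 v2.40 token reports in its Mechanism Info (assumed values).
    static final long MIN_KEY_SIZE_BITS = 1024;
    static final long MAX_KEY_SIZE_BITS = 8192;

    // Hypothetical stand-in for the provider's range check; not the JDK code.
    static void checkRange(long keySize, String unit) throws InvalidKeyException {
        if (keySize < MIN_KEY_SIZE_BITS) {
            throw new InvalidKeyException(
                "RSA key must be at least " + MIN_KEY_SIZE_BITS + " " + unit);
        }
        if (keySize > MAX_KEY_SIZE_BITS) {
            throw new InvalidKeyException(
                "RSA key must be at most " + MAX_KEY_SIZE_BITS + " " + unit);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAKey key = (RSAKey) kpg.generateKeyPair().getPrivate();
        int bits = key.getModulus().bitLength(); // 2048

        // As reported: the key size is converted to bytes (2048 >> 3 = 256)
        // and then compared with limits that the token expresses in bits.
        try {
            checkRange(bits >> 3, "bytes");
            System.out.println("byte-based check: accepted");
        } catch (InvalidKeyException e) {
            System.out.println("byte-based check: " + e.getMessage());
        }

        // As proposed in the report: compare bits with bits.
        checkRange(bits, "bits");
        System.out.println("bit-based check: accepted (" + bits + " bits)");
    }
}
```

The byte-based comparison also weakens the upper bound, because a key size in bytes is eight times smaller than the bit limit it is compared against.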
backported by:
- JDK-8233470 SUNPKCS11 Provider incorrectly check key length for PSS Signatures. (Resolved)
- JDK-8237828 SUNPKCS11 Provider incorrectly check key length for PSS Signatures. (Resolved)
- JDK-8241359 SUNPKCS11 Provider incorrectly check key length for PSS Signatures. (Resolved)
- JDK-8292875 SUNPKCS11 Provider incorrectly check key length for PSS Signatures. (Resolved)
- JDK-8310185 SUNPKCS11 Provider incorrectly check key length for PSS Signatures. (Resolved)