Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8235215

SunPKCS11 connection lost after Decrypt doFinal (noPadding)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • P4
    • None
    • openjdk8u232
    • security-libs
    • None

    Description

      Reported by hubert.debordeaux@thalesgroup.com
      --------------------------
      Hello,
      Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT with no padding.
      We use a SunPKCS11 provider linked to a Network HSM.
      After a DECRYPT command (DES or AES) NOPADDING, we noticed the log : "Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1"
      All following commands failed with error : CKR_USER_NOT_LOGGED_IN

      After a quick investigation, it looks like the fix JDK-8228565 done in P11Cipher.java is the root cause of this new behavior.
      ....
      // Special handling to match SunJCE provider behavior
                      if (bytesBuffered == 0 && padBufferLen == 0) {
                          return 0;
                      }
      ....
      } finally {
                   reset(doCancel); // doCancel is true, so killSession is called.
               }

      This is a source code to reproduce the problem:
      SunPKCS11 p = new SunPKCS11(configName); // config to Network HSM
      p.setCallbackHandler(handler); // Handler for password
               Security.addProvider(p);
              
               KeyStore.CallbackHandlerProtection chp =
                       new KeyStore.CallbackHandlerProtection(handler);
                   KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
               KeyStore keystore = builder.getKeyStore();
              SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", null);
              
               Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
               IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
               // cipher a text
               cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
               byte[] clearData = "clear text111111".getBytes();
               byte[] cipheredData = cipher.doFinal(clearData);
                  // Decipher the result
               cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
               byte[] clearTextResult = cipher.doFinal(cipheredData);
      // display the result
      System.out.println(new String(clearTextResult)); // So far, no problem
              
                    // Try another cipher
               cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
      byte[] clearData2 = "clear text222222".getBytes();
              byte[] cipheredData2 = cipher.doFinal(clearData);
      // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN

      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
      at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
      at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)

              
      Workarounds:
      . use the SunPkcs11 jar file from openJDK 8_222
      . add a login after every decrypt commands
      . use PKCS5Padding when possible

      Attachments

        Issue Links

          Activity

            People

              valeriep Valerie Peng
              valeriep Valerie Peng
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: