JDK-8236512

PKCS11 Connection closed after Cipher.doFinal and NoPadding


        ADDITIONAL SYSTEM INFORMATION :
        openJDK 8_232, Windows 10, PKCS11 SUN provider with a network equipment (HSM)

        A DESCRIPTION OF THE PROBLEM :
        (This problem has been noticed with 8_232 release.)
        When using a Cipher instance (AES or DES) with NoPadding, the connection with the PKCS11 equipment is closed:
        Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1

        It looks like, after JDK-8228565, specific handling has been added:
            // Special handling to match SunJCE provider behavior
            if (bytesBuffered == 0 && padBufferLen == 0) {
                return 0;
            }
        In that case (NoPadding), the doFinal returns and calls the 'reset' in the finally block. (doCancel is true)




        REGRESSION : Last worked in version 8u231

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Cipher some clear data, with random padding to an 8- or 16-byte block (DESede or AES) --> OK
        2. Decipher the result using the same algo --> OK
        3. Try another cipher --> failed (CKR_USER_NOT_LOGGED_IN)


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        We expect Step 3 to return a new ciphered result.
        ACTUAL -
        At the end of step 2, the pkcs11 layer logs: Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
        At step 3, an error is returned : CKR_USER_NOT_LOGGED_IN

        ---------- BEGIN SOURCE ----------
        import java.security.KeyStore;
        import java.security.KeyStore.SecretKeyEntry;
        import java.security.Security;
        import javax.crypto.Cipher;
        import javax.crypto.spec.IvParameterSpec;
        import sun.security.pkcs11.SunPKCS11;

        // configName (PKCS11 config file path) and handler (a CallbackHandler) are defined elsewhere
        SunPKCS11 p = new SunPKCS11(configName); // pkcs11 config file to HSM equipment
        p.setCallbackHandler(handler); // login handler to PKCS11 layer
        Security.addProvider(p);
        // Initialize keystore
        KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(handler);
        KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
        KeyStore keystore = builder.getKeyStore();
        // Load a secret key handle
        SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MySecretKeyAlias", null);
        // Cipher some clear text with NoPadding
        Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
        IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
        cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearData = "clear text111111".getBytes();
        byte[] cipheredData = cipher.doFinal(clearData);
        // Decipher the result
        cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearTextResult = cipher.doFinal(cipheredData);
        // Output the clear result
        System.out.println(new String(clearTextResult));
        // Try another cipher
        cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearData2 = "clear text222222".getBytes();
        byte[] cipheredData2 = cipher.doFinal(clearData2);

        --> Fails


        sunpkcs11: login succeeded
        Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
        clear text111111
        Exception in thread "main" java.security.ProviderException: update() failed
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:629)
        at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:526)
        at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:555)
        at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:541)
        at javax.crypto.Cipher.doFinal(Cipher.java:2164)
        Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
        ... 5 more

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Wrapping all cipher and decipher calls with :
         ((sun.security.pkcs11.SunPKCS11)p).login(null, handler);

        FREQUENCY : always
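
The customer workaround above, narrowed to re-login only when the failure actually occurs, as an added example (not code from the report or from the JDK). `Pkcs11Relogin`, `isNotLoggedIn` and `withRelogin` are hypothetical names, and it is an assumption that matching the `CKR_USER_NOT_LOGGED_IN` name in the exception message and retrying once after `login` is sufficient on an affected build.

```java
import java.security.AuthProvider;
import java.security.ProviderException;
import java.util.concurrent.Callable;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

/** Hypothetical helper (added example): retry a PKCS11 cipher call after re-login. */
public final class Pkcs11Relogin {
    // Error name as it appears in the stack trace in the report.
    private static final String NOT_LOGGED_IN = "CKR_USER_NOT_LOGGED_IN";

    private Pkcs11Relogin() {}

    /** True if any exception in the cause chain carries the PKCS#11 error name. */
    static boolean isNotLoggedIn(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String m = c.getMessage();
            if (m != null && m.contains(NOT_LOGGED_IN)) return true;
        }
        return false;
    }

    /**
     * Runs op; on CKR_USER_NOT_LOGGED_IN, logs in again and runs op once more.
     * op must call Cipher.init itself so the retry starts a fresh operation, e.g.
     *   withRelogin(p, handler, () -> { cipher.init(mode, key, iv); return cipher.doFinal(data); });
     * Unrelated ProviderExceptions and a second failure are propagated unchanged.
     */
    public static <T> T withRelogin(AuthProvider p, CallbackHandler handler, Callable<T> op)
            throws Exception {
        try {
            return op.call();
        } catch (ProviderException e) {
            if (!isNotLoggedIn(e)) throw e;
            try {
                p.login(null, handler); // same call as the reported workaround
            } catch (LoginException le) {
                le.addSuppressed(e);    // keep the original failure for diagnosis
                throw le;
            }
            return op.call();           // single retry only, so a real lockout is not hammered
        }
    }
}
```

`SunPKCS11` extends `java.security.AuthProvider`, so the provider `p` from the reproducer can be passed without a cast to the internal class.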


              valeriep Valerie Peng
              webbuggrp Webbug Group