- Bug
- Resolution: Fixed
- P4
- 8, 11, 17
- b18
- generic
- generic

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8267024 | 16u-cpu | Christoph Langer | P4 | Resolved | Fixed | master |
JDK-8266538 | 16.0.2 | Christoph Langer | P4 | Resolved | Fixed | b04 |
JDK-8265142 | 11.0.12 | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |
JDK-8265303 | openjdk8u302 | Martin Balao Alonso | P4 | Resolved | Fixed | b01 |

As an example of the previous, when the "AES/ECB/PKCS5Padding" algorithm is used, the underlying mechanism is CKM_AES_ECB and does not involve any padding on the native side. PKCS#11 backends such as the NSS Software Token expect, under these circumstances, that all C_EncryptUpdate calls have an input buffer whose length is a multiple of the block size. Failing to do so results in a CKR_DATA_LEN_RANGE error, as is happening now.

The following code snippet reproduces this bug in the JDK now:

```java
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding", p);
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[16], "AES"));
cipher.update(new byte[1], 0, 1); // 1 byte: not a multiple of the 16-byte block size
```

Note: "p" is a SunPKCS11 instance.

ByteBuffer input buffers can be used to trigger this bug as well:

```java
cipher.update(ByteBuffer.allocate(1), ByteBuffer.allocate(16));
```

What we ought to do is, similarly to Cipher decryption operations, hold the data on the Java side and only make C_EncryptUpdate calls with enough bytes to complete a multiple of the block size.
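
The buffering strategy described above, as an added example that is not the JDK's actual fix or code from this issue. `nativeEncryptUpdate` is a hypothetical stand-in for C_EncryptUpdate with CKM_AES_ECB, backed by the default provider's AES/ECB/NoPadding cipher and made to reject partial blocks; the class, method names and sample plaintext are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.util.Arrays;

public class BlockAlignedEncryptDemo {
    static final int BLOCK = 16;          // AES block size in bytes
    static Cipher token;                  // hypothetical stand-in for the PKCS#11 session
    static byte[] held = new byte[0];     // bytes buffered on the Java side (always < BLOCK)

    // Stand-in for C_EncryptUpdate with CKM_AES_ECB: partial blocks are rejected.
    static byte[] nativeEncryptUpdate(byte[] in) {
        if (in.length % BLOCK != 0) throw new IllegalStateException("CKR_DATA_LEN_RANGE");
        byte[] out = token.update(in);
        return out == null ? new byte[0] : out;
    }
    // Java-side update: append to the buffer, pass whole blocks down, hold the remainder.
    static byte[] update(byte[] in) {
        byte[] all = Arrays.copyOf(held, held.length + in.length);
        System.arraycopy(in, 0, all, held.length, in.length);
        int whole = all.length - (all.length % BLOCK);
        held = Arrays.copyOfRange(all, whole, all.length);
        return whole == 0 ? new byte[0] : nativeEncryptUpdate(Arrays.copyOf(all, whole));
    }
    // Java-side doFinal: PKCS#5 padding is applied here because the mechanism does none.
    static byte[] doFinal() {
        byte[] last = Arrays.copyOf(held, BLOCK);
        Arrays.fill(last, held.length, BLOCK, (byte) (BLOCK - held.length));
        held = new byte[0];
        return nativeEncryptUpdate(last);
    }
    public static void main(String[] args) throws Exception {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // all-zero key, as in the report
        token = Cipher.getInstance("AES/ECB/NoPadding");            // default provider, not SunPKCS11
        token.init(Cipher.ENCRYPT_MODE, key);
        byte[] msg = new byte[37];                                  // constructed sample plaintext
        for (int i = 0; i < msg.length; i++) msg[i] = (byte) i;
        ByteArrayOutputStream ct = new ByteArrayOutputStream();
        int off = 0;
        for (int n : new int[] {1, 20, 16}) {                       // uneven update sizes, first is 1 byte
            ct.write(update(Arrays.copyOfRange(msg, off, off + n)));
            off += n;
        }
        ct.write(doFinal());
        Cipher ref = Cipher.getInstance("AES/ECB/PKCS5Padding");    // reference result to compare against
        ref.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("matches reference: " + Arrays.equals(ct.toByteArray(), ref.doFinal(msg)));
    }
}
```

The stand-in never sees an input that is not a multiple of 16 bytes, whatever sizes the caller passes to `update`, and the concatenated output is compared against a one-shot AES/ECB/PKCS5Padding encryption of the same plaintext.
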
Backported by:

- JDK-8265142 No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding (Resolved)
- JDK-8265303 No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding (Resolved)
- JDK-8266538 No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding (Resolved)
- JDK-8267024 No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding (Resolved)

Links to:

- Commit openjdk/jdk16u/ce14719d
- Commit openjdk/jdk/1ee80e03
- Review openjdk/jdk16u/105
- Review openjdk/jdk/2510