Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8293345

SunPKCS11 provider checks on PKCS11 Mechanism are problematic

XMLWordPrintable

        ADDITIONAL SYSTEM INFORMATION :
        Windows 10 64 bits / CentOS 7 64 bits

        A DESCRIPTION OF THE PROBLEM :
        In France, french healthcare professionals use a card to authenticate and sign.
        Since jdk8 322 we have a problem.
        PKCS11 have been disabled : https://bugs.openjdk.org/browse/JDK-8176837

        The problem is that the card mechanism is considered legacy and therefore disabled.
        This check needs a little more flexibility.


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        SunPKCS11 loading ---DummyConfig-1---
        Information for provider SunPKCS11-VitCo-0
        Library info:
          cryptokiVersion: 2.20
          manufacturerID: ANS
          flags: 0
          libraryDescription: CPS3 PKCS#11 WIN 64
          libraryVersion: 2.13
        sunpkcs11: Initializing PKCS#11 library C:\Windows\System32\cps3_pkcs11_w64.dll
        All slots: 0, 1
        Slots with tokens: 0
        Slot info for slot 0:
          slotDescription: KAPELSE 00026351 KAP-LINK 0 0
          manufacturerID:
          flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
          hardwareVersion: 0.00
          firmwareVersion: 0.00
        Token info for token in slot 0:
          label: CPS3v3-2800638708
          manufacturerID: ASIP SANTE
          model: IAS ECC
          serialNumber: 99231175
          flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
          ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
          ulSessionCount: 0
          ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
          ulRwSessionCount: 0
          ulMaxPinLen: 4
          ulMinPinLen: 4
          ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
          ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
          ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
          ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
          hardwareVersion: 0.00
          firmwareVersion: 0.00
          utcTime:
        Mechanism CKM_SHA_1:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 1024 = CKF_DIGEST
        Mechanism CKM_SHA256:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 1024 = CKF_DIGEST
        Mechanism CKM_RSA_X_509:
          ulMinKeySize: 512
          ulMaxKeySize: 2048
          flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
        DISABLED due to legacy
        Mechanism CKM_RSA_PKCS:
          ulMinKeySize: 512
          ulMaxKeySize: 2048
          flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
        DISABLED due to legacy
        Mechanism CKM_SHA1_RSA_PKCS:
          ulMinKeySize: 512
          ulMaxKeySize: 2048
          flags: 10240 = CKF_SIGN | CKF_VERIFY
        Mechanism CKM_SHA256_RSA_PKCS:
          ulMinKeySize: 512
          ulMaxKeySize: 2048
          flags: 10240 = CKF_SIGN | CKF_VERIFY
        DISABLED in configuration
        sunpkcs11: login succeeded
        sunpkcs11: user already logged in

        ACTUAL -
        javax.net.ssl.SSLException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.convert(SSLIOSession.java:265)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:272)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:319)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$300(SSLIOSession.java:71)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:175)
        at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:124)
        at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:179)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:128)
        at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:85)
        at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
        at java.lang.Thread.run(Thread.java:750)
        Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
        at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:608)
        at java.security.Signature$Delegate.engineSign(Signature.java:1382)
        at java.security.Signature.sign(Signature.java:698)
        at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:609)
        at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:761)
        at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
        at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:362)
        ... 9 common frames omitted

        FREQUENCY : always


              valeriep Valerie Peng
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: