- Enhancement
- Resolution: Fixed
- P3
- 8
- b23
- generic
- generic

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build
---|---|---|---|---|---|---
JDK-8337403 | 21.0.7-oracle | Nibedita Jena | P3 | Open | Unresolved |
JDK-8337402 | 17.0.15-oracle | Nibedita Jena | P3 | Open | Unresolved |

ADDITIONAL SYSTEM INFORMATION :
Windows 10 64 bits / CentOS 7 64 bits
A DESCRIPTION OF THE PROBLEM :
In France, French healthcare professionals use a card to authenticate and sign.
Since jdk8 322 we have a problem.
PKCS11 has been disabled: https://bugs.openjdk.org/browse/JDK-8176837
The problem is that the card mechanism is considered legacy and therefore disabled.
This check needs a little more flexibility.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
SunPKCS11 loading ---DummyConfig-1---
Information for provider SunPKCS11-VitCo-0
Library info:
cryptokiVersion: 2.20
manufacturerID: ANS
flags: 0
libraryDescription: CPS3 PKCS#11 WIN 64
libraryVersion: 2.13
sunpkcs11: Initializing PKCS#11 library C:\Windows\System32\cps3_pkcs11_w64.dll
All slots: 0, 1
Slots with tokens: 0
Slot info for slot 0:
slotDescription: KAPELSE 00026351 KAP-LINK 0 0
manufacturerID:
flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
hardwareVersion: 0.00
firmwareVersion: 0.00
Token info for token in slot 0:
label: CPS3v3-2800638708
manufacturerID: ASIP SANTE
model: IAS ECC
serialNumber: 99231175
flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
ulSessionCount: 0
ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
ulRwSessionCount: 0
ulMaxPinLen: 4
ulMinPinLen: 4
ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
hardwareVersion: 0.00
firmwareVersion: 0.00
utcTime:
Mechanism CKM_SHA_1:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA256:
ulMinKeySize: 0
ulMaxKeySize: 0
flags: 1024 = CKF_DIGEST
Mechanism CKM_RSA_X_509:
ulMinKeySize: 512
ulMaxKeySize: 2048
flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
DISABLED due to legacy
Mechanism CKM_RSA_PKCS:
ulMinKeySize: 512
ulMaxKeySize: 2048
flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
DISABLED due to legacy
Mechanism CKM_SHA1_RSA_PKCS:
ulMinKeySize: 512
ulMaxKeySize: 2048
flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
ulMinKeySize: 512
ulMaxKeySize: 2048
flags: 10240 = CKF_SIGN | CKF_VERIFY
DISABLED in configuration
sunpkcs11: login succeeded
sunpkcs11: user already logged in
ACTUAL -
javax.net.ssl.SSLException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
at org.apache.hc.core5.reactor.ssl.SSLIOSession.convert(SSLIOSession.java:265)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:272)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:319)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$300(SSLIOSession.java:71)
at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:175)
at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:124)
at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:179)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:128)
at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:85)
at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
at java.lang.Thread.run(Thread.java:750)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:608)
at java.security.Signature$Delegate.engineSign(Signature.java:1382)
at java.security.Signature.sign(Signature.java:698)
at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:609)
at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:761)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:362)
... 9 common frames omitted
FREQUENCY : always
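
A triage sketch for the provider debug output above, added here as an example (it is not code from the report or from the JDK): it decodes each mechanism's numeric flags, records the provider's DISABLED verdict, and lists which mechanisms remain usable for a given operation. The one-way pairs it reports (such as decrypt without encrypt) are an observation about the flags and are only assumed to be what the legacy check reacts to; `triage` and `still_enabled` are hypothetical helper names, and the sample is an excerpt of the log lines in the report.

```python
import re

# CKF_* mechanism-info flag bits, values from the PKCS#11 specification.
CKF = {"CKF_HW": 0x1, "CKF_ENCRYPT": 0x100, "CKF_DECRYPT": 0x200,
       "CKF_DIGEST": 0x400, "CKF_SIGN": 0x800, "CKF_VERIFY": 0x2000,
       "CKF_WRAP": 0x20000, "CKF_UNWRAP": 0x40000}
# Operation pairs of which a token may expose only one direction.
PAIRS = [("CKF_ENCRYPT", "CKF_DECRYPT"), ("CKF_SIGN", "CKF_VERIFY"),
         ("CKF_WRAP", "CKF_UNWRAP")]

# Sample input: excerpt of the mechanism lines from the debug output in the report.
SAMPLE = """\
Mechanism CKM_SHA256:
flags: 1024 = CKF_DIGEST
Mechanism CKM_RSA_PKCS:
ulMinKeySize: 512
ulMaxKeySize: 2048
flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
DISABLED due to legacy
Mechanism CKM_SHA1_RSA_PKCS:
flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
flags: 10240 = CKF_SIGN | CKF_VERIFY
DISABLED in configuration
sunpkcs11: login succeeded
"""

def triage(log):
    """Map each mechanism to its decoded flags, one-way pairs and DISABLED reason."""
    report, cur = {}, None
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"Mechanism (CKM_\w+):", line):
            cur = report.setdefault(m.group(1), {"flags": [], "one_way": [], "disabled": None})
        elif cur is None:
            continue  # library, slot and token info precede the mechanism list
        elif m := re.match(r"flags: (\d+) =", line):
            bits = int(m.group(1))
            cur["flags"] = [name for name, bit in CKF.items() if bits & bit]
            for a, b in PAIRS:
                if bool(bits & CKF[a]) != bool(bits & CKF[b]):
                    have, lack = (a, b) if bits & CKF[a] else (b, a)
                    cur["one_way"].append(f"{have} without {lack}")
        elif m := re.match(r"DISABLED (.+)", line):
            cur["disabled"] = m.group(1)
    return report

def still_enabled(report, flag):
    """Mechanisms that advertise `flag` and were not disabled by the provider."""
    return [m for m, r in report.items() if flag in r["flags"] and not r["disabled"]]

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for mech, r in rep.items():
        print(mech, r["disabled"] or "enabled", r["one_way"])
    print("signing still possible with:", still_enabled(rep, "CKF_SIGN"))
```

Run against the full log in the report, the only signing mechanism left enabled is CKM_SHA1_RSA_PKCS, which is the kind of result worth checking before moving a token-backed TLS client to a new JDK update.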
- backported by
  - JDK-8337402 SunPKCS11 provider checks on PKCS11 Mechanism are problematic (Open)
  - JDK-8337403 SunPKCS11 provider checks on PKCS11 Mechanism are problematic (Open)
- csr for
  - JDK-8329300 SunPKCS11 provider checks on PKCS11 Mechanism are problematic (Closed)
- relates to
  - JDK-8334284 InvalidKeyException: Unsupported key type: SunPKCS11-SmartCard (Open)
  - JDK-8272643 Backout JDK-8176837 from 8u312 (Resolved)
- links to
  - Commit openjdk/jdk/1b476f52
  - Review(master) openjdk/jdk/18387