Bug
Resolution: Fixed
P4
17
b19
x86_64
windows_10
A DESCRIPTION OF THE PROBLEM :
When debugging the SunPKCS11 configuration for a Yubikey 5, I noticed that setting java.security.debug=sunpkcs11 breaks the configuration if the slotListIndex parameter is used.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the following code, with and without -Djava.security.debug=sunpkcs11
PKCS11 pkcs11 = PKCS11.getInstance("C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll", "C_GetFunctionList", null, false);
long slot = pkcs11.C_GetSlotList(true)[0]; // slot = 2
String configuration = "--name=yubikey\n" +
"library = \"C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll\"\n" +
"slotListIndex=" + slot;
Provider provider = Security.getProvider("SunPKCS11");
provider.configure(configuration);
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No exception thrown, the provider is properly initialized.
ACTUAL -
When java.security.debug=sunpkcs11 is set an exception is thrown. Here is the output:
SunPKCS11 loading --name=yubikey
library = "C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll"
slotListIndex=2
sunpkcs11: Initializing PKCS#11 library C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll
Information for provider SunPKCS11-yubikey
Library info:
cryptokiVersion: 2.40
manufacturerID: Yubico (www.yubico.com)
flags: 0
libraryDescription: PKCS#11 PIV Library (SP-800-73)
libraryVersion: 2.30
All slots: 0, 1, 2
Slots with tokens: 2
java.security.ProviderException: Initialization failed
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:387)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:118)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:115)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:115)
... 32 more
Caused by: java.security.ProviderException: slotListIndex is 2 but token only has 1 slots
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:368)
... 36 more
---------- BEGIN SOURCE ----------
import java.security.Provider;
import java.security.Security;
import org.junit.Test;
import sun.security.pkcs11.wrapper.PKCS11;

public class SunPKCS11Test {
    @Test
    public void testSunPKCS11() throws Exception {
        // Ask the PKCS#11 library directly for the slots that have a token present.
        PKCS11 pkcs11 = PKCS11.getInstance("C:\\Program Files\\Yubico\\Yubico PIV Tool\\bin\\libykcs11.dll", "C_GetFunctionList", null, false);
        long slot = pkcs11.C_GetSlotList(true)[0]; // slot = 2

        // Inline provider configuration; the returned value is passed as slotListIndex.
        String configuration = "--name=yubikey\n" +
                "library = \"C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll\"\n" +
                "slotListIndex=" + slot;

        // Fails only when -Djava.security.debug=sunpkcs11 is set.
        Provider provider = Security.getProvider("SunPKCS11");
        provider.configure(configuration);
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Replace the 'slotListIndex' parameter with 'slot'
FREQUENCY : always
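The debug output lists two slot lists of different length, and the exception counts only one slot. The following added example (not part of the report and not JDK code) resolves the reproducer's index against each list and then builds the workaround configuration that names the slot by ID. The class and helper names are hypothetical, the slot lists are copied from the output above, and the range check is an assumed model of how a list index is validated.

```java
import java.util.Arrays;

public class SlotIndexDemo {
    // Slot lists copied from the debug output in the report.
    static final long[] ALL_SLOTS = {0, 1, 2};
    static final long[] SLOTS_WITH_TOKENS = {2};

    // Hypothetical helper: resolve a slotListIndex against one slot list,
    // failing with the same wording as the exception in the report.
    static long resolve(long[] slots, int slotListIndex) {
        if (slotListIndex < 0 || slotListIndex >= slots.length) {
            throw new IllegalArgumentException("slotListIndex is " + slotListIndex
                    + " but token only has " + slots.length + " slots");
        }
        return slots[slotListIndex];
    }

    // Hypothetical helper: build a configuration that names the slot by ID
    // (the reporter's workaround), so no list position is involved.
    static String configBySlotId(String name, String library, long slotId) {
        return "--name=" + name + "\n"
                + "library = \"" + library + "\"\n"
                + "slot=" + slotId;
    }

    public static void main(String[] args) {
        int index = 2; // the value the reproducer passes as slotListIndex

        // Against the full slot list, position 2 exists and maps to a slot ID.
        System.out.println("index " + index + " in " + Arrays.toString(ALL_SLOTS)
                + " -> slot ID " + resolve(ALL_SLOTS, index));

        // Against the token-only list, the same position is out of range.
        try {
            resolve(SLOTS_WITH_TOKENS, index);
        } catch (IllegalArgumentException e) {
            System.out.println("index " + index + " in "
                    + Arrays.toString(SLOTS_WITH_TOKENS) + " -> " + e.getMessage());
        }

        // A slot ID means the same thing whichever list was enumerated.
        long slotId = SLOTS_WITH_TOKENS[0];
        System.out.println(configBySlotId("yubikey",
                "C:/Program Files/Yubico/Yubico PIV Tool/bin/libykcs11.dll", slotId));
    }
}
```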