- Type: Bug
- Priority: P3
- Resolution: Unresolved
- None
- 8u411
- b01
- OS: generic
- CPU: generic
A DESCRIPTION OF THE PROBLEM:
We have a functionality that involves the signing of a document. This feature always worked with many versions of JRE 1.8, but suddenly stopped working after the last update (411), and it's giving us the following exception:

    java.security.InvalidKeyException: Unsupported key type: SunPKCS11-SmartCard RSA private key, 2048 bits (id 1002, token object, sensitive, unextractable)

The failing method is java.security.Signature.initSign().

    Signature signatureAlgorithm = Signature.getInstance(algorithm);
    signatureAlgorithm.initSign(pkey);

where algorithm is "NONEwithRSA" and pkey is the private key that has been read from the smartcard correctly (without any issue) via the following piece of code:

    PrivateKey privateKey = (PrivateKey) keyStore.getKey(aliasId, password != null ? password.toCharArray() : null);

The keystore is read (also in this case without any issue) via a specific DLL (bit4xpki.dll) with the following piece of code:
    import java.io.ByteArrayInputStream;
    import java.io.IOException;
    import java.lang.reflect.Constructor;
    import java.nio.charset.StandardCharsets;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.Provider;
    import java.security.Security;

    public class SmartCardKeyStores {
        // Constants not shown in the report; these are the standard values on JDK 8.
        private static final String SUN_PKCS11_PROVIDER_CLASS = "sun.security.pkcs11.SunPKCS11";
        private static final String PKCS11_KEYSTORE_TYPE = "PKCS11";

        public static KeyStore loadKeyStoreFromSmartCard(String aPKCS11LibraryFileName, String aSmartCardPIN, ClassLoader classLoader) throws GeneralSecurityException, IOException {
            // SunPKCS11 configuration: provider name, native PKCS#11 library, and CKM_SHA1_RSA_PKCS disabled
            String pkcs11ConfigSettings = "name = SmartCard\n" + "library = " + aPKCS11LibraryFileName + "\n";
            pkcs11ConfigSettings += "disabledMechanisms={ CKM_SHA1_RSA_PKCS }\n";
            byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes(StandardCharsets.UTF_8);
            ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
            try {
                // JDK 8: SunPKCS11 has a public InputStream constructor; it is loaded reflectively here
                Class<?> sunPkcs11Class = (classLoader != null) ? classLoader.loadClass(SUN_PKCS11_PROVIDER_CLASS) : Class.forName(SUN_PKCS11_PROVIDER_CLASS);
                Constructor<?> pkcs11Constr = sunPkcs11Class.getConstructor(java.io.InputStream.class);
                Provider pkcs11Provider = (Provider) pkcs11Constr.newInstance(confStream);
                Security.addProvider(pkcs11Provider);
                System.out.println("Provider name:" + pkcs11Provider.getName());
            } catch (Exception e) {
                throw new KeyStoreException("Cannot initialize Sun PKCS#11 security provider. Reason: " + e, e);
            }
            // The token PIN is passed as the keystore password; load(null, pin) logs in to the token
            char[] pin = (aSmartCardPIN != null) ? aSmartCardPIN.toCharArray() : null;
            KeyStore keyStore = KeyStore.getInstance(PKCS11_KEYSTORE_TYPE);
            keyStore.load(null, pin);
            return keyStore;
        }
    }
I read the whole changelog of Java 411, but I didn't find any bugfix that could explain such a change of behaviour.
REGRESSION: Last worked in version 8
FREQUENCY: always
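To narrow down where the rejection happens, the following diagnostic (added here; it is not code from the report) loads the token the same way, lists the RSA Signature services the SunPKCS11 provider registers, and attempts initSign with each token key both through default provider selection (as the report does) and pinned to the SunPKCS11 provider. It assumes JDK 8 (public InputStream constructor of sun.security.pkcs11.SunPKCS11) and that the PKCS#11 library path and PIN are given as command-line arguments.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Enumeration;

/** Diagnostic added as an example; not part of the bug report. Requires a real token. */
public class Pkcs11SignatureProbe {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = PKCS#11 library path, args[1] = token PIN
        String library = args[0];
        char[] pin = args[1].toCharArray();
        String config = "name = SmartCard\nlibrary = " + library + "\n";
        Provider p11 = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8)));
        Security.addProvider(p11);

        // What the updated provider actually advertises for RSA signing on this token
        for (Provider.Service s : p11.getServices()) {
            if ("Signature".equals(s.getType()) && s.getAlgorithm().endsWith("RSA")) {
                System.out.println("provider offers Signature." + s.getAlgorithm());
            }
        }

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            for (String alg : new String[] {"NONEwithRSA", "SHA256withRSA"}) {
                probe(alias, alg, key, null); // default provider search, as in the report
                probe(alias, alg, key, p11);  // pinned to SunPKCS11, skips other providers
            }
        }
    }

    /** Reports whether initSign accepts the token key for one algorithm/provider pair. */
    static void probe(String alias, String alg, PrivateKey key, Provider provider) {
        String route = (provider == null) ? "any provider" : provider.getName();
        try {
            Signature sig = (provider == null) ? Signature.getInstance(alg)
                                               : Signature.getInstance(alg, provider);
            sig.initSign(key);
            System.out.println(alias + " " + alg + " via " + route + ": OK, selected "
                    + sig.getProvider().getName());
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            System.out.println(alias + " " + alg + " via " + route + ": " + e);
        }
    }
}
```

If the pinned call succeeds while the default search fails, the problem is in provider selection; if both fail only for NONEwithRSA, the token's reported mechanism information for raw RSA is the thing to inspect.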
Relates to:
- JDK-8176837 SunPKCS11 provider needs to check more details on PKCS11 Mechanism (Closed)
- JDK-8293345 SunPKCS11 provider checks on PKCS11 Mechanism are problematic (Resolved)