- Bug
- Resolution: Fixed
- P3
- 21, 22, 23
- b26
- b16
- generic
- generic
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8341800 | 21.0.7-oracle | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8346813 | 21.0.7 | Goetz Lindenmaier | P3 | Resolved | Fixed | master |
Problem observed with Utimaco CryptoServer PKCS11 device, but is of general scope
A DESCRIPTION OF THE PROBLEM :
With the introduction of https://bugs.openjdk.org/browse/JDK-8308719 the SunPKCS11 provider will query the PKCS11 device (C_GetMechanismInfo) for mechanisms that are not supported.
This happens because of new logic, which queries info for "required mechanisms" for a feature, even if that mechanism is not returned by C_GetMechanismList and even if the mechanism is blacklisted in disabledMechanisms.
At least some PKCS11 implementations will respond with CKR_FUNCTION_FAILED when C_GetMechanismInfo is called with an unknown mechanism. This makes it impossible to initialize the PKCS11 interface.
This happens in SunPKCS11.java line 1309ff:

```java
        // Check that other mechanisms required for the
        // service are supported before listing it as
        // available for the first time.
        for (int requiredMech : d.requiredMechs) {
            if (token.getMechanismInfo(
                    requiredMech & 0xFFFFFFFFL) == null) {
                continue descLoop;
            }
        }
    }
```
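The pre-fix loop quoted above, beside a guarded variant that consults the C_GetMechanismList result and disabledMechanisms before querying the device. This is an added illustration with a simulated token, not JDK code; the two mechanism constants are standard PKCS#11 values, and the device's CKR_FUNCTION_FAILED answer is modelled as an exception.

```java
import java.util.List;
import java.util.Set;

public class RequiredMechCheck {
    // Standard PKCS#11 mechanism identifiers (CKM_* values from the spec).
    static final long CKM_SHA256_HMAC = 0x251L;
    static final long CKM_PKCS5_PBKD2 = 0x3B0L;

    /** Simulated token: C_GetMechanismInfo fails for anything it did not advertise. */
    static class Token {
        final Set<Long> mechanismList;   // what C_GetMechanismList returned
        Token(Set<Long> mechs) { this.mechanismList = mechs; }
        Object getMechanismInfo(long mech) {
            if (!mechanismList.contains(mech)) {
                // Some HSMs answer CKR_FUNCTION_FAILED here rather than CKR_MECHANISM_INVALID.
                throw new IllegalStateException("CKR_FUNCTION_FAILED");
            }
            return "info"; // stand-in for CK_MECHANISM_INFO
        }
    }

    /** Pre-fix logic from the report: asks the device about every required mechanism. */
    static boolean unguarded(Token token, List<Long> required) {
        for (long m : required) {
            if (token.getMechanismInfo(m & 0xFFFFFFFFL) == null) return false;
        }
        return true;
    }

    /** Guarded variant: only mechanisms that were listed and are not disabled
     *  are ever passed to C_GetMechanismInfo, so the device cannot fail the init. */
    static boolean guarded(Token token, Set<Long> disabled, List<Long> required) {
        for (long m : required) {
            long mech = m & 0xFFFFFFFFL;
            if (disabled.contains(mech) || !token.mechanismList.contains(mech)) return false;
            if (token.getMechanismInfo(mech) == null) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Token hsm = new Token(Set.of(CKM_SHA256_HMAC));   // device does not advertise PBKD2
        List<Long> required = List.of(CKM_SHA256_HMAC, CKM_PKCS5_PBKD2);
        System.out.println("guarded: " + guarded(hsm, Set.of(), required)); // false, no exception
        try { unguarded(hsm, required); }
        catch (IllegalStateException e) { System.out.println("unguarded: " + e.getMessage()); }
    }
}
```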
REGRESSION : Last worked in version 20
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure a PKCS11 device as described in:
https://docs.oracle.com/en/java/javase/21/security/pkcs11-reference-guide1.html
Run

```shell
keytool -v -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg c:/pkcs11/pkcs11.cfg
```
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
List of keys in PKCS11 device
ACTUAL -
```text
keytool error: java.security.ProviderException: Initialization failed
java.security.ProviderException: Initialization failed
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:391)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:126)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:123)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:123)
    at java.base/sun.security.tools.KeyStoreUtil.loadProviderByName(KeyStoreUtil.java:283)
    at java.base/sun.security.tools.KeyStoreUtil.loadProviderByClass(KeyStoreUtil.java:316)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:834)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GetMechanismInfo(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.Token.getMechanismInfo(Token.java:399)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.initToken(SunPKCS11.java:1313)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:382)
    ... 9 more
```
CUSTOMER SUBMITTED WORKAROUND :
Downgrade to Java 20 or below
FREQUENCY : always
- backported by
  - JDK-8341800 SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms (Resolved)
  - JDK-8346813 SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms (Resolved)
- caused by
  - JDK-8301553 Support Password-Based Cryptography in SunPKCS11 (Resolved)
- duplicates
  - JDK-8337742 CKR_FUNCTION_FAILED error when trying to connect to HSM (Closed)
- links to
  - Commit(master) openjdk/jdk21u-dev/85e5a5c6
  - Commit(master) openjdk/jdk/fdfe503d
  - Review(master) openjdk/jdk21u-dev/1283
  - Review(master) openjdk/jdk/20207