Re: SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232

Mon, 02 Dec 2019 16:57:27 -0800 

Hi Hubert,
I've filed https://bugs.openjdk.java.net/browse/JDK-8235215 to keep track of this issue. 

I have not yet tried if this can be reproduced in house with NSS yet.


Just curious, which HSM vendor did you use? It'd be helpful to include 
in the bug report.


Thanks,
Valerie
On 12/2/2019 8:50 AM, DEBORDEAUX Hubert wrote:

Hello,
Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT 
with no padding.
We use a SunPKCS11 provider linked to a Network HSM.
After a DECRYPT command (DES or AES) NOPADDING, we noticed the log : "Killing 
session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 
1"
All following commands failed with error : CKR_USER_NOT_LOGGED_IN

After a quick investigation, it looks like the fix JDK-8228565 done in 
P11Cipher.java is the root cause of this new behavior.
        ....
        // Special handling to match SunJCE provider behavior
                 if (bytesBuffered == 0 && padBufferLen == 0) {
                     return 0;
                 }
        ....
        } finally {
                        reset(doCancel);   // doCancel is true, so killSession 
is called.
                }

This is a source code to reproduce the problem:
        SunPKCS11 p = new SunPKCS11(configName);           // config to Network 
HSM
        p.setCallbackHandler(handler);    // Handler for password
                Security.addProvider(p);

         
         	KeyStore.CallbackHandlerProtection chp =

                        new KeyStore.CallbackHandlerProtection(handler);
                KeyStore.Builder builder = 
KeyStore.Builder.newInstance("PKCS11", p, chp);
                KeyStore keystore = builder.getKeyStore();
                SecretKeyEntry entry = (SecretKeyEntry) 
keystore.getEntry("MyKeyAlias", null);

         
         	Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());

                IvParameterSpec ivParameterSpec = new IvParameterSpec(new 
byte[8]);
                // cipher a text
                cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);
                byte[] clearData = "clear text111111".getBytes();
                byte[] cipheredData = cipher.doFinal(clearData);
                // Decipher the result
                cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);
                byte[] clearTextResult = cipher.doFinal(cipheredData);
        // display the result
        System.out.println(new String(clearTextResult));  // So far, no problem

         
               // Try another cipher

                cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);
        byte[] clearData2 = "clear text222222".getBytes();
                byte[] cipheredData2 = cipher.doFinal(clearData);
        // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: 
CKR_USER_NOT_LOGGED_IN

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)


         
Workarounds:

        . use the SunPkcs11 jar file from openJDK 8_222
        . add a login after every decrypt commands
        . use PKCS5Padding when possible

Could you tell me if you can reproduce this problem and what is the best way 
for me to report it ?

Thanks you
Best Regards,
Hubert

  






















					Reply via email to