Also,
which JDK distro version of 8 are you using ? Note that the OpenJDK
version has an extra few pkcs11 fixes in OpenJDK in this area (compared
to the Oracle JDK 8 Updates) - Below being some of those :
https://bugs.openjdk.java.net/browse/JDK-8216597
https://bugs.openjdk.java.net/browse/JDK-6913047
https://bugs.openjdk.java.net/browse/JDK-6946830
Regards,
Sean.
On 03/12/19 00:56, Valerie Peng wrote:
Hi Hubert,
I've filed https://bugs.openjdk.java.net/browse/JDK-8235215 to keep
track of this issue.
I have not yet tried if this can be reproduced in house with NSS yet.
Just curious, which HSM vendor did you use? It'd be helpful to include
in the bug report.
Thanks,
Valerie
On 12/2/2019 8:50 AM, DEBORDEAUX Hubert wrote:
Hello,
Following the update to OpenJDK 8_232, we did face a problem after a
DECRYPT with no padding.
We use a SunPKCS11 provider linked to a Network HSM.
After a DECRYPT command (DES or AES) NOPADDING, we noticed the log :
"Killing session
(sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428))
active: 1"
All following commands failed with error : CKR_USER_NOT_LOGGED_IN
After a quick investigation, it looks like the fix JDK-8228565 done
in P11Cipher.java is the root cause of this new behavior.
....
// Special handling to match SunJCE provider behavior
if (bytesBuffered == 0 && padBufferLen == 0) {
return 0;
}
....
} finally {
reset(doCancel); // doCancel is true, so
killSession is called.
}
This is a source code to reproduce the problem:
SunPKCS11 p = new SunPKCS11(configName); // config to
Network HSM
p.setCallbackHandler(handler); // Handler for password
Security.addProvider(p);
KeyStore.CallbackHandlerProtection chp =
new KeyStore.CallbackHandlerProtection(handler);
KeyStore.Builder builder =
KeyStore.Builder.newInstance("PKCS11", p, chp);
KeyStore keystore = builder.getKeyStore();
SecretKeyEntry entry = (SecretKeyEntry)
keystore.getEntry("MyKeyAlias", null);
Cipher cipher =
Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
IvParameterSpec ivParameterSpec = new
IvParameterSpec(new byte[8]);
// cipher a text
cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(),
ivParameterSpec);
byte[] clearData = "clear text111111".getBytes();
byte[] cipheredData = cipher.doFinal(clearData);
// Decipher the result
cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(),
ivParameterSpec);
byte[] clearTextResult = cipher.doFinal(cipheredData);
// display the result
System.out.println(new String(clearTextResult)); // So far, no
problem
// Try another cipher
cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(),
ivParameterSpec);
byte[] clearData2 = "clear text222222".getBytes();
byte[] cipheredData2 = cipher.doFinal(clearData);
// --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_USER_NOT_LOGGED_IN
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_USER_NOT_LOGGED_IN
at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
Workarounds:
. use the SunPkcs11 jar file from openJDK 8_222
. add a login after every decrypt commands
. use PKCS5Padding when possible
Could you tell me if you can reproduce this problem and what is the
best way for me to report it ?
Thanks you
Best Regards,
Hubert
