Hello, Thank you for the quick response. The HSM we are using is the Bull Proteccio Trustway.
This is the pkcs11 config file:

name = Proteccio_PKCS11
library = /opt/bull/client/nethsm.so
slot = 1
attributes = compatibility

Thanks,
Hubert

-----Original Message-----
From: Valerie Peng [mailto:valerie.p...@oracle.com]
Sent: Tuesday, December 3, 2019 1:57
To: DEBORDEAUX Hubert <hubert.deborde...@thalesgroup.com>; security-dev@openjdk.java.net
Subject: Re: SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232

Hi Hubert,

I've filed https://bugs.openjdk.java.net/browse/JDK-8235215 to keep track of this issue. I have not yet tried whether this can be reproduced in house with NSS.

Just curious, which HSM vendor did you use? It'd be helpful to include in the bug report.

Thanks,
Valerie

On 12/2/2019 8:50 AM, DEBORDEAUX Hubert wrote:
> Hello,
> Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT with no padding.
> We use a SunPKCS11 provider linked to a Network HSM.
> After a DECRYPT command (DES or AES) NOPADDING, we noticed the log: "Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1"
> All following commands failed with error: CKR_USER_NOT_LOGGED_IN
>
> After a quick investigation, it looks like the fix JDK-8228565 done in P11Cipher.java is the root cause of this new behavior.
>     ....
>         // Special handling to match SunJCE provider behavior
>         if (bytesBuffered == 0 && padBufferLen == 0) {
>             return 0;
>         }
>     ....
>     } finally {
>         reset(doCancel); // doCancel is true, so killSession is called.
>     }
>
> This is source code to reproduce the problem:
>     SunPKCS11 p = new SunPKCS11(configName); // config to Network HSM
>     p.setCallbackHandler(handler);           // Handler for password
>     Security.addProvider(p);
>
>     KeyStore.CallbackHandlerProtection chp =
>         new KeyStore.CallbackHandlerProtection(handler);
>     KeyStore.Builder builder =
>         KeyStore.Builder.newInstance("PKCS11", p, chp);
>     KeyStore keystore = builder.getKeyStore();
>     SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", null);
>
>     Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
>     IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
>     // cipher a text
>     cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearData = "clear text111111".getBytes();
>     byte[] cipheredData = cipher.doFinal(clearData);
>     // Decipher the result
>     cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearTextResult = cipher.doFinal(cipheredData);
>     // display the result
>     System.out.println(new String(clearTextResult)); // So far, no problem
>
>     // Try another cipher
>     cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearData2 = "clear text222222".getBytes();
>     byte[] cipheredData2 = cipher.doFinal(clearData2);
>     // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
>
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
>     at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
>     at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
>
>
> Workarounds:
> . use the SunPkcs11 jar file from openJDK 8_222
> . add a login after every decrypt command
> . use PKCS5Padding when possible
>
> Could you tell me if you can reproduce this problem and what is the best way for me to report it?
>
> Thank you
> Best Regards,
> Hubert
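
The second workaround listed in the original report (log in again once the session has been killed), written out as an added example that is not part of this thread or of the JDK. The class `ReloginCipher` and its methods are hypothetical; it assumes the `SunPKCS11` provider is used through `java.security.AuthProvider`, that the key is a token object, and that a fresh login restores access as the report states.

```java
import java.security.AuthProvider;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.security.auth.callback.CallbackHandler;

/** Hypothetical helper (not JDK code): retries one cipher call after a re-login. */
public final class ReloginCipher {
    private final AuthProvider provider;   // the SunPKCS11 instance
    private final CallbackHandler handler; // supplies the token PIN

    public ReloginCipher(AuthProvider provider, CallbackHandler handler) {
        this.provider = provider;
        this.handler = handler;
    }

    /** True if any exception in the cause chain reports CKR_USER_NOT_LOGGED_IN. */
    static boolean isNotLoggedIn(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String m = c.getMessage();
            if (m != null && m.contains("CKR_USER_NOT_LOGGED_IN")) {
                return true;
            }
        }
        return false;
    }

    /** Runs init + doFinal; on a lost login, logs in again and retries once. */
    public byte[] run(String transformation, int mode, SecretKey key,
                      IvParameterSpec iv, byte[] input)
            throws GeneralSecurityException {
        try {
            return once(transformation, mode, key, iv, input);
        } catch (RuntimeException | GeneralSecurityException e) {
            if (!isNotLoggedIn(e)) {
                throw e;                   // unrelated failure: do not mask it
            }
            provider.login(null, handler); // re-authenticate to the token
            return once(transformation, mode, key, iv, input); // single retry
        }
    }

    private byte[] once(String transformation, int mode, SecretKey key,
                        IvParameterSpec iv, byte[] input)
            throws GeneralSecurityException {
        // A fresh Cipher avoids reusing state left by the cancelled operation.
        Cipher cipher = Cipher.getInstance(transformation, provider);
        cipher.init(mode, key, iv);
        return cipher.doFinal(input);
    }
}
```

Retrying only once and only on `CKR_USER_NOT_LOGGED_IN` keeps a wrong PIN or an unreachable HSM from turning into a login loop that could lock the token.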