SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232
DEBORDEAUX Hubert
hubert.debordeaux at thalesgroup.com
Mon Dec 2 16:50:51 UTC 2019
Hello,
Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT with no padding.
We use a SunPKCS11 provider linked to a Network HSM.
After a DECRYPT command (DES or AES) NOPADDING, we noticed the log : "Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1"
All following commands failed with error : CKR_USER_NOT_LOGGED_IN
After a quick investigation, it looks like the fix JDK-8228565 done in P11Cipher.java is the root cause of this new behavior.
....
// Special handling to match SunJCE provider behavior
if (bytesBuffered == 0 && padBufferLen == 0) {
return 0;
}
....
} finally {
reset(doCancel); // doCancel is true, so killSession is called.
}
This is a source code to reproduce the problem:
SunPKCS11 p = new SunPKCS11(configName); // config to Network HSM
p.setCallbackHandler(handler); // Handler for password
Security.addProvider(p);
KeyStore.CallbackHandlerProtection chp =
new KeyStore.CallbackHandlerProtection(handler);
KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
KeyStore keystore = builder.getKeyStore();
SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", null);
Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
// cipher a text
cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
byte[] clearData = "clear text111111".getBytes();
byte[] cipheredData = cipher.doFinal(clearData);
// Decipher the result
cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
byte[] clearTextResult = cipher.doFinal(cipheredData);
// display the result
System.out.println(new String(clearTextResult)); // So far, no problem
// Try another cipher
cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
byte[] clearData2 = "clear text222222".getBytes();
byte[] cipheredData2 = cipher.doFinal(clearData);
// --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
Workarounds:
. use the SunPkcs11 jar file from openJDK 8_222
. add a login after every decrypt commands
. use PKCS5Padding when possible
Could you tell me if you can reproduce this problem and what is the best way for me to report it ?
Thanks you
Best Regards,
Hubert
More information about the security-dev
mailing list