SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232

DEBORDEAUX Hubert hubert.debordeaux at thalesgroup.com
Tue Dec 3 09:36:32 UTC 2019


Hello,
Thank you for the quick response.

The HSM we are using is the Bull Proteccio Trustway.

This is the PKCS11 config file:

name = Proteccio_PKCS11
library = /opt/bull/client/nethsm.so
slot = 1
attributes = compatibility


Thanks,
Hubert

-----Original Message-----
From: Valerie Peng [mailto:valerie.peng at oracle.com] 
Sent: Tuesday, December 3, 2019 1:57
To: DEBORDEAUX Hubert <hubert.debordeaux at thalesgroup.com>; security-dev at openjdk.java.net
Subject: Re: SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232

Hi Hubert,

I've filed https://bugs.openjdk.java.net/browse/JDK-8235215 to keep track of this issue.

I have not yet tried whether this can be reproduced in house with NSS.

Just curious, which HSM vendor did you use? It'd be helpful to include in the bug report.

Thanks,
Valerie
On 12/2/2019 8:50 AM, DEBORDEAUX Hubert wrote:
> Hello,
> Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT with no padding.
> We use a SunPKCS11 provider linked to a Network HSM.
> After a DECRYPT command (DES or AES) NOPADDING, we noticed the log: "Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1"
> All following commands failed with error: CKR_USER_NOT_LOGGED_IN
>
> After a quick investigation, it looks like the fix JDK-8228565 done in P11Cipher.java is the root cause of this new behavior.
>     ....
>     // Special handling to match SunJCE provider behavior
>     if (bytesBuffered == 0 && padBufferLen == 0) {
>         return 0;
>     }
>     ....
>     } finally {
>         reset(doCancel);   // doCancel is true, so killSession is called.
>     }
>
> This is source code to reproduce the problem:
>     SunPKCS11 p = new SunPKCS11(configName);   // config to Network HSM
>     p.setCallbackHandler(handler);             // Handler for password
>     Security.addProvider(p);
>
>     KeyStore.CallbackHandlerProtection chp =
>         new KeyStore.CallbackHandlerProtection(handler);
>     KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
>     KeyStore keystore = builder.getKeyStore();
>     SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", null);
>
>     Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
>     IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
>     // cipher a text
>     cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearData = "clear text111111".getBytes();
>     byte[] cipheredData = cipher.doFinal(clearData);
>     // Decipher the result
>     cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearTextResult = cipher.doFinal(cipheredData);
>     // display the result
>     System.out.println(new String(clearTextResult));  // So far, no problem
>
>     // Try another cipher
>     cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
>     byte[] clearData2 = "clear text222222".getBytes();
>     byte[] cipheredData2 = cipher.doFinal(clearData2);
>     // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
>
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
> 	at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
> 	at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
>
>          
> Workarounds:
> 	. use the SunPkcs11 jar file from openJDK 8_222
> 	. add a login after every decrypt command
> 	. use PKCS5Padding when possible
>
> Could you tell me if you can reproduce this problem and what is the best way for me to report it?
>
> Thank you
> Best Regards,
> Hubert
>   
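
A reactive variation on the second workaround listed in the message above (re-login), written as an added example that is not code from the thread or from the JDK and has not been run against an HSM. The class and method names (`Pkcs11Relogin`, `withRelogin`, `isNotLoggedIn`) are hypothetical; `p`, `handler`, `entry`, `ivParameterSpec` and `clearData2` in the usage comment are the names from the reproducer.

```java
import java.security.AuthProvider;
import java.security.GeneralSecurityException;
import java.security.ProviderException;
import java.util.concurrent.Callable;
import javax.security.auth.callback.CallbackHandler;

/** Hypothetical helper: retry a PKCS#11 operation once after logging in again. */
public final class Pkcs11Relogin {

    private Pkcs11Relogin() {}

    /** True if any exception in the cause chain carries CKR_USER_NOT_LOGGED_IN. */
    static boolean isNotLoggedIn(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg != null && msg.contains("CKR_USER_NOT_LOGGED_IN")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs op. If it fails with CKR_USER_NOT_LOGGED_IN, logs in through the
     * provider and runs op a second time. Any other failure is rethrown.
     * op must create and init its own Cipher so the retry starts from a clean state.
     */
    public static <T> T withRelogin(AuthProvider provider, CallbackHandler handler,
                                    Callable<T> op) throws Exception {
        try {
            return op.call();
        } catch (ProviderException | GeneralSecurityException e) {
            if (!isNotLoggedIn(e)) {
                throw e;
            }
            provider.login(null, handler);   // the Subject argument may be null
            return op.call();
        }
    }

    // Usage with the reproducer's names (SunPKCS11 is an AuthProvider):
    // byte[] cipheredData2 = Pkcs11Relogin.withRelogin(p, handler, () -> {
    //     Cipher c = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
    //     c.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
    //     return c.doFinal(clearData2);
    // });
}
```

The callback handler has to be able to supply the PIN without user interaction for the retry to succeed unattended. The helper retries only once, so a login that is lost again on every decrypt still costs one failed call per operation.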

