RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
BenEfrati
github.com+1887540+benefrati at openjdk.java.net
Mon Oct 4 07:08:07 UTC 2021
On Fri, 23 Jul 2021 10:33:14 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
> Hello,
>
> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
>
> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation.
> If not applied, implementation can try to select signer from other providers.
>
> Regards
> Alexey
Hey,
Same issue using nCipherKM provider
Caused by: com.ncipher.provider.nCSecurityException: The key material is not exportable outside of the HSM
	at com.ncipher.provider.Utils.exportKey(Utils.java:1539)
	at com.ncipher.provider.Utils.getCrtParams(Utils.java:1486)
	at com.ncipher.provider.km.KMRSAPrivateCrtKey.getPrimeP(KMRSAPrivateCrtKey.java:87)
	at sun.security.rsa.RSACore.crtCrypt(RSACore.java:168)
	at sun.security.rsa.RSACore.rsa(RSACore.java:122)
	at sun.security.rsa.RSAPSSSignature.engineSign(RSAPSSSignature.java:371)
	at java.security.Signature.engineSign(Signature.java:1382)
	at java.security.Signature.sign(Signature.java:698)
	at sun.security.ssl.CertificateVerify.<init>(CertificateVerify.java:608)
	at sun.security.ssl.CertificateVerify.produce(CertificateVerify.java:760)
	at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
	at sun.security.ssl.ServerHelloDone.consume(ServerHelloDone.java:182)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
Is this fix planned for OpenJDK 8u312?
-------------
PR: https://git.openjdk.java.net/jdk/pull/4887
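
An added example, not part of this thread and not the JDK patch: a hypothetical check in the spirit of the isValid() idea quoted above, run against a constructed stand-in for an HSM-backed key whose private components cannot be read. The names softwareUsable, sensitiveKey and SensitiveKeyCheck are assumptions, as is the premise that the token refuses export with an unchecked exception or a null value.

```java
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;

public class SensitiveKeyCheck {
    // Hypothetical helper (not JDK code): true only if every component a
    // software RSA implementation needs can actually be read from the key.
    static boolean softwareUsable(PrivateKey key) {
        if (!(key instanceof RSAPrivateKey)) return false;
        try {
            RSAPrivateKey rsa = (RSAPrivateKey) key;
            if (rsa.getModulus() == null) return false;
            if (key instanceof RSAPrivateCrtKey) {
                RSAPrivateCrtKey crt = (RSAPrivateCrtKey) key;
                // getPrimeP() is the accessor that fails in the trace above.
                return crt.getPrimeP() != null && crt.getPrimeQ() != null
                    && crt.getPrimeExponentP() != null && crt.getPrimeExponentQ() != null
                    && crt.getCrtCoefficient() != null;
            }
            return rsa.getPrivateExponent() != null;
        } catch (RuntimeException e) {
            return false; // token refused to export the component
        }
    }

    // Constructed stand-in for an HSM key: the modulus is public, secrets throw.
    static RSAPrivateCrtKey sensitiveKey(BigInteger modulus) {
        return (RSAPrivateCrtKey) Proxy.newProxyInstance(
            SensitiveKeyCheck.class.getClassLoader(),
            new Class<?>[] { RSAPrivateCrtKey.class },
            (proxy, method, margs) -> {
                switch (method.getName()) {
                    case "getAlgorithm": return "RSA";
                    case "getModulus":   return modulus;
                    case "getFormat": case "getEncoded": return null;
                    default: throw new ProviderException("key material is not exportable");
                }
            });
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey soft = kpg.generateKeyPair().getPrivate();
        BigInteger n = ((RSAPrivateKey) soft).getModulus();
        System.out.println("software key usable:  " + softwareUsable(soft));
        System.out.println("sensitive key usable: " + softwareUsable(sensitiveKey(n)));
    }
}
```

A caller that gets false for a key should leave signing to the provider that owns the key instead of handing it to a software implementation.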