Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6928796

PKCS11 issue fixes in JDK6u14->18 that breaks Symmetric encryption (when NSS PKCS11 provider used)

    Details

      Description

      Problem
      ========
      It seems that since JDK6u13++, if one uses the SunPKCS11 module
      with Symmetric key encyption, it is likely one will get into
      PKCS11 error in java (CKR_BAD_ARGUMENTS).


      Simple example:
      ===============
      import javax.crypto.*;
      import java.security.*;
      public class SmallTest2 {
        public static void main(String args[])
        throws Exception {
            Provider nss = new sun.security.pkcs11.SunPKCS11(args[0]);
            Security.insertProviderAt(nss, 1);
            KeyGenerator kg = KeyGenerator.getInstance("DES");
            kg.init(56,new SecureRandom());
            System.out.println("SKeyGenerator provider: "+kg.getProvider());
            SecretKey skey =kg.generateKey();
            System.out.println("SecretKey: "+skey.getAlgorithm());
            Cipher sciph = Cipher.getInstance(skey.getAlgorithm());
            System.out.println("SCipher provider: "+sciph.getProvider());
            sciph.init(Cipher.ENCRYPT_MODE, skey);
            sciph.doFinal("SmallTesting".getBytes("UTF-8"));
            System.out.println("------------------");
            System.out.println();
        }
      }

      Take in a nss.cfg. (sample in
      https://www.opends.org/wiki/page/EllipticCurveCryptography)

      =============
      TEST RESULTS: On Solaris
      =============
      On JDK5, it works too
      On JDK6u12 and earlier: Run's OK
      On JDK6u14 to 18: BROKEN
      SKeyGenerator provider: SunPKCS11-NSS version 1.6
      SecretKey: DES
      SCipher provider: SunPKCS11-NSS version 1.6
      Exception in thread "main" java.security.ProviderException: update() failed
              at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:548)
              at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:448)
              at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:476)
              at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:462)
              at javax.crypto.Cipher.doFinal(DashoA13*..)
              at SmallTest2.main(SmallTest2.java:16)
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
              at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
              at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:501)
              ... 5 more
      Example nss.cfg
      ===============
      name=NSS
      nssLibraryDirectory=/nss3125/lib
      nssDbMode=noDb
      attributes=compatibility
      showInfo=true

      Anyway, it seems that the working and and non-working diff
      shows that the default KeyGenerator.getInstance(...)
      is different. (which is also the workaround - eg : passing
      SunJCE as the provider)

      --- trace-ok.txt Wed Mar 3 10:34:37 2010
      +++ trace-fail.txt Wed Mar 3 10:32:23 2010
      @@ -500,8 +500,6 @@
         ulMinKeySize: 16
         ulMaxKeySize: 32
         flags: 393984 = CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP
      -SKeyGenerator provider: SunJCE version 1.6
      +SKeyGenerator provider: SunPKCS11-NSS version 1.6
       SecretKey: DES
      -SCipher provider: SunJCE version 1.6
      -------------------
      -
      +SCipher provider: SunPKCS11-NSS version 1.6
      =====================
      Further information.
      =====================
      - Without using NSS as the Softoken PKCS11, things work
        (and in JDK6u18, SunPKCS11-Solaris also works)

      - Now as a WORKAROUND for NSS, it either means
        that the PKCS11 module does not work with DES
        It seems that if we add

      disabledMechanisms = {
         CKM_DES_ECB
         CKM_DES_CBC
      }

      it works. (Specifically CKM_DES_ECB actually is needed
      and the testcase will work).

      Further changing the code to be 8-byte aligned
      the testcase work. That means that the
      NSS does not support any algorithm for non-8-byte aligned
      (or PADDING).

        Attachments

          Activity

            People

            • Assignee:
              mbankal Mala Bankal (Inactive)
              Reporter:
              cchea Chee-Weng Chea (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: