Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8183107

PKCS11 regression regarding checkKeySize

    Details

    • Subcomponent:
    • Resolved In Build:
      b10
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Not verified

      Backports

        Description

        FULL PRODUCT VERSION :


        ADDITIONAL OS VERSION INFORMATION :
        Windows, Linux

        A DESCRIPTION OF THE PROBLEM :
        There is a problem using PKCS11 for smartcard driver in java 8.

        It seems that check regarding key size based on C_GetMechanismInfo was added and in our case PKCS11 smart card driver returns min and max key size with a value of 0 for RSA. And now because of added checkKeySize it fails, because it contains check:

                if ((minKeySize != -1) && (keySize < minKeySize)) {
                    throw new InvalidKeyException(keyAlgo +
                        " key must be at least " + minKeySize + " bits");
                }
                if ((maxKeySize != -1) && (keySize > maxKeySize)) {
                    throw new InvalidKeyException(keyAlgo +
                        " key must be at most " + maxKeySize + " bits");
                }

        Error is:
        Exception in thread "main" java.security.InvalidKeyException: RSA key must be at most 0 bits
        at com.sun.security.pkcs11.P11Signature.checkKeySize(P11Signature.java:366)
        at com.sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:431)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1174)
        at java.security.Signature.initSign(Signature.java:527)
        at gem_test.Test.signDocument(Test.java:140)
        at gem_test.Test.main(Test.java:126)

        Relevant mechanism is CKM_SHA1_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =

        In java 7 and before there was no check regarding key size.
        Our code worked from java 1.4 till 1.7 and is broken in JDK 8 and JDK 9.


        REGRESSION. Last worked in version 7u80

        ADDITIONAL REGRESSION INFORMATION:
        Information for provider SunPKCS11-Personal
        Library info:
          cryptokiVersion: 2.20
          manufacturerID: Nexus
          flags: 0
          libraryDescription: Personal NG PKCS 11
          libraryVersion: 1.01
        All slots: 1000, 0, 1, 100, 101, 102, 103, 104, 105, 106
        Slots with tokens: 1000, 0, 100, 101, 102, 103, 104, 105, 106
        Slot info for slot 0:
          slotDescription: Gemplus USB Key Smart Card Reader 0
          manufacturerID: Gemplus USB Key Smart Card Reade
          flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
          hardwareVersion: 255.255
          firmwareVersion: 1.00
        Token info for token in slot 0:
          label: Electronic ID (PIN1)
          manufacturerID: Technology Nexus AB
          model: Gemalto Classic
          serialNumber: 88889398785
          flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED
          ulMaxSessionCount: 65535
          ulSessionCount: 0
          ulMaxRwSessionCount: 65535
          ulRwSessionCount: 0
          ulMaxPinLen: 16
          ulMinPinLen: 6
          ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
          ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
          ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
          ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
          hardwareVersion: 3.00
          firmwareVersion: 3.00
          utcTime:
        Mechanism Unknown 0x0000000080694434:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism Unknown 0x0000000080694435:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_RSA_X_509:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_RIPEMD160_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_SHA512_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_SHA384_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_SHA256_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism Unknown 0x0000000080000046:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_SHA1_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_MD5_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_RSA_PKCS:
          ulMinKeySize: 0
          ulMaxKeySize: 0
          flags: 0 =
        Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
          ulMinKeySize: 512
          ulMaxKeySize: 2048
          flags: 65537 = CKF_HW | CKF_GENERATE_KEY_PAIR



        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        import java.io.ByteArrayInputStream;
        import java.security.KeyStore;
        import java.security.PrivateKey;
        import java.security.Signature;

        import com.sun.security.pkcs11.SunPKCS11;

        public class Test3 {

        public static void main(String[] args) throws Exception {

                char[] pin = "matej24cc".toCharArray();
                String useCertAlias = "Non Repudiation";
            
                String pkcsConf = (
                        "name = Personal\n" +
                        "library = \"c:/Program Files (x86)/Personal/bin/personal.dll\"\n" +
                        "showInfo = true\n" +
                        "slot = 0\n"
                    );

                SunPKCS11 provider = new SunPKCS11(new ByteArrayInputStream(pkcsConf.getBytes()));
                
                KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
                keyStore.load(null, pin);
                
                PrivateKey privateKey = (PrivateKey) keyStore.getKey(useCertAlias, pin);
            
                Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA", provider);
                signatureAlgorithm.initSign(privateKey);
                signatureAlgorithm.update("my sample test to be signed".getBytes("UTF-8"));
                byte[] digitalSignature = signatureAlgorithm.sign();
            }

        }

        ---------- END SOURCE ----------

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  valeriep Valerie Peng
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: