Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8236512

PKCS11 Connection closed after Cipher.doFinal and NoPadding

    Details

      Backports

        Description

        ADDITIONAL SYSTEM INFORMATION :
        openJDK 8_232, Windows 10, PKCS11 SUN provider with a network equipment (HSM)

        A DESCRIPTION OF THE PROBLEM :
        (This problem has been noticed with 8_232 release.)
        When using Cipher instance (AES or DES) with NoPadding, the connection with the PKCS11 equipment is closed:
        Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1

        It looks like after JDK-8228565, a specific handling has been added
         // Special handling to match SunJCE provider behavior
                        if (bytesBuffered == 0 && padBufferLen == 0) {
                            return 0;
                        }
        In that case (NoPadding), the doFinal returns and calls the 'reset' in the finally block. (doCancel is true)




        REGRESSION : Last worked in version 8u231

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Cipher some clear data with random padding to 8 or 16 byte block (DESede OR AES) --> OK
        2. Decipher the result using the same algo --> OK
        3. Try another cipher --> failed (CKR_USER_NOT_LOGGED_IN)


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        We expect the Step 3 to return a new ciphered result.
        ACTUAL -
        At the end of step 2, the pkcs11 layer logs: Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
        At step 3, an error is returned : CKR_USER_NOT_LOGGED_IN

        ---------- BEGIN SOURCE ----------
        SunPKCS11 p = new SunPKCS11(configName); // pkcs11 config file to HSM equipement
        p.setCallbackHandler(handler); // login handler to PKCS11 layer
        Security.addProvider(p);
        // Initialize keystore
        KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(handler);
        KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
        KeyStore keystore = builder.getKeyStore();
        // Load a secret key handle
        SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MySecretKeyAlias", null);
        // Cipher some clear text with NoPadding
        Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
        IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
        cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearData = "clear text111111".getBytes();
        byte[] cipheredData = cipher.doFinal(clearData);
        // Decipher the result
        cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearTextResult = cipher.doFinal(cipheredData);
        // Output the clear result
        System.out.println(new String(clearTextResult));
        // try another cipher
        cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
        byte[] clearData2 = "clear text222222".getBytes();
        byte[] cipheredData2 = cipher.doFinal(clearData);

        --> Fails


        sunpkcs11: login succeeded
        Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
        clear text111111
        Exception in thread "main" java.security.ProviderException: update() failed
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:629)
        at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:526)
        at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:555)
        at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:541)
        at javax.crypto.Cipher.doFinal(Cipher.java:2164)
        Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
        ... 5 more

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Wrapping all cipher and decipher calls with :
         ((sun.security.pkcs11.SunPKCS11)p).login(null, handler);

        FREQUENCY : always


          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  valeriep Valerie Peng
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: