JDK-8236512

PKCS11 Connection closed after Cipher.doFinal and NoPadding

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      openJDK 8_232, Windows 10, PKCS11 SUN provider with a network equipment (HSM)

      A DESCRIPTION OF THE PROBLEM :
      (This problem has been noticed with 8_232 release.)
      When using a Cipher instance (AES or DES) with NoPadding, the connection with the PKCS11 equipment is closed:
      Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1

      It looks like, after JDK-8228565, specific handling has been added:
          // Special handling to match SunJCE provider behavior
          if (bytesBuffered == 0 && padBufferLen == 0) {
              return 0;
          }
      In that case (NoPadding), the doFinal returns and calls the 'reset' in the finally block. (doCancel is true)

      REGRESSION : Last worked in version 8u231

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Cipher some clear data with random padding to 8 or 16 byte block (DESede OR AES) --> OK
      2. Decipher the result using the same algo --> OK
      3. Try another cipher --> failed (CKR_USER_NOT_LOGGED_IN)


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      We expect Step 3 to return a new ciphered result.
      ACTUAL -
      At the end of step 2, the pkcs11 layer logs: Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
      At step 3, an error is returned: CKR_USER_NOT_LOGGED_IN

      ---------- BEGIN SOURCE ----------
      import java.security.KeyStore;
      import java.security.KeyStore.SecretKeyEntry;
      import java.security.Security;
      import javax.crypto.Cipher;
      import javax.crypto.spec.IvParameterSpec;
      import sun.security.pkcs11.SunPKCS11;

      // configName and handler are supplied by the caller
      SunPKCS11 p = new SunPKCS11(configName); // pkcs11 config file to HSM equipment
      p.setCallbackHandler(handler); // login handler to PKCS11 layer
      Security.addProvider(p);
      // Initialize keystore
      KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(handler);
      KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp);
      KeyStore keystore = builder.getKeyStore();
      // Load a secret key handle
      SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MySecretKeyAlias", null);
      // Cipher some clear text with NoPadding
      Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName());
      IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]);
      cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
      byte[] clearData = "clear text111111".getBytes();
      byte[] cipheredData = cipher.doFinal(clearData);
      // Decipher the result
      cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
      byte[] clearTextResult = cipher.doFinal(cipheredData);
      // Output the clear result
      System.out.println(new String(clearTextResult));
      // try another cipher
      cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec);
      byte[] clearData2 = "clear text222222".getBytes();
      byte[] cipheredData2 = cipher.doFinal(clearData2);

      --> Fails


      sunpkcs11: login succeeded
      Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1
      clear text111111
      Exception in thread "main" java.security.ProviderException: update() failed
      at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:629)
      at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:526)
      at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:555)
      at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:541)
      at javax.crypto.Cipher.doFinal(Cipher.java:2164)
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
      at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
      at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)
      ... 5 more

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Wrapping all cipher and decipher calls with:
       ((sun.security.pkcs11.SunPKCS11)p).login(null, handler);

      FREQUENCY : always
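
Added example, not part of the original report and not JDK source: a simplified Java model of the control flow the report describes, where the early return leaves doCancel true, the finally block's reset kills the only session, and the next operation fails with CKR_USER_NOT_LOGGED_IN. The class name, ToyToken and its methods are hypothetical; the model assumes, as PKCS#11 defines, that closing an application's last session with a token drops its login state.

```java
public class DoFinalCancelModel {
    // Toy token (constructed): login state is lost once the application's
    // last session with the token is closed, as PKCS#11 defines.
    static class ToyToken {
        int active = 1;
        boolean loggedIn = true;
        void killSession() { if (active > 0 && --active == 0) loggedIn = false; }
        void login() { if (active == 0) active = 1; loggedIn = true; }
        void update() {
            if (!loggedIn) throw new IllegalStateException("CKR_USER_NOT_LOGGED_IN");
        }
    }

    static final ToyToken token = new ToyToken();

    // Shape of the doFinal flow quoted in the report: the early return leaves
    // doCancel == true, so the finally block cancels the operation.
    static int doFinal(int bytesBuffered, int padBufferLen) {
        boolean doCancel = true;
        try {
            if (bytesBuffered == 0 && padBufferLen == 0) {
                return 0;          // finally still runs, with doCancel == true
            }
            doCancel = false;      // normal path in this model: no cancel needed
            return bytesBuffered;
        } finally {
            reset(doCancel);
        }
    }

    static void reset(boolean doCancel) {
        if (doCancel) {
            System.out.println("Killing session, active: " + token.active);
            token.killSession();
        }
    }

    public static void main(String[] args) {
        doFinal(0, 0);             // step 2: returns 0, but kills the only session
        try {
            token.update();        // step 3: next operation on the token
        } catch (IllegalStateException e) {
            System.out.println("step 3 failed: " + e.getMessage());
        }
        token.login();             // the submitted workaround: log in again first
        token.update();            // now succeeds
        System.out.println("step 3 after re-login: ok");
    }
}
```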


            People

            • Assignee:
              valeriep Valerie Peng
              Reporter:
              webbuggrp Webbug Group