JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher

        Description

        When initializing P11Cipher or P11AEADCipher instances, the key size may be checked against an expected one (if there is one, as for AES). To do so, the code retrieves the plain key and checks the array length [1].

        However, if the key is a P11Key with attributes CKA_SENSITIVE and CKA_EXTRACTABLE (as is the case for NSS software token keys initialized in 'FIPS' mode), the key cannot be extracted in plain. Thus, the 'key.getEncoded()' call returns null and a NullPointerException occurs thereafter when accessing the 'length' attribute. For P11Keys, the size (if available) is provided at construction time. P11Key::length is the method to get the key length (in bits) [2].

        --
        [1] - http://hg.openjdk.java.net/jdk/jdk/file/2f20eadd7031/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#l348
        [2] - http://hg.openjdk.java.net/jdk/jdk/file/2f20eadd7031/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#l248
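
An added illustration of the failure described above next to a null-safe size check; it is not the JDK's code or the fix for this issue. `TokenKey` is a hypothetical stand-in for a non-extractable P11Key (the real class is internal to the SunPKCS11 provider), and both check methods and the sample keys are constructed for this example.

```java
import java.security.InvalidKeyException;
import java.security.Key;
import javax.crypto.spec.SecretKeySpec;

public class KeySizeCheckDemo {
    // Hypothetical stand-in for a token-resident key: no plain encoding is
    // available, but the size in bits was recorded at construction time.
    static final class TokenKey implements Key {
        private final int bits;
        TokenKey(int bits) { this.bits = bits; }
        int length() { return bits; }               // size in bits
        public String getAlgorithm() { return "AES"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; } // not extractable
    }

    // Pattern described in the report: dereferences getEncoded() unconditionally.
    static void checkViaEncoding(Key key, int expectedBytes) throws InvalidKeyException {
        int size = key.getEncoded().length;         // NullPointerException for TokenKey
        if (size != expectedBytes) throw new InvalidKeyException("bad key size: " + size);
    }

    // Null-safe variant: use the recorded bit length for token keys.
    static void checkKeySize(Key key, int expectedBytes) throws InvalidKeyException {
        int size;
        if (key instanceof TokenKey) {
            size = ((TokenKey) key).length() / 8;   // bits -> bytes
        } else {
            byte[] enc = key.getEncoded();
            if (enc == null) throw new InvalidKeyException("key size not available");
            size = enc.length;
        }
        if (size != expectedBytes) throw new InvalidKeyException("bad key size: " + size);
    }

    public static void main(String[] args) throws Exception {
        Key soft = new SecretKeySpec(new byte[16], "AES"); // constructed sample key
        Key token = new TokenKey(128);                     // constructed sample key
        checkViaEncoding(soft, 16);                        // works: encoding is available
        checkKeySize(soft, 16);
        checkKeySize(token, 16);                           // works: uses the bit length
        try {
            checkViaEncoding(token, 16);
        } catch (NullPointerException e) {
            System.out.println("encoding-based check fails on token key: NPE");
        }
        System.out.println("length-based check accepted both keys");
    }
}
```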

                People

                • Assignee: Martin Balao (mbalao)
                • Reporter: Martin Balao (mbalao)