Hello, Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT with no padding. We use a SunPKCS11 provider linked to a Network HSM. After a DECRYPT command (DES or AES) NOPADDING, we noticed the log : "Killing session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) active: 1" All following commands failed with error : CKR_USER_NOT_LOGGED_IN
After a quick investigation, it looks like the fix JDK-8228565 done in P11Cipher.java is the root cause of this new behavior. .... // Special handling to match SunJCE provider behavior if (bytesBuffered == 0 && padBufferLen == 0) { return 0; } .... } finally { reset(doCancel); // doCancel is true, so killSession is called. } This is a source code to reproduce the problem: SunPKCS11 p = new SunPKCS11(configName); // config to Network HSM p.setCallbackHandler(handler); // Handler for password Security.addProvider(p); KeyStore.CallbackHandlerProtection chp = new KeyStore.CallbackHandlerProtection(handler); KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", p, chp); KeyStore keystore = builder.getKeyStore(); SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", null); Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", p.getName()); IvParameterSpec ivParameterSpec = new IvParameterSpec(new byte[8]); // cipher a text cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec); byte[] clearData = "clear text111111".getBytes(); byte[] cipheredData = cipher.doFinal(clearData); // Decipher the result cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), ivParameterSpec); byte[] clearTextResult = cipher.doFinal(cipheredData); // display the result System.out.println(new String(clearTextResult)); // So far, no problem // Try another cipher cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), ivParameterSpec); byte[] clearData2 = "clear text222222".getBytes(); byte[] cipheredData2 = cipher.doFinal(clearData); // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method) at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581) Workarounds: . use the SunPkcs11 jar file from openJDK 8_222 . add a login after every decrypt commands . use PKCS5Padding when possible Could you tell me if you can reproduce this problem and what is the best way for me to report it ? Thanks you Best Regards, Hubert