SunPKCS11 connection lost after Decrypt doFinal (noPadding) openjdk 8_232

Mon, 02 Dec 2019 13:13:42 -0800 

Hello,
Following the update to OpenJDK 8_232, we did face a problem after a DECRYPT 
with no padding.
We use a SunPKCS11 provider linked to a Network HSM.
After a DECRYPT command (DES or AES) NOPADDING, we noticed the log : "Killing 
session (sun.security.pkcs11.P11Cipher.cancelOperation(P11Cipher.java:428)) 
active: 1"
All following commands failed with error : CKR_USER_NOT_LOGGED_IN

After a quick investigation, it looks like the fix JDK-8228565 done in 
P11Cipher.java is the root cause of this new behavior.
        ....
        // Special handling to match SunJCE provider behavior
                if (bytesBuffered == 0 && padBufferLen == 0) {
                    return 0;
                }
        ....
        } finally {
                        reset(doCancel);   // doCancel is true, so killSession 
is called.
                }

This is a source code to reproduce the problem:
        SunPKCS11 p = new SunPKCS11(configName);           // config to Network 
HSM    
        p.setCallbackHandler(handler);    // Handler for password
                Security.addProvider(p);
        
                KeyStore.CallbackHandlerProtection chp =
                        new KeyStore.CallbackHandlerProtection(handler);
                KeyStore.Builder builder = 
KeyStore.Builder.newInstance("PKCS11", p, chp);          
                KeyStore keystore = builder.getKeyStore();
        SecretKeyEntry entry = (SecretKeyEntry) keystore.getEntry("MyKeyAlias", 
null);         
        
                Cipher cipher = Cipher.getInstance("DESede/CBC/NOPADDING", 
p.getName());                
                IvParameterSpec ivParameterSpec = new IvParameterSpec(new 
byte[8]);  
                // cipher a text
                cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);
                byte[] clearData = "clear text111111".getBytes();
                byte[] cipheredData = cipher.doFinal(clearData);
                // Decipher the result
                cipher.init(Cipher.DECRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);         
                byte[] clearTextResult = cipher.doFinal(cipheredData);
        // display the result        
        System.out.println(new String(clearTextResult));  // So far, no problem
        
              // Try another cipher
                cipher.init(Cipher.ENCRYPT_MODE, entry.getSecretKey(), 
ivParameterSpec);
        byte[] clearData2 = "clear text222222".getBytes();
        byte[] cipheredData2 = cipher.doFinal(clearData);
        // --> Failed with sun.security.pkcs11.wrapper.PKCS11Exception: 
CKR_USER_NOT_LOGGED_IN

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native Method)
        at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:581)

        
Workarounds:
        . use the SunPkcs11 jar file from openJDK 8_222
        . add a login after every decrypt commands
        . use PKCS5Padding when possible

Could you tell me if you can reproduce this problem and what is the best way 
for me to report it ?

Thanks you
Best Regards,
Hubert

Reply via email to