openjdk team mailing list archive
Message #07703
[Bug 556549] Re: PCKS11 security provider not working
Launchpad has imported 9 comments from the remote bug at
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=469.
------------------------------------------------------------------------
On 2010-04-06T17:06:05+00:00 Matthias Klose wrote:
should work when configured with --enable-nss, however the tests never
did succeed. Seen this forever on every Debian/Ubuntu build. However
keytool is able to import the certificate with SHA384withECDSA
signatures (see bug #356).
FAILED: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java
FAILED: java/security/KeyPairGenerator/Failover.java
FAILED: sun/security/pkcs11/ec/ReadCertificates.java
FAILED: sun/security/pkcs11/ec/ReadPKCS12.java
FAILED: sun/security/pkcs11/ec/TestCurves.java
FAILED: sun/security/pkcs11/ec/TestECDH.java
FAILED: sun/security/pkcs11/ec/TestECDSA.java
FAILED: sun/security/pkcs11/ec/TestECGenSpec.java
FAILED: sun/security/pkcs11/ec/TestKeyFactory.java
FAILED: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
FAILED: sun/security/pkcs11/tls/TestPRF.java
FAILED: sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
FAILED: sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
FAILED: sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
just turning off security.provider.9 in java.security lets the
sun/security/ssl/ tests succeed.
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/2
------------------------------------------------------------------------
On 2010-04-06T17:19:17+00:00 Matthias Klose wrote:
Created attachment 325
jtr files
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/3
------------------------------------------------------------------------
On 2010-04-06T20:15:39+00:00 Andrew John Hughes wrote:
Replicated here.
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/4
------------------------------------------------------------------------
On 2010-04-12T15:34:08+00:00 Andrew John Hughes wrote:
With some more debugging on the ReadCertificates test:
Loading sunlabscerts.pem...
----------System.err:(49/3120)----------
encodedPoint: [4, 41, 4, 74, 38, 59, 63, 127, -83, 45, 42, -32, -28, -123, -38, 19, -10, -34, 31, 2, -95, -72, -70, -99, -5, 101, 62, 91, -32, -87, 87, 35, -89, -21, -25, -119, -58, -70, -63, 118, 124, 77, -125]
encodedParams: [6, 5, 43, -127, 4, 0, 8]
java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create EC public key
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
at ReadCertificates.readCertificates(ReadCertificates.java:51)
at ReadCertificates.main(ReadCertificates.java:86)
at PKCS11Test.premain(PKCS11Test.java:79)
at PKCS11Test.testDefault(PKCS11Test.java:113)
at PKCS11Test.main(PKCS11Test.java:86)
at ReadCertificates.main(ReadCertificates.java:57)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
at java.lang.Thread.run(Thread.java:636)
Caused by: java.io.IOException: subject key, Could not create EC public key
at sun.security.x509.X509Key.parse(X509Key.java:174)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
... 17 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
at sun.security.x509.X509Key.parse(X509Key.java:170)
... 20 more
Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
... 21 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
... 23 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:229)
at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:103)
... 24 more
The native layer is throwing an error CKR_DOMAIN_PARAMS_INVALID
introduced in 2.20. Had to patch OpenJDK to get the error number to
message translation so presumably this error was not in the version they
referenced.
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/5
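Added example, not part of the imported bug thread: the two byte arrays dumped above are the DER ECParameters and the DER-wrapped public point from the certificate's SubjectPublicKeyInfo, printed as Java signed bytes. The script below converts them back to bytes, decodes the namedCurve OBJECT IDENTIFIER, and measures the uncompressed point to get the field size, which is the first thing to check against the curves a PKCS#11 provider actually implements before reading CKR_DOMAIN_PARAMS_INVALID as a provider bug. For the dump above this resolves to OID 1.3.132.0.8 (secp160r1) with 20-byte coordinates. The CURVE_OIDS table and the "supported" set passed to diagnose() are constructed for the example; the OID values in the table are the standard SEC 2 / X9.62 assignments.

```python
"""Decode the EC SubjectPublicKeyInfo fragments that OpenJDK's PKCS11 provider
printed before raising CKR_DOMAIN_PARAMS_INVALID: which named curve is it, and
does the provider claim to support that curve?"""

# Byte arrays exactly as Java prints them (signed bytes), copied from the trace.
ENCODED_PARAMS_JAVA = [6, 5, 43, -127, 4, 0, 8]
ENCODED_POINT_JAVA = [4, 41, 4, 74, 38, 59, 63, 127, -83, 45, 42, -32, -28, -123, -38, 19,
                      -10, -34, 31, 2, -95, -72, -70, -99, -5, 101, 62, 91, -32, -87, 87, 35,
                      -89, -21, -25, -119, -58, -70, -63, 118, 124, 77, -125]

# Constructed lookup table: the curves named in this thread plus the Suite B set.
CURVE_OIDS = {
    "1.3.132.0.6": "secp112r1",
    "1.3.132.0.8": "secp160r1",
    "1.2.840.10045.3.1.1": "prime192v1 (NIST P-192)",
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
}


def java_bytes(signed):
    """Turn Java's signed-byte listing into a bytes object."""
    return bytes(b & 0xFF for b in signed)


def der_tlv(data):
    """Parse one DER TLV (short- or long-form length); return (tag, value, rest)."""
    tag, length = data[0], data[1]
    idx = 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        idx += n
    return tag, data[idx:idx + length], data[idx + length:]


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def curve_from_params(encoded_params):
    """ECParameters must be the namedCurve CHOICE, i.e. a single OID."""
    tag, value, _ = der_tlv(java_bytes(encoded_params))
    if tag != 0x06:
        raise ValueError("ECParameters is not a namedCurve OID (tag 0x%02x)" % tag)
    oid = decode_oid(value)
    return oid, CURVE_OIDS.get(oid, "unknown curve")


def point_field_bytes(encoded_point):
    """Per-coordinate byte length of an uncompressed point inside an OCTET STRING."""
    tag, value, _ = der_tlv(java_bytes(encoded_point))
    if tag != 0x04 or value[0] != 0x04:
        raise ValueError("expected OCTET STRING holding an uncompressed (0x04) point")
    coords = value[1:]
    if len(coords) % 2:
        raise ValueError("odd coordinate length: not an uncompressed point")
    return len(coords) // 2


def diagnose(encoded_params, encoded_point, supported_oids):
    """Summarise the key's curve and whether the given provider curve set covers it."""
    oid, name = curve_from_params(encoded_params)
    bits = point_field_bytes(encoded_point) * 8
    return {"oid": oid, "curve": name, "field_bits": bits, "supported": oid in supported_oids}


if __name__ == "__main__":
    # Constructed model of a Suite-B-only provider that knows P-256, P-384 and P-521.
    suite_b_only = {"1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"}
    print(diagnose(ENCODED_PARAMS_JAVA, ENCODED_POINT_JAVA, suite_b_only))
```

The point length is an independent cross-check on the OID: a 160-bit curve must come with two 20-byte coordinates, so a mismatch would mean the dump is corrupt rather than the curve unsupported.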
------------------------------------------------------------------------
On 2010-04-12T15:49:41+00:00 Andrew John Hughes wrote:
The improved stack trace requires this patch:
http://mail.openjdk.java.net/pipermail/security-dev/2010-April/001771.html
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/6
------------------------------------------------------------------------
On 2010-04-12T18:38:05+00:00 Andrew John Hughes wrote:
    if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding,
                      &pubKey->u.ec.ecParams) != SECSuccess) {
        crv = CKR_DOMAIN_PARAMS_INVALID;
        break;
    }
from pkcs11.c in NSS, lines 1629-1634 in GetPubKey,
which returns
cleanup:
    if (!params->cofactor) {
        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
#if EC_DEBUG
        printf("Unrecognized curve, returning NULL params\n");
#endif
    }
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/7
------------------------------------------------------------------------
On 2010-04-12T18:54:47+00:00 Andrew John Hughes wrote:
This looks like a valid error. NSS does not support the curve
requested:
Breakpoint 2, gf_populate_params (name=ECCurve_SECG_PRIME_112R1,
field_type=ec_field_GFp, params=0x7fffd800e180) at ecdecode.c:145
    curveParams = ecCurve_map[params->name];
    CHECK_OK(curveParams);
That's from TestCurves. TestECDH wants ECCurve_NIST_P192. Both are
NULL in nss-3.12.6/mozilla/security/nss/lib/freebl/ecl/ecl-curve.h
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/8
------------------------------------------------------------------------
On 2010-04-12T19:15:50+00:00 Andrew John Hughes wrote:
http://hg.mozilla.org/mozilla-central/file/8526e9e6c9ed/security/nss/lib/freebl/ecl/ecl-curve.h is the NSS version.
http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/b50cfd4479fa/src/share/native/sun/security/ec/impl/ecl-curve.h is the version Sun imported into JDK7.
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/9
------------------------------------------------------------------------
On 2010-04-27T20:23:49+00:00 Andrew John Hughes wrote:
Needs new tests; the current ones test algorithms unavailable to FOSS
distros.
Reply at: https://bugs.launchpad.net/openjdk/+bug/556549/comments/11
https://bugs.launchpad.net/bugs/556549
Title:
PCKS11 security provider not working
Status in OpenJDK:
In Progress
Status in “openjdk-6” package in Ubuntu:
Fix Released
Bug description:
should work when configured with --enable-nss, however the tests never
did succeed:
FAILED: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java
FAILED: java/security/KeyPairGenerator/Failover.java
FAILED: sun/security/pkcs11/ec/ReadCertificates.java
FAILED: sun/security/pkcs11/ec/ReadPKCS12.java
FAILED: sun/security/pkcs11/ec/TestCurves.java
FAILED: sun/security/pkcs11/ec/TestECDH.java
FAILED: sun/security/pkcs11/ec/TestECDSA.java
FAILED: sun/security/pkcs11/ec/TestECGenSpec.java
FAILED: sun/security/pkcs11/ec/TestKeyFactory.java
FAILED: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
FAILED: sun/security/pkcs11/tls/TestPRF.java
FAILED: sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
FAILED: sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
FAILED: sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
just turning off security.provider.9 in java.security lets the sun/security/ssl/ tests succeed.
however there might be pkcs11 certificates in the cacerts file, which could cause upgrade errors when the pkcs11 support is removed/disabled.