Ubuntu
openjdk-6 package

PCKS11 security provider not working

Bug #556549 reported by Matthias Klose on 2010-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenJDK	In Progress	Medium	icedtea-bugzilla #469
	openjdk-6 (Ubuntu)	Fix Released	High	Unassigned	Ubuntu ubuntu-10.04-beta-2

Bug Description

should work when configured with --enable-nss, however the tests never did succeed:

FAILED: com/sun/crypto/provider/KeyFactory/TestProviderLeak.java
FAILED: java/security/KeyPairGenerator/Failover.java
FAILED: sun/security/pkcs11/ec/ReadCertificates.java
FAILED: sun/security/pkcs11/ec/ReadPKCS12.java
FAILED: sun/security/pkcs11/ec/TestCurves.java
FAILED: sun/security/pkcs11/ec/TestECDH.java
FAILED: sun/security/pkcs11/ec/TestECDSA.java
FAILED: sun/security/pkcs11/ec/TestECGenSpec.java
FAILED: sun/security/pkcs11/ec/TestKeyFactory.java
FAILED: sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java
FAILED: sun/security/pkcs11/tls/TestPRF.java
FAILED: sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
FAILED: sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
FAILED: sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java

just turning off security.provider.9 in java.security lets the sun/security/ssl/ succeed.
however there might be pkcs11 certificates in the cacerts file, which could cause upgrade errors when the pkcs11 support is removed/disabled.

Related branches

lp:ubuntu/natty/openjdk-6

Revision history for this message

Matthias Klose (doko) wrote on 2010-04-06:

should be addressed for the release, currently investigating, but hints are welcome

Changed in openjdk-6 (Ubuntu):
importance:	Undecided → High
milestone:	none → ubuntu-10.04-beta-2
status:	New → Confirmed

Revision history for this message

In Iced Tea Bugzilla #469, Matthias Klose (doko) wrote on 2010-04-06:

should work when configured with --enable-nss, however the tests never did succeed. Seen this forever on every Debian/Ubuntu build. However keytool is able to import the certificate with SHA384withECDSA signatures (see bug #356).

just turning off security.provider.9 in java.security lets the sun/security/ssl/ tests succeed.

Revision history for this message

In Iced Tea Bugzilla #469, Matthias Klose (doko) wrote on 2010-04-06:

Created attachment 325
jtr files

Bug Watch Updater (bug-watch-updater) on 2010-04-06

Changed in openjdk:
status:	Unknown → Confirmed

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-06:

Replicated here.

Bug Watch Updater (bug-watch-updater) on 2010-04-07

Changed in openjdk:
status:	Confirmed → In Progress

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-12:

Download full text (3.5 KiB)

With some more debugging on the ReadCertificates test:

Loading sunlabscerts.pem...
----------System.err:(49/3120)----------
encodedPoint: [4, 41, 4, 74, 38, 59, 63, 127, -83, 45, 42, -32, -28, -123, -38, 19, -10, -34, 31, 2, -95, -72, -70, -99, -5, 101, \
62, 91, -32, -87, 87, 35, -89, -21, -25, -119, -58, -70, -63, 118, 124, 77, -125]
encodedParams: [6, 5, 43, -127, 4, 0, 8]
java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
        at ReadCertificates.readCertificates(ReadCertificates.java:51)
        at ReadCertificates.main(ReadCertificates.java:86)
        at PKCS11Test.premain(PKCS11Test.java:79)
        at PKCS11Test.testDefault(PKCS11Test.java:113)
        at PKCS11Test.main(PKCS11Test.java:86)
at ReadCertificates.main(ReadCertificates.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
        at java.lang.Thread.run(Thread.java:636)
Caused by: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509Key.parse(X509Key.java:174)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        ... 17 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        ... 20 more
Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        ... 21 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
        ... 23 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at sun.security.pkcs11....

With some more debugging on the ReadCertificates test:

Loading sunlabscerts.pem...
----------System.err:(49/3120)----------
encodedPoint: [4, 41, 4, 74, 38, 59, 63, 127, -83, 45, 42, -32, -28, -123, -38, 19, -10, -34, 31, 2, -95, -72, -70, -99, -5, 101, \
62, 91, -32, -87, 87, 35, -89, -21, -25, -119, -58, -70, -63, 118, 124, 77, -125]
encodedParams: [6, 5, 43, -127, 4, 0, 8]
java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
        at ReadCertificates.readCertificates(ReadCertificates.java:51)
        at ReadCertificates.main(ReadCertificates.java:86)
        at PKCS11Test.premain(PKCS11Test.java:79)
        at PKCS11Test.testDefault(PKCS11Test.java:113)
        at PKCS11Test.main(PKCS11Test.java:86)
	at ReadCertificates.main(ReadCertificates.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
        at java.lang.Thread.run(Thread.java:636)
Caused by: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509Key.parse(X509Key.java:174)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        ... 17 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        ... 20 more
Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        ... 21 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
        ... 23 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:229)
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:103)
        ... 24 more

The native layer is throwing an error CKR_DOMAIN_PARAMS_INVALID introduced in 2.20.  Had to patch OpenJDK to get the error number to message translation so presumably this error was not in the version they referenced.

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-12:

The improved stack trace requires this patch: http://mail.openjdk.java.net/pipermail/security-dev/2010-April/001771.html

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-12:

        if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding,
                    &pubKey->u.ec.ecParams) != SECSuccess) {
            crv = CKR_DOMAIN_PARAMS_INVALID;
            break;
        }

from pkcs11.c in NSS, 1629-1634 in GetPubKey

which returns

cleanup:
    if (!params->cofactor) {
        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
#if EC_DEBUG
printf("Unrecognized curve, returning NULL params\n");
#endif
    }

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-12:

#10

This looks like a valid error. NSS does not support the curve requested:

Breakpoint 2, gf_populate_params (name=ECCurve_SECG_PRIME_112R1, field_type=ec_field_GFp, params=0x7fffd800e180) at ecdecode.c:145

curveParams = ecCurve_map[params->name];
CHECK_OK(curveParams);

That's from TestCurves. TestECDH wants ECCurve_NIST_P192. Both are NULL in nss-3.12.6/mozilla/security/nss/lib/freebl/ecl/ecl-curve.h

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-12:

#11

http://hg.mozilla.org/mozilla-central/file/8526e9e6c9ed/security/nss/lib/freebl/ecl/ecl-curve.h is the NSS version.

http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/b50cfd4479fa/src/share/native/sun/security/ec/impl/ecl-curve.h is the version Sun imported into JDK7.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-04-14:

This bug was fixed in the package openjdk-6 - 6b18-1.8-0ubuntu1

---------------
openjdk-6 (6b18-1.8-0ubuntu1) lucid; urgency=low

  * Update IcedTea6 to the icedtea6-1.8 release.
  * Fix builds on Ubuntu/dapper and Debian/lenny.
  * On hppa, configure --without-rhino --disable-plugin.
  * Fix Hitachi SH configury. Closes: #575346.
  * Start a window manager when running the tests. Prefer metacity,
    as more tests pass with it.
  * Let XToolkit.isTraySupported() return true, if Compiz is running.
    Works around sun#6438179. LP: #300948.
  * Make <java_home>/jre/lib/security/nss.cfg a config file.
  * Fail in the configuration of the packages, if /proc is not mounted.
    java currently uses tricks to find its own shared libraries depending
    on the path of the binary. Will be changed in OpenJDK7. Closes: #576453.
  * Fix PR icedtea/469, testsuite failures with the NSS based security
    provider. LP: #556549.
  * Do not pass LD_LIBRARY_PATH from the plugin to the java process.
    While libnss3.so gets loaded from /usr/lib, the dependent libraries
    are loaded from MOZILLA_FIVE_HOME (See #561216 for the wrong firefox
    config). LP: #561124.
    Closes as well: LP: #551328, #554909, #560829, #549010, #553452.
  * Always build shark with hs14.
-- Matthias Klose <email address hidden> Wed, 14 Apr 2010 01:53:33 +0200

Changed in openjdk-6 (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

In Iced Tea Bugzilla #469, Andrew John Hughes (ahughes) wrote on 2010-04-27:

#12

Needs new tests; the current ones tests algorithms unavailable to FOSS distros.

Revision history for this message

Brian Kelley (brian-kelley) wrote on 2010-05-28:

It seems as if the fix to this bug created another bug which makes NSS unusable for anything other than crypto operations: https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/580982?comments=all

Perhaps the tests are to blame and not NSS itself?

Bug Watch Updater (bug-watch-updater) on 2011-02-04

Changed in openjdk:
importance:	Unknown → Medium

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

icedtea-bugzilla #469
[ASSIGNED] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuopenjdk-6 package

PCKS11 security provider not working

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
openjdk-6 package