Bug ID: 6695485 SignedObject constructor throws ProviderException if it's called using provider "SunPKCS11-Solaris"

Details
Type: Bug
Submit Date: 2008-04-29
Status: Resolved
Updated Date: 2012-03-22
Project Name: JDK
Resolved Date: 2010-04-14
Component: security-libs
OS: generic,solaris_10
Sub-Component: javax.crypto:pkcs11
CPU: sparc,generic
Priority: P2
Resolution: Fixed
Affected Versions: 6,6u16
Fixed Versions: 7


Description
The constructor SignedObject(Serializable,PrivateKey,Signature) throws ProviderException when the PrivateKey and Signature parameters are created using provider "SunPKCS11-Solaris".

Please see the minitest and its output:
-----------------------------------------------------------
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignatureMinitest {
  public static void main(String[] args) throws Exception {
    String provider = "SunPKCS11-Solaris";
    Signature sig = Signature.getInstance("SHA384withRSA", provider);
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", provider);
    kpg.initialize(512);
    KeyPair kp = kpg.generateKeyPair();
    PrivateKey privKey = kp.getPrivate();
    PublicKey pubKey = kp.getPublic();

    sig.initSign(privKey);
    new SignedObject("Test string for getSignature test.", privKey, sig);
  }
}

Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:483)
        at java.security.Signature$Delegate.engineSign(Signature.java:1128)
        at java.security.Signature.sign(Signature.java:522)
        at java.security.SignedObject.sign(SignedObject.java:227)
        at java.security.SignedObject.<init>(SignedObject.java:144)
        at SignatureMinitest.main(SignatureMinitest.java:20)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
        at sun.security.pkcs11.wrapper.PKCS11.C_Sign(Native Method)
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:474)
        ... 5 more
-----------------------------------------------------------



Possibly the root cause is the key length, because the same code with provider "SunRsaSign" produces InvalidKeyException:

Exception in thread "main" java.security.InvalidKeyException: Key is too short for this signature algorithm
        at sun.security.rsa.RSASignature.initCommon(RSASignature.java:111)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:93)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:84)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)
        at java.security.Signature.initSign(Signature.java:480)
        at SignatureMinitest.main(SignatureMinitest.java:19)

                                    

Comments
EVALUATION

It seems that this particular RSA key length check isn't implemented by the underlying crypto library such as NSS.

Thus, the SunPKCS11 provider would have to check explicitly and not rely on the native crypto library for RSA signature algorithms.
                                     
2009-04-01
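
The key length check discussed in the evaluation, worked out for PKCS#1 v1.5 signatures as an added example (not code from the JDK or the SunPKCS11 provider; Java 9+). The class and method names are hypothetical, the DigestInfo sizes are those of RFC 8017 section 9.2, and the default RSA provider is used so the example runs without a PKCS#11 token.

```java
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;
import java.util.Map;

public class RsaSigKeyLengthCheck {
  // DigestInfo size in bytes (DER prefix + digest), RFC 8017 section 9.2.
  private static final Map<String, Integer> DIGEST_INFO_LEN = Map.of(
      "SHA1withRSA", 15 + 20,
      "SHA256withRSA", 19 + 32,
      "SHA384withRSA", 19 + 48,
      "SHA512withRSA", 19 + 64);

  // EMSA-PKCS1-v1_5 puts 0x00 0x01, at least 8 bytes of 0xFF and a 0x00
  // separator in front of the DigestInfo: 11 bytes of overhead.
  static int minModulusBytes(String algorithm) {
    Integer tLen = DIGEST_INFO_LEN.get(algorithm);
    if (tLen == null) {
      throw new IllegalArgumentException("No PKCS#1 v1.5 size known for " + algorithm);
    }
    return tLen + 11;
  }

  // Hypothetical pre-flight check, to be run before Signature.initSign().
  static void checkKeyLength(String algorithm, Key key) throws InvalidKeyException {
    if (!(key instanceof RSAKey)) {
      throw new InvalidKeyException("Modulus not readable, cannot check key length");
    }
    int modBytes = (((RSAKey) key).getModulus().bitLength() + 7) / 8;
    int needed = minModulusBytes(algorithm);
    if (modBytes < needed) {
      throw new InvalidKeyException(algorithm + " needs a modulus of at least "
          + needed + " bytes, key has " + modBytes);
    }
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // default provider
    kpg.initialize(512); // same key size as the minitest
    Key pub = kpg.generateKeyPair().getPublic();
    for (String alg : new String[] {"SHA256withRSA", "SHA384withRSA"}) {
      try {
        checkKeyLength(alg, pub);
        System.out.println(alg + ": key length ok");
      } catch (InvalidKeyException e) {
        System.out.println(alg + ": rejected, " + e.getMessage());
      }
    }
  }
}
```

A 512-bit modulus is 64 bytes, while SHA384withRSA needs 19 + 48 + 11 = 78 bytes, so the check rejects the minitest's key at init time rather than at C_Sign.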


