Bug ID: JDK-6944361 Missing CKR_ values in PKCS11Exception

Details
Type: Bug
Submit Date: 2010-04-15
Status: Closed
Updated Date: 2011-05-18
Project Name: JDK
Resolved Date: 2011-05-18
Component: security-libs
OS: generic
Sub-Component: javax.crypto:pkcs11
CPU: generic
Priority: P3
Resolution: Fixed
Affected Versions: 7
Fixed Versions:


Description
I'm trying to debug an issue with the NSS provider crashing on a
number of JTreg tests.  See
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=469

I found a couple of issues in doing so:

* The stack trace is incomplete as a couple of exceptions are thrown
using only the message without including the cause
* The NSS wrapper can't handle a couple of newer NSS error codes

This patch:

http://cr.openjdk.java.net/~andrew/nss/webrev.01/jdk.patch

fixes both issues and extends:

java.security.cert.CertificateParsingException: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:320)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:550)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:434)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:444)
        at ReadCertificates.readCertificates(ReadCertificates.java:51)
        at ReadCertificates.main(ReadCertificates.java:86)
        at PKCS11Test.premain(PKCS11Test.java:79)
        at PKCS11Test.testDefault(PKCS11Test.java:113)
        at PKCS11Test.main(PKCS11Test.java:86)
        at ReadCertificates.main(ReadCertificates.java:57)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at com.sun.javatest.regtest.MainAction$SameVMThread.run(MainAction.java:595)
        at java.lang.Thread.run(Thread.java:636)
Caused by: java.io.IOException: subject key, Could not create EC public key
        at sun.security.x509.X509Key.parse(X509Key.java:174)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        ... 17 more

with:

Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:227)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        ... 20 more
Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:154)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:321)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        ... 21 more
Caused by: java.security.InvalidKeyException: Could not create EC public key
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:117)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:152)
        ... 23 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:229)
        at sun.security.pkcs11.P11ECKeyFactory.implTranslatePublicKey(P11ECKeyFactory.java:103)
        ... 24 more

allowing the native NSS error to be seen.

                                    

Comments
SUGGESTED FIX

--- old/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java	2010-04-12 16:37:30.235735207 +0100
+++ new/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java	2010-04-12 16:37:30.056533495 +0100
@@ -148,6 +148,7 @@
             0x00000115,
             0x00000120,
             0x00000121,
+            0x00000130,
             0x00000150,
             0x00000160,
             0x00000170,
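Review bot: the added `0x00000130` takes its meaning only from its position in this array, which has to match the position of the new string in the message array further down. Here it sits between `0x00000121` and `0x00000150`, and the third hunk places "CKR_DOMAIN_PARAMS_INVALID" between "CKR_RANDOM_NO_RNG" and "CKR_BUFFER_TOO_SMALL", so the two line up. A trailing comment naming the constant on each added code (`0x00000130, // CKR_DOMAIN_PARAMS_INVALID`) would let the next reviewer check the pairing without counting entries.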
@@ -156,6 +157,7 @@
             0x00000191,
             0x000001A0,
             0x000001A1,
+            0x00000200,
             0x80000000,
         };
         String[] errorMessages = new String[] {
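Review bot: the context line `0x80000000,` directly after the added `0x00000200` has no `L` suffix, so Java reads it as the int value -2147483648, and because the map built below is keyed by `Long` it is stored sign-extended rather than as 0x80000000. This patch does not change that line, but while the tail of the table is being edited it is worth confirming that this is the key a CKR_VENDOR_DEFINED lookup actually uses, or making the intended value explicit.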
@@ -234,6 +236,7 @@
             "CKR_WRAPPING_KEY_TYPE_INCONSISTENT",
             "CKR_RANDOM_SEED_NOT_SUPPORTED",
             "CKR_RANDOM_NO_RNG",
+            "CKR_DOMAIN_PARAMS_INVALID",
             "CKR_BUFFER_TOO_SMALL",
             "CKR_SAVED_STATE_INVALID",
             "CKR_INFORMATION_SENSITIVE",
@@ -242,6 +245,7 @@
             "CKR_CRYPTOKI_ALREADY_INITIALIZED",
             "CKR_MUTEX_BAD",
             "CKR_MUTEX_NOT_LOCKED",
+            "CKR_FUNCTION_REJECTED",
             "CKR_VENDOR_DEFINED",
         };
         errorMap = new HashMap<Long,String>();
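Review bot: nothing in the visible lines checks that the code array and `errorMessages` have the same length before `errorMap` is filled from them, and this patch depends on both growing by exactly two entries in matching places. Consider an explicit length check ahead of `errorMap = new HashMap<Long,String>();`, plus a regression test asserting that 0x130 resolves to "CKR_DOMAIN_PARAMS_INVALID" and 0x200 to "CKR_FUNCTION_REJECTED", so that a future one-sided insertion fails loudly instead of shifting every later name.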
--- old/src/share/classes/sun/security/x509/X509Key.java	2010-04-12 16:37:31.338644512 +0100
+++ new/src/share/classes/sun/security/x509/X509Key.java	2010-04-12 16:37:31.167699281 +0100
@@ -171,7 +171,7 @@
                                       in.data.getUnalignedBitString());
 
         } catch (InvalidKeyException e) {
-            throw new IOException("subject key, " + e.getMessage());
+            throw new IOException("subject key, " + e.getMessage(), e);
         }
 
         if (in.data.available() != 0)
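Review bot: in the changed `throw new IOException("subject key, " + e.getMessage(), e);` the message is still built from `e.getMessage()`, which yields "subject key, null" when the InvalidKeyException carries no message. Now that `e` is attached as the cause, the text could be a fixed description of this parsing step, leaving the detail to the cause chain.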
@@ -224,7 +224,7 @@
         } catch (NoSuchAlgorithmException e) {
             // Return generic X509Key with opaque key data (see below)
         } catch (InvalidKeySpecException e) {
-            throw new InvalidKeyException(e.getMessage());
+            throw new InvalidKeyException(e.getMessage(), e);
         }
 
         /*
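Review bot: `new InvalidKeyException(e.getMessage(), e)` copies the cause's message verbatim, which is why "Could not create EC public key" repeats at several levels of the resulting trace in the description. A message that says what this layer was attempting would make the chain easier to read, since the cause already preserves the original text.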
                                     
2010-04-15
EVALUATION

Added the two missing entries from the 28 June 2004:

PKCS #11 v2.20: Cryptographic Token Interface Standard

Made sure values were correct, and no other entries were missing.  Fix looks to be in good shape.
                                     
2010-04-15
SUGGESTED FIX

http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c444651077d2
                                     
2010-04-16


