JDK-6695485 : SignedObject constructor throws ProviderException if it's called using provider "SunPKCS11-Solaris"
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 6,6u16
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_10
  • CPU: generic,sparc
  • Submitted: 2008-04-29
  • Updated: 2012-03-22
  • Resolved: 2010-04-14
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 Other
6u18Fixed 7 b89Fixed OpenJDK6Fixed
The constructor SignedObject(Serializable,PrivateKey,Signature) throws ProviderException in case when PrivateKey and Signature parameters are created using provider "SunPKCS11-Solaris".

Please see the minitest and it's output:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignedObject;

public class SignatureMinitest {
  public static void main(String[] args) throws Exception {
    String provider = "SunPKCS11-Solaris";
    Signature sig = Signature.getInstance("SHA384withRSA", provider);
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", provider);
    KeyPair kp = kpg.generateKeyPair();
    PrivateKey privKey = kp.getPrivate();
    PublicKey pubKey = kp.getPublic();

    new SignedObject("Test string for getSignature test.", privKey, sig);

Exception in thread "main" java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:483)
        at java.security.Signature$Delegate.engineSign(Signature.java:1128)
        at java.security.Signature.sign(Signature.java:522)
        at java.security.SignedObject.sign(SignedObject.java:227)
        at java.security.SignedObject.<init>(SignedObject.java:144)
        at SignatureMinitest.main(SignatureMinitest.java:20)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DATA_LEN_RANGE
        at sun.security.pkcs11.wrapper.PKCS11.C_Sign(Native Method)
        at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:474)
        ... 5 more

Possibly the root cause is the key length, because the same code with provider "SunRsaSign" produces InvalidKeyException:

Exception in thread "main" java.security.InvalidKeyException: Key is too short for this signature algorithm
        at sun.security.rsa.RSASignature.initCommon(RSASignature.java:111)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:93)
        at sun.security.rsa.RSASignature.engineInitSign(RSASignature.java:84)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1095)
        at java.security.Signature.initSign(Signature.java:480)
        at SignatureMinitest.main(SignatureMinitest.java:19)

EVALUATION It seems that this particular RSA key length check isn't implemented by the underneath crypto library such as NSS. Thus, SunPKCS11 provider would have to explicitly check and not rely on the native crypto library for RSA signature algorithms.