JDK-6994008 : PKCS11 should support "RSA" and "RSA/ECB/NoPadding" ciphers
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: solaris_10u10,5.0u12,7
  • Priority: P2
  • Status: Closed
  • Resolution: Won't Fix
  • OS: generic,solaris_10
  • CPU: generic,sparc
  • Submitted: 2010-10-21
  • Updated: 2011-05-23
  • Resolved: 2011-04-26
JDK 7: Fixed
Description
JDK 5.0/Weblogic/Solaris 10 fails to use T2000 onboard crypto accelerator for SSL operations

Customer uses kstat to verify use of ncp0:

bash-3.00# kstat -n ncp0 -s rsaprivate
module: ncp                             instance: 0   
name:   ncp0                            class:    misc
        rsaprivate                      35247
 
bash-3.00# kstat -n ncp0 -s rsaprivate
module: ncp                             instance: 0   
name:   ncp0                            class:    misc
        rsaprivate                      35247

The rsaprivate number does not increase over time while weblogic is doing ssl ops.

Customer has verified:

- that java.security file has pkcs11 provider listed first (default file settings, actually)
- that he's not using any java options to disable pkcs11 provider
- that there are crypto operations being performed by WLS
- that WLS is configured to listen and respond on secure port

<Aug 12, 2010 12:23:15 PM EDT> <Notice> <Server> <BEA-002613> <Channel "DefaultAdministration" is now listening on 147.141.83.138:60700 for protocols admin, ldaps, https.>
 
Customer has also verified that OpenSSL is offloading to the hw accelerator, by running `kstat -n ncp0 -s rsaprivate` and seeing the rsaprivate number increasing.

java.security and sunpkcs11-solaris.cfg files are attached along with weblogic log from a run with security debug flag set to all (also included are weblogic policy file and java options).  These are in initial_settings* tar file attached.

From these, it was noticed that 1) the settings in pkcs11 config file did not match the log, and 2) JCE provider was being used instead of PKCS provider. 

We verified with customer that the /tools/weblogic9/jdk1.5.0_12/jre/lib/security/sunpkcs11-solaris.cfg file was the same one he sent us.  However, an anomaly remains, as the initial debug log file reports:
Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
DISABLED in configuration

But the sunpkcs11 config file does not have this mechanism in the disabled list.

For observation 2, we tried disabling JCE provider and seeing what happens, but per the attached noJCE* debug log, it looks like JCE provider is still being used.  

Additionally, customer has tried enabling and disabling various mechanisms according to documentation, such as these instructions from "Wire-speed Cryptography for Securing Oracle SOA & Java EE Applications on Solaris (Emphasis on using Sun Chip Multi-threading (CMT) systems)" by Chad Prucha, Solutions Engineer, and Ramesh Nagappan, Security Architect...

Option 2: SSL Acceleration for Weblogic
1. Setup SSL listener for your Weblogic Server instance
   - Follow your Admin guide instructions for configuring SSL
   - Install the SSL certificates
2. Enable cryptographic acceleration for Weblogic SSL by editing JRE's SunPKCS11 provider configuration.
   - SunPKCS#11 provider is a generic provider to utilize any PKCS11 provider implementation.
   - The sunpkcs11 configuration file contains the attributes for accessing the hardware accelerator.
     - Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg
   - Mechanisms/attributes supported by the underlying hardware accelerator can be enabled or disabled at SunPKCS11 configuration file.
     - Include the RSA mechanisms in disableMechanisms list of SunPKCS11 softoken.
     - Helps to force those RSA mechanisms performed by NCP (Sun CMT accelerator)
3. Restart the Weblogic server instance.

Example: SunPKCS11 Provider configuration
Disabling Soft-token and enabling RSA mechanisms to use HW accelerator
name = Solaris
description = SunPKCS11 accessing Solaris Cryptographic Framework
library = /usr/lib/$ISA/libpkcs11.so
handleStartupErrors = ignoreAll
attributes = compatibility
disabledMechanisms = {
CKM_MD2
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_DSA_KEY_PAIR_GEN
CKM_SHA1_RSA_PKCS
CKM_MD5_RSA_PKCS
CKM_DSA_SHA1
CKM_TLS_KEY_AND_MAC_DERIVE
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_SSL3_PRE_MASTER_KEY_GEN
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_MASTER_KEY_DERIVE_DH
CKM_SSL3_MD5_MAC
CKM_SSL3_SHA1_MAC
}

Customer disabled all the mechanisms in the example, but still does not see the Weblogic server using the hw accelerator.  Also, customer has enabled all mechanisms and that had no effect either.

Comments
EVALUATION Release note wording suggestion: SunPKCS11 provider now supports Raw RSA encryption, i.e. Cipher.getInstance("RSA/ECB/NoPadding") calls, when the underlying PKCS11 library supports CKM_RSA_X_509 mechanism. In addition, SunPKCS11 provider recognizes "RSA" as an alias for the "RSA/ECB/PKCS1Padding" transformation when requesting a Cipher object.
23-05-2011

EVALUATION Since I'm not able to see the calling code...sigh...Sean/I had to instrument the JCA to get some info as to what is happening here.

In the debug log Sean posted, there are instances of Cipher.getInstance with the arguments: "RSA" and "RSA/ECB/NoPadding". It appears as though there is a Certicom JSSE/SSL provider, and it wants to use the Ciphers "RSA" and "RSA/ECB/NoPadding" for SSL. These modes are currently unsupported in SunPKCS11, and thus the implementations fall back to SunJCE. "RSA/ECB/PKCS1Padding" is the only currently supported mode/padding in SunPKCS11. "RSA" defaults to platform-dependent modes/padding, so using "RSA" is very risky.

In JSSE, when we are doing client certificate verification, we use Signature.getInstance("NONEwithRSA"), which is what I'm guessing they might be wanting to do with their call to Cipher "RSA/ECB/NoPadding".

So, to use this with today's JDK, I think WLS/Certicom would want to:
1) specify "RSA/ECB/PKCS1Padding" where they were using "RSA".
2) change their sig mechanism to use Signature "NONEwithRSA" instead of the Cipher "RSA/ECB/NoPadding".

How easy is it to change the Certicom code?

P.S. I haven't confirmed, but switching to the SunJSSE SSL/TLS implementation should use the on-chip SSL accelerations.
01-02-2011
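Added diagnostic (not from the bug report or the JDK) that shows the fallback the evaluation above describes: for each Cipher and Signature request named there, it reports which installed provider actually serves the call and whether the first-ranked provider registers it at all. It assumes it is run under the JRE whose java.security and sunpkcs11 config are being diagnosed; the class and method names are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

// Constructed diagnostic: show which provider answers each JCA request from the
// debug log, so a silent fallback from SunPKCS11 to SunJCE is visible without
// instrumenting the JCA or watching kstat counters.
public class RsaProviderCheck {
    // Requests seen in the log, plus the replacements the evaluation proposes.
    static final String[][] REQUESTS = {
        {"Cipher", "RSA"},                    // alias; padding is provider-dependent
        {"Cipher", "RSA/ECB/NoPadding"},      // raw RSA; SunPKCS11 lacked it before the fix
        {"Cipher", "RSA/ECB/PKCS1Padding"},   // the one RSA cipher SunPKCS11 served
        {"Signature", "NONEwithRSA"}          // JSSE's replacement for raw RSA signing
    };

    /** Name of the provider getInstance selects for the request, or null if none. */
    static String selectedProvider(String service, String algorithm) {
        try {
            Provider p = service.equals("Cipher")
                    ? Cipher.getInstance(algorithm).getProvider()
                    : Signature.getInstance(algorithm).getProvider();
            return p.getName();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    /** True if the named provider registers the service itself (aliases included). */
    static boolean claims(String providerName, String service, String algorithm) {
        Provider[] ps = Security.getProviders(service + "." + algorithm);
        if (ps == null) return false;
        for (Provider p : ps) if (p.getName().equals(providerName)) return true;
        return false;
    }

    public static void main(String[] args) {
        // java.security ranks SunPKCS11 first on Solaris; any request served by a
        // lower-ranked provider never reaches the accelerator.
        String first = Security.getProviders()[0].getName();
        System.out.println("first-ranked provider: " + first);
        for (String[] r : REQUESTS) {
            String got = selectedProvider(r[0], r[1]);
            boolean fallback = got != null && !got.equals(first);
            System.out.printf("%-9s %-22s -> %-10s registered by %s: %b%s%n", r[0], r[1],
                    got, first, claims(first, r[0], r[1]), fallback ? "  [FALLBACK]" : "");
        }
    }
}
```

A request marked [FALLBACK] is the case the evaluation describes: SunPKCS11 does not register that transformation, so the JCA hands it to the next provider and the rsaprivate counter stays flat.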