FULL PRODUCT VERSION :
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux satul-test 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux

EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Mozilla NSS as documented in http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#NSS

A DESCRIPTION OF THE PROBLEM :
Up until jre7u5 everything was working fine using NSS 3.4.12. Recently I updated to jre7u6 and the SSL handshake started failing. The same problem is there in the latest jre7u7 also. When I compared the sun.security.pkcs11.wrapper.PKCS11 class, I saw that two new methods were added in u6 which might have broken the pkcs11 interface with NSS. I cannot find any doc or release notes which mention this change.

    public native byte[] C_GetOperationState(long l) throws PKCS11Exception;
    public native void C_SetOperationState(long l, byte abyte0[], long l1, long l2) throws PKCS11Exception;

==========
The exception trace I am getting:

    java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
        at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
        at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
        at java.security.MessageDigest$Delegate.clone(Unknown Source)
        at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
        at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
        at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
        at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

REGRESSION. Last worked in version 7

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Download NSS 3.12.4. It is currently available at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/

2) Extract and rename nss-3.12.4.tar.gz to /root/nss/

Execute the following commands in a shell to create and configure the NSS database.

3)
    export LD_LIBRARY_PATH=/root/nss/lib/
    cd /root/nss/
    mkdir db
    /root/nss/bin/modutil -create -dbdir db/
    /root/nss/bin/modutil -fips true -dbdir db/
    /root/nss/bin/modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir db/

(A strong password like 'Password123!' is required.)

4) Now insert a key-pair into NSS. For that we first create a .jks file, convert it to .p12 format and insert the .p12 into NSS.

4.1) Create a new jks (test.jks) using the keytool command.

4.2) Convert .jks to .p12

    /jre/bin/keytool -importkeystore -srckeystore /root/nss/test.jks -srcalias test -destkeystore /root/nss/test.p12 -deststoretype PKCS12

4.3) Import the keypair into NSS

    /root/nss/bin/pk12util -d /root/nss/db -i /root/nss/test.p12

Now we have an NSS database which contains a keypair which is ready to be used by the Java program.

5) Execute the sample Java program which will listen on an SSL server socket and try to initiate an SSL handshake from a similar client program.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED - SSL handshake goes through fine. (Up until jre7 u5)
ACTUAL - Getting UnsatisfiedLinkError (from jre7 u6 onwards)

ERROR MESSAGES/STACK TRACES THAT OCCUR :

    java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
        at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
        at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
        at java.security.MessageDigest$Delegate.clone(Unknown Source)
        at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
        at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
        at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
        at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced always.
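
The trace above fails in P11Digest.clone, which the TLS code reaches through HandshakeHash.cloneDigest, so the failure can be isolated without sockets or certificates. The following check is an added example, not part of the original report: the class name P11DigestCloneCheck and the provider name NSSfips are hypothetical, the paths are taken from the reproduction steps, and the configuration keys are the NSS attributes from the PKCS#11 guide linked in the report.

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.Provider;
import java.util.Arrays;

// Added example: exercises MessageDigest.clone() on the SunPKCS11/NSS provider,
// the same call that HandshakeHash makes while building the Finished message.
public class P11DigestCloneCheck {
    // Assumption: NSS library and database locations from the reproduction steps.
    static final String CONFIG =
          "name = NSSfips\n"
        + "nssLibraryDirectory = /root/nss/lib\n"
        + "nssSecmodDirectory = /root/nss/db\n"
        + "nssModule = fips\n";

    // Returns a one-line verdict for a single digest algorithm.
    static String check(Provider p, String alg) {
        try {
            MessageDigest md = MessageDigest.getInstance(alg, p);
            md.update("constructed handshake bytes".getBytes("UTF-8"));
            // A clone must carry the running state, so both digests must match.
            MessageDigest copy = (MessageDigest) md.clone();
            return Arrays.equals(md.digest(), copy.digest())
                ? "clone OK" : "clone returned a different state";
        } catch (CloneNotSupportedException e) {
            return "clone not supported by token: " + e.getMessage();
        } catch (UnsatisfiedLinkError e) {
            // Java wrapper declares a native method the loaded library lacks.
            return "native method missing: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Java 7/8 constructor; the configuration is passed as a stream.
        Provider p = new sun.security.pkcs11.SunPKCS11(
            new ByteArrayInputStream(CONFIG.getBytes("UTF-8")));
        System.out.println(System.getProperty("java.version") + " / " + p.getInfo());
        for (String alg : new String[] {"MD5", "SHA-1"}) {
            System.out.println(alg + ": " + check(p, alg));
        }
    }
}
```

Running it under each JRE update in turn shows which builds resolve the native method, independent of any keystore or handshake setup.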