Bug ID: JDK-7195931 UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6 +

Type: Bug
Component: security-libs
Sub-Component: javax.crypto:pkcs11
Affected Version: 7u6

Priority: P3
Status: Closed
Resolution: Fixed
OS: linux
CPU: x86

Submitted: 2012-09-04
Updated: 2012-10-26
Resolved: 2012-09-13

JDK 7
7u40Fixed

FULL PRODUCT VERSION :
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux satul-test 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux


EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Mozilla NSS as documented in

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#NSS

A DESCRIPTION OF THE PROBLEM :
Up til jre7u5 everything was working fine using NSS 3.4.12.

Recently i updated to jre7u6 and SSL handshake started failing. The same problem is there in the latest jre7u7 also.

When i compared the sun.security.pkcs11.wrapper.PKCS11 class i see that two new methods were added in u6 which might have broken the pkcs11 interface with NSS. I cannot find any doc or release notes which mention about this change.

public native byte[] C_GetOperationState(long l)
        throws PKCS11Exception;

    public native void C_SetOperationState(long l, byte abyte0[], long l1, long l2)
        throws PKCS11Exception;

==========
The exception trace i am getting

java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
    at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
    at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
    at java.security.MessageDigest$Delegate.clone(Unknown Source)
    at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
    at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)



REGRESSION.  Last worked in version 7

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Download NSS 3.12.4. It is currently available at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/

2) Extract and rename nss-3.12.4.tar.gz to /root/nss/

Execute following commands in Shell to create and configure NSS database.

3)
 export LD_LIBRARY_PATH=/root/nss/lib/"
 cd /root/nss/
 mkdir db
 /root/nss/bin/modutil -create -dbdir db/
 /root/nss/bin/modutil -fips true -dbdir db/
 /root/nss/bin/modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir db/
(A strong password like 'Password123!' is required.)

4) Now insert a key-pair to NSS. For that we first create a .jks file, convert to .p12 format and insert .p12 to nss.

4.1) Create a new jks (test.jks) using keytool command.
4.2) Convert .jks to .p12

    /jre/bin/keytool -importkeystore -srckeystore /root/nss/test.jks -srcalias test -destkeystore /root/nss/test.p12 -deststoretype PKCS12

4.3)  import keypair into NSS
    /root/nss/bin/pk12util -d /root/nss/db -i /root/nss/test.p12

Now we have an NSS database which contains a keypair which is ready to be used by the java program.

5) Execute the sample java program which will listen to a ssl server socket and try to initiate ssl handshake from a similar client program.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
SSL Handshake goes through fine.  (Uptil jre7 u5)
ACTUAL -
Getting UnsatisfiedLink error (From jre7 u6 onwards)

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.UnsatisfiedLinkError: sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(J)[B
    at sun.security.pkcs11.wrapper.PKCS11.C_GetOperationState(Native Method)
    at sun.security.pkcs11.P11Digest.clone(P11Digest.java:308)
    at java.security.MessageDigest$Delegate.clone(Unknown Source)
    at sun.security.ssl.HandshakeHash.cloneDigest(Unknown Source)
    at sun.security.ssl.HandshakeHash.getMD5Clone(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.getFinished(Unknown Source)
    at sun.security.ssl.HandshakeMessage$Finished.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

EVALUATION Release Engineering Issue discovered, fixing.

10-09-2012

EVALUATION This doesn't make sense to me: the 7u7/7u10 code this is still showing these two methods as commented out in sun.security.pkcs11/wrapper/PKCS11.java, and the last change in this file was in May 2010. http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/log/23fb5a871f56/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java Hopefully the RE can make more headway than I was.

04-09-2012