JDK-8006625 : ECParameters, Point does not match field size
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 6u45,7u21,8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Won't Fix
  • OS: solaris_10
  • Submitted: 2013-01-21
  • Updated: 2016-09-30
  • Resolved: 2013-09-12
Related Reports
Duplicate :  
JDK-7157786 - jce/ECC fails on Linux and Solaris-sparc for "Could not parse key"
Duplicate :  
JDK-8026976 - ECParameters, Point does not match field size
Relates :  
JDK-8044794 - ECC ciphers still fail intermittently with "bad_record_mac" on Solaris 11.1
Relates :  
JDK-8154821 - Update issue number for sun/security/pkcs11/ec/TestKeyFactory.java in ProblemList
Relates :  
JDK-8157665 - ProblemList.txt needs to be updated as 7041639 closed
Description
Testing failure of  sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSessionImpl/HashCodeMissing.java:

javax.net.ssl.SSLException: java.lang.RuntimeException: Could not parse key values
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1925)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1882)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1865)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1791)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:128)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
	at HashCodeMissing.doClientSide(HashCodeMissing.java:135)
	at HashCodeMissing$2.run(HashCodeMissing.java:289)
Caused by: java.lang.RuntimeException: Could not parse key values
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1055)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.getW(P11Key.java:1076)
	at sun.security.ssl.ECDHClientKeyExchange.<init>(ECDHClientKeyExchange.java:58)
	at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:846)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:283)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:881)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:816)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1052)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1351)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:720)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	... 3 more
Caused by: java.io.IOException: Point does not match field size
	at sun.security.ec.ECParameters.decodePoint(ECParameters.java:94)
	at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:80)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1051)
	... 13 more
Comments
Vincent has closed JDK-8004500 as a duplicate of this bug, so I am addng the logs form JDK-8004500 to this bug for Aurora matching: sun/security/pkcs11/ec/ReadPKCS12.java ----------messages:(3/119)---------- command: main ReadPKCS12 reason: Assumed action based on file name: run main ReadPKCS12 elapsed time (seconds): 1.086 ----------System.out:(11/543)---------- Beginning test run ReadPKCS12... Running test with provider SunPKCS11-Solaris... Reading ECCp224.p12... Aliases: [eccp224] Certificates: 2 SunPKCS11-Solaris EC private key, 224 bits (id 4309358448, session object, not sensitive, extractable) SunPKCS11-Solaris EC public key, 224 bits (id 4312433632, session object) public x coord: 18667271202773382039520808925225759273872975023771619809054668826521 public y coord: 21081197745932017695404160874802756561451976404732788780733477110816 parameters: secp224r1 [NIST P-224] (1.3.132.0.33) ----------System.err:(20/1093)---------- java.security.SignatureException: Signature does not match. at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:444) at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:387) at ReadPKCS12.verifyCerts(ReadPKCS12.java:137) at ReadPKCS12.main(ReadPKCS12.java:99) at PKCS11Test.premain(PKCS11Test.java:30) at PKCS11Test.testDefault(PKCS11Test.java:64) at PKCS11Test.main(PKCS11Test.java:37) at ReadPKCS12.main(ReadPKCS12.java:24) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.javatest.regtest.MainWrapper$MainThread.run(MainWrapper.java:94) at java.lang.Thread.run(Thread.java:680) JavaTest Message: Test threw exception: java.security.SignatureException: Signature does not match. JavaTest Message: shutting down test STATUS:Failed.`main' threw exception: java.security.SignatureException: Signature does not match.
16-05-2014
bug was marked as resolved - wont fix. Hence not verifying.
29-10-2013
The root cause is in Solaris native PKCS11 and Mozilla NSS libraries.
12-09-2013
One more SQE test affected (see JDK-7157786 that was closed as a duplicate of this bug): jce/ECC
12-09-2013
For DKFL - JSSE/Interop/eccHttps/ECCWithSunEC JSSE/Interop/eccHttps/ECCWithoutSunEC JSSE/Interop/eccHttps/ECCWithSunEC_internal JSSE/Interop/eccHttps/ECCWithoutSunEC_internal
06-08-2013
This issue is not specific to a CPU release but rather appears to be caused by a Solaris bug. I am currently investigating the issue. If a JDK fix is required (not certain yet) then we will fix it in jdk8 first. Once it has baked, and if there is a need for this in a 7u release then we can create an appropriate backport issue.
02-05-2013
This issue is caused by stricter checking on EC keys that was added to conform to ANSI X9.63. The check can fail on Sparc Sun4v platforms due to the less strict checking in its PKCS11 native implementation. As the failure is intermittent the fix can be safely deferred until a future release.
01-05-2013
SQE is OK to deffer the fix from CPU13_02
28-03-2013
We will need testing status on JDK 8 builds, especially before and after the fix for 7152169 and 7198901, as well as if the failures are consistent or intermittent. If the failures are consistent then we would like to get access information to the system that the failures are being observed so that Dev can debug.
28-03-2013
I have no reproduced or evaluated the issue. From the exception stack, it looks like an issue of PKCS11 of the platform. Please re-target the issue to javax.net.ssl if it is not a PKCS11 bug.
21-01-2013