JDK-8162379 : RSA premaster secret decryption error: java.security.ProviderException: Could not construct CipherSpi instance
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u102
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86_64
  • Submitted: 2016-07-21
  • Updated: 2016-07-22
  • Resolved: 2016-07-22
Related Reports
Duplicate :  
JDK-8158111 - Make handling of 3rd party providers more stable
Description
FULL PRODUCT VERSION :
java version "1.8.0_102"
Java(TM) SE Runtime Environment (build 1.8.0_102-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux 2.6.32-573.22.1.el6.x86_64 #1 SMP Thu Mar 17 03:23:39 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux


EXTRA RELEVANT SYSTEM CONFIGURATION :
Unlimited Strength JCE installed 
Using nfast client libraries to connect with Thales NCipher HSM device

A DESCRIPTION OF THE PROBLEM :
The original bug is http://bugs.java.com/view_bug.do?bug_id=8161984

The issue relates to the above bug which was reported earlier and has been closed saying its Duplicate of JDK-8149017 and comments says fixed in JDK 1.8.0_102

We tested with latest version and the original issue with Premaster secret too long has been fixed but now resulting in another error why performing the decryption: The error descripton is  
RSA premaster secret decryption error:
java.security.ProviderException: Could not construct CipherSpi instance

fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: Could not generate dummy secret

The original issue has been fixed but now a new issue is seen with JDK 1.8.0_102. It works fine with JDK 1.8.0_112 (early access release). 

Also, we trailed back the Java archive to see when it was introduced and our finding is that it works with JDK 1.8.0_11  but no other version as that. So this was introduced after  JDK 1.8.0_11 release version and not JDK 1.8.0_45 which JDK-8149017 bug reports as the last working version. 

So in my view both bugs are different though the error description returned is the same.

Could you please investigate?





REGRESSION.  Last worked in version 8u102

ADDITIONAL REGRESSION INFORMATION: 
Last worked in version JDK 8u11

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Just establish SSL connection with the Server using the TLS_RSA cipher suites enabled. 


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Should establish SSL successfully 

ACTUAL -
RSA premaster secret decryption error:
java.security.ProviderException: Could not construct CipherSpi instance

fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: Could not generate dummy secret


ERROR MESSAGES/STACK TRACES THAT OCCUR :
2016-07-20 12:33:48,153  INFO  [SystemOut] qtp820422499-55, READ: TLSv1 Handshake, length = 134
2016-07-20 12:33:48,155  INFO  [SystemOut] RSA premaster secret decryption error:
2016-07-20 12:33:48,155  INFO  [SystemOut] java.security.ProviderException: Could not construct CipherSpi instance
2016-07-20 12:33:48,155  INFO  [SystemOut]      at javax.crypto.Cipher.chooseFirstProvider(Cipher.java:781)
2016-07-20 12:33:48,155  INFO  [SystemOut]      at javax.crypto.Cipher.getProvider(Cipher.java:905)
2016-07-20 12:33:48,155  INFO  [SystemOut]      at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:134)
2016-07-20 12:33:48,155  INFO  [SystemOut]      at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:246)
2016-07-20 12:33:48,155  INFO  [SystemOut]      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at java.security.AccessController.doPrivileged(Native Method)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:613)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:313)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:223)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
2016-07-20 12:33:48,156  INFO  [SystemOut]      at java.lang.Thread.run(Thread.java:745)
2016-07-20 12:33:48,156  INFO  [SystemOut] qtp820422499-55, fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: Could not generate dummy secret
2016-07-20 12:33:48,156  INFO  [SystemOut] %% Invalidated:  [Session-5, TLS_RSA_WITH_AES_128_CBC_SHA]
2016-07-20 12:33:48,156  INFO  [SystemOut] qtp820422499-55
2016-07-20 12:33:48,156  INFO  [SystemOut] , SEND TLSv1 ALERT:
2016-07-20 12:33:48,156  INFO  [SystemOut] fatal,
2016-07-20 12:33:48,156  INFO  [SystemOut] description = internal_error
2016-07-20 12:33:48,156  INFO  [SystemOut] qtp820422499-55, WRITE: TLSv1 Alert, length = 2
2016-07-20 12:33:48,156  WARN  [org.eclipse.jetty.util.thread.QueuedThreadPool]
java.lang.RuntimeException: Could not generate dummy secret
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429) ~[?:1.8.0_102]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_102]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_102]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_102]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_102]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:509) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:313) ~[jetty-server-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:223) ~[jetty-server-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213) ~[jetty-util-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147) ~[jetty-util-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654) ~[jetty-util-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572) ~[jetty-util-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Caused by: java.lang.RuntimeException: Could not generate dummy secret
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:172) ~[?:1.8.0_102]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:246) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:1.8.0_102]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:1.8.0_102]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:613) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        ... 13 more
Caused by: java.security.ProviderException: Could not construct CipherSpi instance
        at javax.crypto.Cipher.chooseFirstProvider(Cipher.java:781) ~[?:1.8.0_102]
        at javax.crypto.Cipher.getProvider(Cipher.java:905) ~[?:1.8.0_102]
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:134) ~[?:1.8.0_102]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:246) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:1.8.0_102]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_102]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:1.8.0_102]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:613) ~[jetty-io-9.3.6.v20151106patch1.jar:9.3.6.v20151106patch1]
        ... 13 more
2016-07-20 12:33:48,156  WARN  [org.eclipse.jetty.util.thread.QueuedThreadPool] Unexpected thread death: org.eclipse.jetty.util.thread.QueuedThreadPool$3@4f5ea9e2 in qtp820422499{STARTED,10<=10<=200,i=7,q=0}

REPRODUCIBILITY :
This bug can be reproduced always.

SUPPORT :
YES
Comments
Please try removing javax.net.debug system property as workaround. This is fixed in JDK 8u112 with JDK-8158111. Your company may have a Java SE Advanced support contract, and you may want to check with your Java POC and file a SR through My Oracle Support in case you require some immediate action.
22-07-2016