JDK-8191175 : P11KeyPairGenerator throws ProviderException instead of InvalidParameterException with unsupported keysize
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u181
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-11-14
  • Updated: 2018-01-02
  • Resolved: 2017-11-20
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6u191 b01Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Description
In 6u, the bug fix JDK-8072452 increased DH/DSA keysize limits. 

From regression test (sun.security.pkcs11.KeyPairGenerator.TestDH2048) with SunPKCS11-NSS
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", p);
        kpg.initialize(3072);//not supported with nss version 3.13
        KeyPair kp1 = kpg.generateKeyPair();


In this case  (when tested with unsupported keysize) the sun/security/pkcs11/P11KeyPairGenerator.java throws java.security.ProviderException instead if IPE:

java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCOMPLETE
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:338)
        at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:650)
        at TestDH2048.main(TestDH2048.java:45)
        at PKCS11Test.premain(PKCS11Test.java:30)
        at PKCS11Test.testNSS(PKCS11Test.java:162)
        at PKCS11Test.main(PKCS11Test.java:38)
        at TestDH2048.main(TestDH2048.java:66)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:110)
        at java.lang.Thread.run(Thread.java:682)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCOMPLETE
        at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
        at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:329)
        ... 12 more

The 7u-cpu build jdk1.7.0_171b06 gives InvalidParameterException as expected when checked with higher unsupported keysize.

Comments
Same test in jdk1.7.0_171b06 throws java.security.InvalidParameterException when tested with DH keysize 16384 bit.
14-11-2017