JDK-8232950 : SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 13,14
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86_64
  • Submitted: 2019-10-23
  • Updated: 2023-07-25
  • Resolved: 2019-10-31
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 JDK 8 Other
11.0.7-oracleFixed 13.0.3Fixed 14 b22Fixed 8u391Fixed openjdk8u352Fixed
Description
ADDITIONAL SYSTEM INFORMATION :
CentOS 6
OpenJDK 13.0.1
PKCS11 driver is LunaHSM cryptoki2 64-bit version 6 (/usr/safenet/lunaclient/lib/libCryptoki2_64.so)

A DESCRIPTION OF THE PROBLEM :
When generating RSASSA-PSS signatures using SunPKCS11 it generates the error: "RSA key must be at least 1024 bytes"  even though I have a 2048 bit RSA key.

P11PSSSignature.java:352 check min and max key length fetched from Mechanism Info but check the key lengths in bytes instead of bits which is defined in PKCS11 v2.40 http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf section 2.1.10.

To fix this should row 345 in P11PSSSignature be changed from
keySize = (((P11Key) key).length() + 7) >> 3;
to something like:
keySize = ((P11Key) key).length();
and row 347:
keySize = ((RSAKey) key).getModulus().bitLength() >> 3;
to something like:
keySize = ((RSAKey) key).getModulus().bitLength();



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a SUNPKCS11 Provider with a PKCS11 library that returns Mechanism Info according to PKCS11 2.40 such as Safenet LUNA HSM Version 6.

Create a signature with:
            Signature signature = Signature.getInstance("RSASSA-PSS", sunPKCS11Provider)
            signature.setParameter(new PSSParameterSpec("SHA-256", "MGF1",new MGF1ParameterSpec("SHA256"),222,1))
            signature.initSign(privateKey)
            signature.update(signData)
            byte[] signatureData = signature.sign()


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Signature should be generated.
ACTUAL -
The signature operation generates a java.security.InvalidKeyException: RSA key must be at least 1024 bytes

FREQUENCY : always



Comments
Fix request (8u) Applies cleanly. No regressions in jdk_security tests (ran locally).
22-08-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/109 Date: 2022-08-22 19:06:23 +0000
22-08-2022

Fix request (13u) Applies cleanly.
20-03-2020

Fix request (11u) Small, minimal risk patch, applies cleanly.
24-01-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/6d081cef7ea8 User: valeriep Date: 2019-10-31 02:23:48 +0000
31-10-2019

Existing regression test already covers this check, however, the test is run against NSS whose low/high range almost always pass the check even when the incorrect unit (bits vs bytes) is used. When using other PKCS11 library which has a higher minKeySize value such as 1024, existing regression test should catch this bug. So, no new reg test is added. Added noreg-other label.
31-10-2019

Fix the key size check accordingly, i.e. compare bits to bits or bytes to bytes.
30-10-2019