JDK-8074580 : sun/security/pkcs11/rsa/TestKeyPairGenerator.java fails due to PKCS11Exception: CKR_FUNCTION_FAILED
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 7,8,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: linux,solaris,windows
  • CPU: generic
  • Submitted: 2015-03-06
  • Updated: 2017-09-19
  • Resolved: 2016-06-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 9
9 b125Fixed
Related Reports
Duplicate :  
JDK-8022313 - sun/security/pkcs11/rsa/TestKeyPairGenerator.java failed in aurora
Relates :  
JDK-8078880 - Mark a few more intermittently failing security-libs tests
Relates :  
JDK-8160337 - Remove intermittent key from sun/security/pkcs11/rsa/TestKeyPairGenerator.java
Relates :  
JDK-8131184 - Add test sun/security/pkcs11/rsa/TestKeyPairGenerator.java to the problem list
Relates :  
JDK-8022313 - sun/security/pkcs11/rsa/TestKeyPairGenerator.java failed in aurora
Description
This failure was spotted in an Aurora adhoc job:

sun/security/pkcs11/rsa/TestKeyPairGenerator.java

    This test failed due to 'java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception:
    CKR_FUNCTION_FAILED"


Here is a snippet of the .jtr file:

----------System.err:(23/1495)----------
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:386)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697)
	at TestKeyPairGenerator.main(TestKeyPairGenerator.java:119)
	at PKCS11Test.premain(PKCS11Test.java:86)
	at PKCS11Test.testNSS(PKCS11Test.java:403)
	at PKCS11Test.main(PKCS11Test.java:96)
	at TestKeyPairGenerator.main(TestKeyPairGenerator.java:97)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:502)
	at com.sun.javatest.regtest.MainWrapper$MainThread.run(MainWrapper.java:94)
	at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
	at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:378)
	... 12 more

JavaTest Message: Test threw exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
JavaTest Message: shutting down test

STATUS:Failed.`main' threw exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
Comments
The fix has been integrated in to jdk9/dev/jdk, and the test has been removed from the problem list. Please file a new bug if CKR_FUNCTION_FAILED error occurs again.
22-06-2016
We may have to modify the test if the recalling of NSS still fails. Let's integrate and observe.
22-06-2016
Code review: http://mail.openjdk.java.net/pipermail/security-dev/2016-June/014205.html
20-06-2016
Would implementing the sort of configuration test mentioned in JDK-8086004 "Create regression test to verify environment for security tests" be of help here?
10-06-2016
We have no control on when NSS fixes this bug. However, we should limit the re-try to this particular scenario as a workaround if recalling NSS works. If recalling does not work or have a low chance of working, maybe just update the test to ignore this error until we can update NSS version to one which has this fixed.
10-06-2016
https://bugzilla.mozilla.org/show_bug.cgi?id=1012786 is open and unassigned, so I suppose latest NSS versions are affected. It doesn't look like there is any plan to fix it soon. I would prefer to follow the note above from PKCS11 spec, and try to call the function again in case of CKR_FUNCTION_FAILED error.
08-06-2016
Good findings, thanks! I wonder if we don't see this issue when provided by SunPKCS11-Solaris, should the fix be made in PKCS11 provider or not. Is this issue fixed in later versions of NSS library, if any?
08-06-2016
PKCS11 spec says the following about CKR_FUNCTION_FAILED error: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf ... CKR_FUNCTION_FAILED: The requested function could not be performed, but detailed information about why not is not available in this error return. If the failed function uses a session, it is possible that the CK_SESSION_INFO structure that can be obtained by calling C_GetSessionInfo will hold useful information about what happened in its ulDeviceError field. In any event, although the function call failed, the situation is not necessarily totally hopeless, as it is likely to be when CKR_GENERAL_ERROR is returned. Depending on what the root cause of the error actually was, it is possible that an attempt to make the exact same function call again would succeed. ... In this particular case, CKR_FUNCTION_FAILED error doesn't seem to be hopeless, and next call may succeed. So it may be better to follow this advice from the spec, and implement the second approach above.
08-06-2016
I found a bug against NSS which may cause this issue https://bugzilla.mozilla.org/show_bug.cgi?id=1012786 It says in description: ... See bug 1002814 comment 14: What I'm seeing is that RSA_NewKey is occasionally failing with SEC_ERROR_NEED_RANDOM (which gets unhelpfully translated to CKR_FUNCTION_FAILED and then SEC_ERROR_PKCS11_FUNCTION_FAILED by the time PK11_GenerateKeyPair reports the error to GenerateKeyPair in pkixtestutil.cpp) ... If I understand it correctly, the problem is in RSA_NewKey() fucntion which may fail with SEC_ERROR_NEED_RANDOM in case of lack of entropy. Then, this error is converted to CKR_FUNCTION_FAILED error. SEC_ERROR_PKCS11_FUNCTION_FAILED error is related only to GenerateKeyPair() in pkixtestutil.cpp which belongs to Mozilla code (not NSS libs). I see two ways to avoid this test failure: 1. Update the test to expect CKR_FUNCTION_FAILED error in case of NSS (it can also rerun the failed test case to make sure that this error doesn't happen always) 2. Update SunPKCS11 provider to expect CKR_FUNCTION_FAILED error, and attempt to generate RSA keys again (this workaround was implemented in Mozilla, see https://hg.mozilla.org/integration/mozilla-inbound/file/f99ad5c1e65e/security/pkix/test/lib/pkixtestutil.cpp#l593 and https://bugzilla.mozilla.org/show_bug.cgi?id=1002814 ) The second way would make SunPKCS11 provided more stable.
08-06-2016
The bug was originally reported about CKR_FUNCTION_FAILED error. The CKR_ARGUMENTS_BAD failure above occurred with SunPKCS11-Solaris provider, and it seems to be a different issue. Please file a separate bug if CKR_ARGUMENTS_BAD happens again. While looking at all provided logs, I noticed that CKR_FUNCTION_FAILED error occurs on Linux, Solaris and Windows, but only when NSS libs are used. I don't see that this error has occurred with SunPKCS11-Solaris provided. Given that, it may be an NSS issue.
08-06-2016
At Google we're also seeing this test fail with jdk8. STDOUT: Beginning test run TestKeyPairGenerator... Running test with provider SunPKCS11-NSS... Generating 512 bit keypair... SunPKCS11-NSS RSA public key, 512 bits (id 2, session object) modulus: 9670079322129975052938940318569892224433716030950449713395401477320695838314898495176166528296343471719274328394838935672143915755324123744394532233199563 public exponent: 65537 Testing MD2withRSA... Testing MD5withRSA... Testing SHA1withRSA... Testing SHA224withRSA... Testing SHA256withRSA... Generating 512 bit keypair... STDERR: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:386) at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:697) at TestKeyPairGenerator.main(TestKeyPairGenerator.java:119) at PKCS11Test.premain(PKCS11Test.java:86) at PKCS11Test.testNSS(PKCS11Test.java:404) at PKCS11Test.main(PKCS11Test.java:96) at TestKeyPairGenerator.main(TestKeyPairGenerator.java:97) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:110) at java.lang.Thread.run(Thread.java:745) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method) at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:378) ... 12 more JavaTest Message: Test threw exception: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
29-03-2016
It'd be very helpful if more stack trace info can be included in addition to the new Exception message/code.
09-09-2015
Test failed in 1.8.0_51 b16 for Solaris 11.3 x64 RULE "sun/security/pkcs11/rsa/TestKeyPairGenerator.java" Exception java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD RULE "sun/security/pkcs11/rsa/TestKeyPairGenerator.java" Exception sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ARGUMENTS_BAD
28-08-2015
Test failed in 7u95 Nightly: http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=1089748.CORELIBS-JDK7u-NIGHTLY-JTREG-14
18-08-2015
Raising priority to P3 since this has been failing intermittently for quite some time.
26-06-2015
I noticed that this test uses Random (and might cause test fails intermittently): data = new byte[2048]; ... new Random().nextBytes(data); ... Test might need keyword "uses-randomness" in this case. Please refer to: http://mail.openjdk.java.net/pipermail/jdk9-dev/2015-March/001991.html
31-03-2015
I had not seen your confidential entries when I evaluated this
09-03-2015
Please re-read the comment above the last comment. I very clearly showed that the fix for JDK-8022313 was present in the test run that I did.
09-03-2015
This was recently fixed with JDK-8022313. This bug give no details as to what build this failure occurred. Please verify whether JDK-8022313 was in test run. If it was, then you can reopen the bug.
09-03-2015