Bug ID: JDK-8132082 Let OracleUcrypto accept RSAPrivateKey

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 7	JDK 8	JDK 9	Other
7u85Fixed	8u60Fixed	9 b82Fixed	openjdk7uFixed

An issue since fix for JDK-8081297 - seen in this testcase : 

sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/RSAExport.java

The exception message shows as : 
"javax.net.ssl.SSLProtocolException: Unable to process PreMasterSecret, may be too big"

but the main exception is swallowed by security code. Some instrumenting shows this : 

** needFailover is : false
** DEBUG java.security.InvalidKeyException: RSAPrivateCrtKey required for decryption
java.security.InvalidKeyException: RSAPrivateCrtKey required for decryption
        at com.oracle.security.ucrypto.NativeRSACipher.engineInit(NativeRSACipher.java:209)
        at javax.crypto.Cipher.init(Cipher.java:1394)
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:133)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:241)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:983)
        at sun.security.ssl.Handshaker.processRecord(Handshaker.java:917)
        at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1101)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1038)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:949)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1356)
        at sun.security.ssl.SSLSocketImpl.bytesInCompletePacket(SSLSocketImpl.java:883)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:144)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:84)
        at RSAExport.doServerSide(RSAExport.java:359)

SQE OK to defer it from CPU15_04 if RTeam agree with JDK-8081297 deferral
31-08-2015
Escape-exclude label is added since it affects not CPU15_03, but BPR for 7u85. Bug was filed in proper time.
27-08-2015
Removing testbug label. Please provide justification if you see this as a test only bug.
27-08-2015
adding just "cipher.getProvider().getName()" to the current vanilla jdk 9 code in this class is enough to trigger this Ucrypto issue. It's like UCrypto wasn't used before this fix. Strange. The proposed fix for now is quite simple : --- a/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java +++ b/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java @@ -115,6 +115,11 @@ try { Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); + if (cipher.getProvider().getName().equals("OracleUcrypto")) { + // Ucrypto doesn't work with RSAPrivateKey (needs RSAPrivateCrtKey) + cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1, "SunJCE"); + } cipher.init(Cipher.UNWRAP_MODE, privateKey, Yet to test this on JPRT.
21-07-2015
instrumented the Ucrypto exception message - we really need to improve exception messages! java.security.InvalidKeyException: RSAPrivateCrtKey required for decryption. Received: sun.security.rsa.RSAPrivateKeyImpl at com.oracle.security.ucrypto.NativeRSACipher.engineInit(NativeRSACipher.java:211) at javax.crypto.Cipher.init(Cipher.java:1394) Not sure why this change is seen now - have we a Provider initialization race issue? more debugging to be done. If not, why didn't ucrypto code complain before the jdk-8081297 change.
21-07-2015