JDK-8233954 : UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
- Type: Bug
- Component: security-libs
- Sub-Component: javax.crypto
- Affected Version: 11.0.5-oracle,13,14
- Priority: P2
- Status: Closed
- Resolution: Fixed
- OS: windows_10
- CPU: x86_64
- Submitted: 2019-11-08
- Updated: 2022-06-27
- Resolved: 2019-11-22
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 11 | JDK 13 | JDK 14 | JDK 8 | Other |
|---|---|---|---|---|
| 11.0.6-oracleFixed | 13.0.6Fixed | 14 b25Fixed  |
8u261Fixed |
openjdk8u272Fixed |
Related Reports
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
Description
ADDITIONAL SYSTEM INFORMATION :
java version "11.0.5" 2019-10-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.5+10-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode)
Windows 10 Pro
A DESCRIPTION OF THE PROBLEM :
We develop an application with which we bundle the Oracle JDK. We currently use Java 8 but are looking to go to Java 11.
Our Legal department requires that the Elliptic Curve Cryptography library is removed so we have done so, according to the instructions in jdk/legal/jdk.crypto.ec/ecc.md which tells us to simply delete libsunec.so/libsunec.dylib/sunec.dll.
Doing so works well on Java 8 but with Java 11(.0.5, but as it appears earlier versions as well) this results in failure to establish TLS connections. We've seen two types of failures as shown below. The first one is from the small test program I'm attaching.
1)
Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at com.example.NoEcTest.main(NoEcTest.java:13)
2)
java.lang.RuntimeException: Could not generate ECDH keypair
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:117)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:735)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:710)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:598)
[REDACTED]
Caused by: java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
at java.base/sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:237)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:109)
... 35 more}
REGRESSION : Last worked in version 8u231
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Install Oracle JDK 11.0.5 on Windows
2) Remove sunec.dll
3) Try to establish a TLS connection
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
To be able to connect (as long as the server accepts some non-EC cipher suites).
ACTUAL -
Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.isCurveSupported([B)Z
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.isCurveSupported(Native Method)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.ensureCurveIsSupported(ECKeyPairGenerator.java:135)
at jdk.crypto.ec/sun.security.ec.ECKeyPairGenerator.initialize(ECKeyPairGenerator.java:114)
at java.base/java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:699)
at java.base/sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:112)
at java.base/sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:575)
at java.base/sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:88)
at java.base/sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
at java.base/sun.security.ssl.SSLExtension.produce(SSLExtension.java:532)
at java.base/sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:249)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:648)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at com.example.NoEcTest.main(NoEcTest.java:13)
---------- BEGIN SOURCE ----------
package com.example;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
public class NoEcTest {
public static void main(String[] args) throws IOException {
URL url = new URL("https://example.com/");
HttpURLConnection con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
con.connect();
System.out.println(con.getResponseCode());
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Providing another EC library (like Bouncy Castle).
FREQUENCY : always
Comments
|