JDK-8285774 : java.lang.RuntimeException: invalid key or spec in GCM mode
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8
  • Priority: P3
  • Status: Resolved
  • Resolution: Incomplete
  • OS: generic
  • CPU: generic
  • Submitted: 2022-04-22
  • Updated: 2022-08-19
  • Resolved: 2022-08-19
Description
ADDITIONAL SYSTEM INFORMATION :
Debian linux

A DESCRIPTION OF THE PROBLEM :

We are deploying an application in the cloud. When we do the deployment, I am getting the below error frequently and my Kubernetes pod is getting restarted.

If I use the "jre:8u242" openjdk version, I don't see this issue. But in the latest 1.8 patch version like "jre:8u302" I am seeing this issue.

Please give some guidelines to fix this issue.

Error Stacktrace:

2022-04-18 15:10:52,717 [][][] WARN  internal.WatchConnectionManager [OkHttp https://10.96.0.1/...]  - Exec Failure
java.lang.RuntimeException: invalid key or spec in GCM mode
        at sun.security.ssl.SSLCipher$T12GcmWriteCipherGenerator$GcmWriteCipher.encrypt(SSLCipher.java:1703) ~[?:1.8.0_302]
        at sun.security.ssl.OutputRecord.t10Encrypt(OutputRecord.java:411) ~[?:1.8.0_302]
        at sun.security.ssl.OutputRecord.encrypt(OutputRecord.java:347) ~[?:1.8.0_302]
        at sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:78) ~[?:1.8.0_302]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:355) ~[?:1.8.0_302]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_302]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_302]
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1563) ~[?:1.8.0_302]
        at sun.security.ssl.SSLSocketImpl.access$400(SSLSocketImpl.java:73) ~[?:1.8.0_302]
        at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:973) ~[?:1.8.0_302]
        at okio.Okio$2.read(Okio.java:138) ~[okio-1.11.0.jar!/:?]
        at okio.AsyncTimeout$2.read(AsyncTimeout.java:236) ~[okio-1.11.0.jar!/:?]
        at okio.RealBufferedSource.request(RealBufferedSource.java:66) ~[okio-1.11.0.jar!/:?]
        at okio.RealBufferedSource.require(RealBufferedSource.java:59) ~[okio-1.11.0.jar!/:?]
        at okio.RealBufferedSource.readByte(RealBufferedSource.java:72) ~[okio-1.11.0.jar!/:?]
        at okhttp3.internal.ws.WebSocketReader.readHeader(WebSocketReader.java:113) ~[okhttp-3.6.0.jar!/:?]
        at okhttp3.internal.ws.WebSocketReader.processNextFrame(WebSocketReader.java:97) ~[okhttp-3.6.0.jar!/:?]
        at okhttp3.internal.ws.RealWebSocket.loopReader(RealWebSocket.java:262) [okhttp-3.6.0.jar!/:?]
        at okhttp3.internal.ws.RealWebSocket$2.onResponse(RealWebSocket.java:201) [okhttp-3.6.0.jar!/:?]
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:135) [okhttp-3.6.0.jar!/:?]
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32) [okhttp-3.6.0.jar!/:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_302]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_302]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_302]
Caused by: java.security.InvalidKeyException: Could not initialize cipher
        at sun.security.pkcs11.P11AEADCipher.implInit(P11AEADCipher.java:330) ~[sunpkcs11.jar:1.8.0_302]
        at sun.security.pkcs11.P11AEADCipher.engineInit(P11AEADCipher.java:248) ~[sunpkcs11.jar:1.8.0_302]
        at javax.crypto.Cipher.init(Cipher.java:1397) ~[?:1.8.0_302]
        at sun.security.ssl.SSLCipher$T12GcmWriteCipherGenerator$GcmWriteCipher.encrypt(SSLCipher.java:1699) ~[?:1.8.0_302]
        ... 23 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_ACTIVE
        at sun.security.pkcs11.wrapper.PKCS11.C_EncryptInit(Native Method) ~[sunpkcs11.jar:1.8.0_302]
        at sun.security.pkcs11.P11AEADCipher.initialize(P11AEADCipher.java:404) ~[sunpkcs11.jar:1.8.0_302]
        at sun.security.pkcs11.P11AEADCipher.implInit(P11AEADCipher.java:328) ~[sunpkcs11.jar:1.8.0_302]
        at sun.security.pkcs11.P11AEADCipher.engineInit(P11AEADCipher.java:248) ~[sunpkcs11.jar:1.8.0_302]
        at javax.crypto.Cipher.init(Cipher.java:1397) ~[?:1.8.0_302]
        at sun.security.ssl.SSLCipher$T12GcmWriteCipherGenerator$GcmWriteCipher.encrypt(SSLCipher.java:1699) ~[?:1.8.0_302]
        ... 23 more

REGRESSION : Last worked in version 8


FREQUENCY : always



Comments
Closing as incomplete: 1) No reproducible test case, so we don't know where to start. 2) A 3rd party IO library is used, okio and okhttp3. If a test case using jdk io can be provided, this bug can be reopened.
19-08-2022

Requested the debug log (-Djavax.net.debug=all) for both releases, or a reproducer from the submitter. Also try the latest JDK 18 release, https://jdk.java.net/18/.
10-05-2022

It would be good if the submitter could send the debug log (-Djavax.net.debug=all) for both releases, or a test case for reproducing it. Did the latest JDK release (JDK 18) get tested?
06-05-2022

No response from the submitter. It looks similar to JDK-8206968.
28-04-2022

Requested a simple reproducer from the submitter.
22-04-2022
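
The stack trace in the description shows the TLS 1.2 GCM write cipher being served by sun.security.pkcs11.P11AEADCipher, so the JCA provider configuration is worth recording next to the requested -Djavax.net.debug=all log. The following is an added diagnostic, not code from the report or from the JDK, that can be run unchanged on both JRE images to compare provider order and which provider supplies AES/GCM/NoPadding; the class name GcmProviderCheck is hypothetical and the key, IV and plaintext are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added diagnostic (hypothetical class name): records which JCA provider
// serves AES/GCM on this JRE so that two images can be compared.
public class GcmProviderCheck {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Provider preference order as configured for this runtime.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " : " + providers[i].getInfo());
        }

        // Constructed sample data: random AES-128 key, 12-byte IV, short plaintext.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] plain = "gcm provider check".getBytes(StandardCharsets.UTF_8);

        // Same call sequence as the failing frame: getInstance, then init with
        // a GCMParameterSpec. The provider is reported after init because JCA
        // settles on a provider once it has seen the key.
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        String name = enc.getProvider().getName();
        System.out.println("AES/GCM/NoPadding -> " + name
                + (name.startsWith("SunPKCS11") ? "  (PKCS#11 provider, as in the trace)" : ""));

        // One encrypt/decrypt round trip through the selected provider.
        byte[] ct = enc.doFinal(plain);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        System.out.println("round trip ok = " + Arrays.equals(plain, dec.doFinal(ct)));
    }
}
```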