JDK 11 | JDK 17 | JDK 21 | JDK 23 | JDK 8 |
---|---|---|---|---|
11.0.27-oracle Fixed | 17.0.15-oracle Fixed | 21.0.7-oracle Fixed | 23 b23 Fixed | 8u451 Fixed |
CSR :
Relates :
Relates :
JDK-8329640 :
JDK-8340337 :
ADDITIONAL SYSTEM INFORMATION :
Windows 10 64 bits / CentOS 7 64 bits

A DESCRIPTION OF THE PROBLEM :
In France, French healthcare professionals use a card to authenticate and sign. Since jdk8 322 we have a problem. PKCS11 has been disabled: https://bugs.openjdk.org/browse/JDK-8176837
The problem is that the card mechanism is considered legacy and therefore disabled. This check needs a little more flexibility.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :

```
SunPKCS11 loading ---DummyConfig-1---
Information for provider SunPKCS11-VitCo-0
Library info:
  cryptokiVersion: 2.20
  manufacturerID: ANS
  flags: 0
  libraryDescription: CPS3 PKCS#11 WIN 64
  libraryVersion: 2.13
sunpkcs11: Initializing PKCS#11 library C:\Windows\System32\cps3_pkcs11_w64.dll
All slots: 0, 1
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: KAPELSE 00026351 KAP-LINK 0 0
  manufacturerID:
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: CPS3v3-2800638708
  manufacturerID: ASIP SANTE
  model: IAS ECC
  serialNumber: 99231175
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: 0
  ulMaxPinLen: 4
  ulMinPinLen: 4
  ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
  ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
  hardwareVersion: 0.00
  firmwareVersion: 0.00
  utcTime:
Mechanism CKM_SHA_1:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA256:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_RSA_X_509:
  ulMinKeySize: 512
  ulMaxKeySize: 2048
  flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
DISABLED due to legacy
Mechanism CKM_RSA_PKCS:
  ulMinKeySize: 512
  ulMaxKeySize: 2048
  flags: 272897 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_UNWRAP
DISABLED due to legacy
Mechanism CKM_SHA1_RSA_PKCS:
  ulMinKeySize: 512
  ulMaxKeySize: 2048
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
  ulMinKeySize: 512
  ulMaxKeySize: 2048
  flags: 10240 = CKF_SIGN | CKF_VERIFY
DISABLED in configuration
sunpkcs11: login succeeded
sunpkcs11: user already logged in
```

ACTUAL -

```
javax.net.ssl.SSLException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.convert(SSLIOSession.java:265)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:272)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:319)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$300(SSLIOSession.java:71)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:175)
	at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:124)
	at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
	at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:179)
	at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:128)
	at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:85)
	at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
	at java.lang.Thread.run(Thread.java:750)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT
	at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
	at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:608)
	at java.security.Signature$Delegate.engineSign(Signature.java:1382)
	at java.security.Signature.sign(Signature.java:698)
	at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:609)
	at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:761)
	at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
	at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182)
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
	at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:362)
	... 9 common frames omitted
```

FREQUENCY : always
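
The numeric flag values in the debug log show which capability bits the token advertises for each mechanism. The following is an added example, not code from the JDK or from the report: it decodes those values and applies an assumed partial-support rule (decrypt without encrypt, or verify without sign) to show which entries such a rule would flag. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class LegacyMechanismCheck {
    // CK_MECHANISM_INFO flag bits from the PKCS#11 specification (subset seen in the log).
    static final Map<String, Long> FLAGS = new LinkedHashMap<>();
    static {
        FLAGS.put("CKF_HW", 0x1L);
        FLAGS.put("CKF_ENCRYPT", 0x100L);
        FLAGS.put("CKF_DECRYPT", 0x200L);
        FLAGS.put("CKF_DIGEST", 0x400L);
        FLAGS.put("CKF_SIGN", 0x800L);
        FLAGS.put("CKF_VERIFY", 0x2000L);
        FLAGS.put("CKF_UNWRAP", 0x40000L);
    }

    static boolean has(long flags, String name) {
        return (flags & FLAGS.get(name)) != 0;
    }

    // Assumed rule (not taken from the page): a mechanism is treated as legacy
    // when it advertises decrypt without encrypt, or verify without sign.
    static boolean looksLegacy(long flags) {
        return (has(flags, "CKF_DECRYPT") && !has(flags, "CKF_ENCRYPT"))
            || (has(flags, "CKF_VERIFY") && !has(flags, "CKF_SIGN"));
    }

    static String decode(long flags) {
        List<String> set = new ArrayList<>();
        for (Map.Entry<String, Long> e : FLAGS.entrySet()) {
            if ((flags & e.getValue()) != 0) set.add(e.getKey());
        }
        return String.join(" | ", set);
    }

    public static void main(String[] args) {
        // Mechanism names and flag values copied from the debug log in the report.
        Map<String, Long> token = new LinkedHashMap<>();
        token.put("CKM_SHA_1", 1024L);
        token.put("CKM_RSA_X_509", 272897L);
        token.put("CKM_RSA_PKCS", 272897L);
        token.put("CKM_SHA1_RSA_PKCS", 10240L);
        for (Map.Entry<String, Long> m : token.entrySet()) {
            System.out.printf("%-18s %-62s legacy=%b%n", m.getKey(),
                    decode(m.getValue()), looksLegacy(m.getValue()));
        }
    }
}
```

On the reported token both raw RSA mechanisms advertise CKF_DECRYPT without CKF_ENCRYPT, which is the combination the assumed rule flags, while CKM_SHA1_RSA_PKCS (sign and verify) and the digest-only CKM_SHA_1 pass.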