JDK-8328556 : Do not extract large CKO_SECRET_KEY keys from the NSS Software Token
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2024-03-19
  • Updated: 2024-03-28
  • Resolved: 2024-03-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 23
23 b16Fixed
Related Reports
Relates :  
SunPKCS11 tries to extract keys from the native to the Java heap when the underlying token is NSS in order to avoid memory leak issues. Extracted keys are re-built in the token when needed. The PKCS #11 API C_UnwrapKey is used as part of this process. However, when the key class is CKO_SECRET_KEY and the key's length is greater than 256 bytes (defined as MAX_KEY_LEN in pkcs11i.h), NSS' NSC_UnwrapKey returns a CKR_TEMPLATE_INCONSISTENT error [1].

To avoid the described problem we will not extract large CKO_SECRET_KEY keys out of the NSS Software Token. The destruction of these keys will be handled by the SessionKeyRef mechanism and the GC.

This bug is hard to reproduce under normal circumstances. It requires a FIPS-configured NSS Software Token so C_UnwrapKey is called from Java_sun_security_pkcs11_wrapper_PKCS11_createNativeKey. In addition, creating a large secret key is not common because there are checks depending on the key type. Methods such as C_GenerateKey have checks as well, and refuse to create secret keys larger than 256 bytes. I attached to this ticket the TestLargeKeys.java reproducer that will generate a large key and trigger the check in NSS. Please notice that this reproducer does not reflect the case that we are fixing here: we will only fix the C_UnwrapKey call from Java_sun_security_pkcs11_wrapper_PKCS11_createNativeKey by making the large native key non-extractable.

[1] - https://github.com/nss-dev/nss/blob/NSS_3_90_RTM/lib/softoken/pkcs11c.c#L6492
Martin, which JDK versions this realistically affects? Do we need to backport the fix?

Changeset: 13cf0707 Author: Martin Balao <mbalao@openjdk.org> Date: 2024-03-22 15:28:05 +0000 URL: https://git.openjdk.org/jdk/commit/13cf0707f903609c9bda99a9bf7511f494f9feae

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/18389 Date: 2024-03-20 03:39:58 +0000