JDK-8334284 : InvalidKeyException: Unsupported key type: SunPKCS11-SmartCard
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u411
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2024-06-05
  • Updated: 2024-06-21
Description
A DESCRIPTION OF THE PROBLEM :
We have a functionality that involves the signing of a document. This feature always worked with many versions of JRE 1.8, but suddenly stopped working after the last update 411 and it's giving us the following exception:
java.security.InvalidKeyException: Unsupported key type: SunPKCS11-SmartCard RSA private key, 2048 bits (id 1002, token object, sensitive, unextractable)

The failing method is java.security.Signature.initSign().

	Signature signatureAlgorithm = Signature.getInstance(algorithm);
	signatureAlgorithm.initSign(pkey);

where algorithm is "NONEwithRSA"
and pkey is the privateKey that has been read from the smartcard correctly (and without any issue) via the following piece of code:

	PrivateKey privateKey = (PrivateKey) keyStore.getKey(aliasId, password != null ? password.toCharArray() : null);
	
The keystore is read (also in this case, without any issue) via a specific DLL (bit4xpki.dll) and with the following piece of code:

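import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

// The report does not show these two constants; the values below are the standard
// Java 8 SunPKCS11 provider class name and keystore type, assumed here.
private static final String SUN_PKCS11_PROVIDER_CLASS = "sun.security.pkcs11.SunPKCS11";
private static final String PKCS11_KEYSTORE_TYPE = "PKCS11";

public static KeyStore loadKeyStoreFromSmartCard(String aPKCS11LibraryFileName, String aSmartCardPIN, ClassLoader classLoader) throws GeneralSecurityException, IOException {
    // In-memory SunPKCS11 configuration; "name = SmartCard" yields the provider name SunPKCS11-SmartCard.
    String pkcs11ConfigSettings = "name = SmartCard\n" + "library = " + aPKCS11LibraryFileName + "\n";
    pkcs11ConfigSettings += "disabledMechanisms={ CKM_SHA1_RSA_PKCS }\n";

    byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
    ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);

    try {
        // Instantiate the provider reflectively (optionally through the supplied class loader) and register it.
        Class<?> sunPkcs11Class = (classLoader != null) ? classLoader.loadClass(SUN_PKCS11_PROVIDER_CLASS) : Class.forName(SUN_PKCS11_PROVIDER_CLASS);
        Constructor<?> pkcs11Constr = sunPkcs11Class.getConstructor(java.io.InputStream.class);
        Provider pkcs11Provider = (Provider) pkcs11Constr.newInstance(confStream);
        Security.addProvider(pkcs11Provider);
        System.out.println("Provider name:" + pkcs11Provider.getName());
    } catch (Exception e) {
        throw new KeyStoreException("Can't initialize Sun PKCS#11 security " + "provider. Reason: " + e, e);
    }

    // Log in to the token with the PIN and return the PKCS#11-backed keystore.
    char[] pin = (aSmartCardPIN != null) ? aSmartCardPIN.toCharArray() : null;
    KeyStore keyStore = KeyStore.getInstance(PKCS11_KEYSTORE_TYPE);
    keyStore.load(null, pin);
    return keyStore;
}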
  
I read the whole changelog of Java 411, but I didn't find any bugfix that could explain such a change of behaviour.

REGRESSION : Last worked in version 8


FREQUENCY : always



Comments
Requested the debug output from the submitter.
21-06-2024
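
A diagnostic in the spirit of the debug output requested above, added here as an example (it is not code from the report or from the JDK): it tries initSign() with each installed provider that registers the Signature algorithm, then with the provider-less Signature.getInstance(algorithm) call used in the report, and prints which provider accepts or rejects the key. The class SignatureProviderProbe and its methods are hypothetical names, and the generated RSA key is a constructed stand-in for the smart-card key.

```java
import java.security.*;
import java.util.LinkedHashMap;
import java.util.Map;

public class SignatureProviderProbe {  // hypothetical name, not from the report

    /** Try initSign() with every installed provider that registers the Signature algorithm. */
    static Map<String, String> probe(String algorithm, PrivateKey key) {
        Map<String, String> results = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", algorithm) == null) {
                continue;  // this provider does not register the algorithm as a Signature
            }
            try {
                Signature.getInstance(algorithm, p).initSign(key);
                results.put(p.getName(), "accepted");
            } catch (GeneralSecurityException | ProviderException e) {
                results.put(p.getName(), "rejected: " + e);
            }
        }
        return results;
    }

    /** Provider picked by the provider-less getInstance() call, as used in the report. */
    static String defaultChoice(String algorithm, PrivateKey key) {
        try {
            Signature s = Signature.getInstance(algorithm);
            s.initSign(key);  // provider selection is completed here
            return s.getProvider().getName();
        } catch (GeneralSecurityException | ProviderException e) {
            return "none: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in key so the probe runs without a token. On the affected
        // machine, pass the PrivateKey returned by keyStore.getKey(...) instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey key = kpg.generateKeyPair().getPrivate();

        String algorithm = "NONEwithRSA";
        System.out.println("key class: " + key.getClass().getName());
        probe(algorithm, key).forEach((name, r) -> System.out.println(name + " -> " + r));
        System.out.println("default selection -> " + defaultChoice(algorithm, key));
    }
}
```

Running it on the last working 8u release and on 8u411 with the token key gives two outputs that can be compared line by line.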