JDK-8335288 : SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto:pkcs11
  • Affected Version: 21,22,23
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2024-06-27
  • Updated: 2025-02-04
  • Resolved: 2024-09-13
Version table (release in which this issue has been fixed; the release containing the fix may be available as an Early Access or General Availability release):
  • JDK 21: 21.0.7-oracle (Fixed)
  • JDK 24: 24 b16 (Fixed)
Related Reports
  • Causes: none listed
  • Duplicate: none listed
Description
ADDITIONAL SYSTEM INFORMATION :
Problem observed with a Utimaco CryptoServer PKCS11 device, but it is of general scope.

A DESCRIPTION OF THE PROBLEM :
With the introduction of https://bugs.openjdk.org/browse/JDK-8301553  (CSR: https://bugs.openjdk.org/browse/JDK-8308719), the SunPKCS11 provider will query the PKCS11 device (C_GetMechanismInfo) for mechanisms that are not supported.
This happens because of new logic, which queries info for "required mechanisms" for a feature, even if that mechanism is not returned by C_GetMechanismList and even if the mechanism is blacklisted in disabledMechanisms.
At least some PKCS11 implementations will respond with CKR_FUNCTION_FAILED when C_GetMechanismInfo is called with an unknown mechanism. This makes it impossible to initialize the PKCS11 interface.
This happens in SunPKCS11.java, line 1309ff:

    // Check that other mechanisms required for the
    // service are supported before listing it as
    // available for the first time.
    for (int requiredMech : d.requiredMechs) {
        if (token.getMechanismInfo(
                requiredMech & 0xFFFFFFFFL) == null) {
            continue descLoop;
        }
    }
}   // closes the enclosing block of the quoted fragment

REGRESSION : Last worked in version 20

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Configure a PKCS11 device as described in:
https://docs.oracle.com/en/java/javase/21/security/pkcs11-reference-guide1.html
Run
keytool -v -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg c:/pkcs11/pkcs11.cfg

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
List of keys in PKCS11 device
ACTUAL -
keytool error: java.security.ProviderException: Initialization failed
java.security.ProviderException: Initialization failed
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:391)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:126)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:123)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:123)
        at java.base/sun.security.tools.KeyStoreUtil.loadProviderByName(KeyStoreUtil.java:283)
        at java.base/sun.security.tools.KeyStoreUtil.loadProviderByClass(KeyStoreUtil.java:316)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:834)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:419)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:412)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GetMechanismInfo(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Token.getMechanismInfo(Token.java:399)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.initToken(SunPKCS11.java:1313)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:382)
        ... 9 more

CUSTOMER SUBMITTED WORKAROUND :
Downgrade to Java 20 or below

FREQUENCY : always



Comments
Fix request [21u] I backport this for parity with 21.0.7-oracle. Low to medium risk, simple change in important component. Clean backport, but I had to adapt the code as JDK-8324585 is not in 21. Test passes, it passes also without the fix. SAP nightly testing passed.
23-12-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1283 Date: 2024-12-22 15:03:55 +0000
22-12-2024

Additional Information from submitter:
============================
I see that the issue is now fixed in https://bugs.openjdk.org/browse/JDK-8335288 but has been targeted at only Java 24. Are there any plans to back port this to Java 21, which is the current LTS version, and where the regression was introduced?
26-09-2024

Changeset: fdfe503d Branch: master Author: Valerie Peng <valeriep@openjdk.org> Date: 2024-09-13 21:13:54 +0000 URL: https://git.openjdk.org/jdk/commit/fdfe503d016086cf78b5a8c27dbe45f0261c68ab
13-09-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/20207 Date: 2024-07-17 00:48:20 +0000
17-07-2024

Instead of calling C_GetMechanismInfo(), we should check if the particular mechanism is in the list of mechanisms returned by C_GetMechanismList() and whether the provider config disables it.
12-07-2024
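The required-mechanism check quoted in the report and the fix approach stated in the comment above, modelled side by side as an added example. This is not JDK code: it runs against a mock token that, like the device in the report, answers C_GetMechanismInfo with CKR_FUNCTION_FAILED for any mechanism missing from its C_GetMechanismList result; the provider config string is constructed, the service-to-required-mechanism table is hypothetical (not the JDK's own descriptors), and the config reader understands only a disabledMechanisms block containing mechanism names. The pre-fix check fails at the first unknown mechanism, as the stack trace in the report shows; the fixed check consults the mechanism list and the disabledMechanisms setting and never probes the token.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not JDK code): models the pre-fix and fixed "required
 * mechanisms" checks against a mock token that rejects C_GetMechanismInfo
 * for any mechanism it does not list.
 */
public class RequiredMechCheck {

    // PKCS#11 mechanism identifiers (values as defined by the PKCS#11 spec).
    static final long CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000L;
    static final long CKM_RSA_PKCS              = 0x0001L;
    static final long CKM_RSA_PKCS_PSS          = 0x000DL;
    static final long CKM_SHA256                = 0x0250L;

    static final Map<String, Long> MECH_BY_NAME = Map.of(
        "CKM_RSA_PKCS_KEY_PAIR_GEN", CKM_RSA_PKCS_KEY_PAIR_GEN,
        "CKM_RSA_PKCS",              CKM_RSA_PKCS,
        "CKM_RSA_PKCS_PSS",          CKM_RSA_PKCS_PSS,
        "CKM_SHA256",                CKM_SHA256);

    /** Stand-in for sun.security.pkcs11.wrapper.PKCS11Exception. */
    static final class PKCS11Exception extends Exception {
        PKCS11Exception(String rv) { super(rv); }
    }

    /** Mock token: C_GetMechanismList is authoritative; C_GetMechanismInfo rejects anything else. */
    static final class MockToken {
        private final Set<Long> mechList = new HashSet<>();

        MockToken(long... mechs) { for (long m : mechs) mechList.add(m); }

        long[] C_GetMechanismList() {
            return mechList.stream().mapToLong(Long::longValue).toArray();
        }

        /** Returns a placeholder CK_MECHANISM_INFO, or fails the way the reported device does. */
        Object C_GetMechanismInfo(long mech) throws PKCS11Exception {
            if (!mechList.contains(mech)) throw new PKCS11Exception("CKR_FUNCTION_FAILED");
            return new Object();
        }
    }

    /** Minimal reader for the provider config's disabledMechanisms = { ... } block (names only; hypothetical). */
    static Set<Long> parseDisabledMechanisms(String cfg) {
        Set<Long> disabled = new HashSet<>();
        Matcher m = Pattern.compile("disabledMechanisms\\s*=\\s*\\{([^}]*)\\}").matcher(cfg);
        if (m.find()) {
            for (String name : m.group(1).trim().split("\\s+")) {
                Long id = MECH_BY_NAME.get(name);
                if (id != null) disabled.add(id);
            }
        }
        return disabled;
    }

    /** Pre-fix logic (JDK 21-23): probes C_GetMechanismInfo for every required mechanism. */
    static boolean requiredMechsSupportedOld(MockToken token, long[] required) throws PKCS11Exception {
        for (long mech : required) {
            if (token.C_GetMechanismInfo(mech & 0xFFFFFFFFL) == null) return false;
        }
        return true;
    }

    /** Fixed logic: a required mechanism counts only if the token lists it and the config does not disable it. */
    static boolean requiredMechsSupportedNew(MockToken token, Set<Long> disabled, long[] required) {
        Set<Long> listed = new HashSet<>();
        for (long m : token.C_GetMechanismList()) listed.add(m);
        for (long mech : required) {
            long id = mech & 0xFFFFFFFFL;
            if (!listed.contains(id) || disabled.contains(id)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed token: lists RSA key-pair generation, PKCS#1 v1.5 RSA and SHA-256 only.
        MockToken token = new MockToken(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA256);

        // Constructed provider config (not a real file); only disabledMechanisms is read here.
        String cfg = "name = ModelHSM\n"
                   + "library = /opt/model/libmodelpkcs11.so\n"
                   + "disabledMechanisms = {\n"
                   + "  CKM_SHA256\n"
                   + "}\n";
        Set<Long> disabled = parseDisabledMechanisms(cfg);

        // Hypothetical service descriptors (service -> required mechanisms); not the JDK's tables.
        Map<String, long[]> services = new LinkedHashMap<>();
        services.put("Signature.SHA256withRSA",     new long[] { CKM_RSA_PKCS });
        services.put("Signature.SHA256withRSA/PSS", new long[] { CKM_RSA_PKCS_PSS });
        services.put("MessageDigest.SHA-256",       new long[] { CKM_SHA256 });

        // Each check runs in isolation; in the real provider the first PKCS11Exception
        // propagates out of initToken and the whole provider fails to initialize.
        for (Map.Entry<String, long[]> e : services.entrySet()) {
            String oldResult;
            try {
                oldResult = requiredMechsSupportedOld(token, e.getValue()) ? "listed" : "skipped";
            } catch (PKCS11Exception ex) {
                oldResult = "init aborted: " + ex.getMessage();
            }
            String fixedResult = requiredMechsSupportedNew(token, disabled, e.getValue()) ? "listed" : "skipped";
            System.out.printf("%-30s pre-fix: %-34s fixed: %s%n", e.getKey(), oldResult, fixedResult);
        }
    }
}
```

Compile and run with `javac RequiredMechCheck.java && java RequiredMechCheck`. The PSS service is where the two checks diverge on the reported device: the pre-fix probe throws CKR_FUNCTION_FAILED for the unlisted mechanism, while the fixed check simply leaves the service unregistered. The SHA-256 row shows the second half of the report, a mechanism the token does list but the config disables, which the pre-fix loop would still have accepted.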

The submitter provided the details of the root causes.
27-06-2024