Bug 1022950

Summary: java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
Product: Red Hat Enterprise Linux 6 Reporter: Michal Haško <mhasko>
Component: java-1.7.0-openjdkAssignee: Andrew John Hughes <ahughes>
Status: CLOSED NOTABUG QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: chuffman, dbhole, hkario, hmiles, jesusr, pslavice, tg
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1008456 Environment:
Last Closed: 2014-03-13 13:59:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1008456    
Bug Blocks: 1056252    

Description Michal Haško 2013-10-24 10:44:13 UTC 
+++ This bug was initially created as a clone of Bug #1008456 +++

First of all, this is most likely not a bug in java-1.7.0-openjdk, because it is also reproducible on java-1.7.0-oracle and java-1.7.0-ibm. I think it is somewhere in the underlying libraries. Please help me identify where the issue is and what is causing it.


Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:


Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA


How reproducible:
100%


Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore /root/keystore.jks
3. comment out the default APR listener from tomcat7/conf/server.xml:
    <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
4. add ssl connector to tomcat7/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
5. start tomcat:
   # tomcat7/bin/startup.sh
6. # wget --no-check-certificate -4 -O - https://localhost:8443/


Actual results:
The following exception is observed in catalina.out:
Oct 24, 2013 6:19:49 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1359)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1675)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:687)
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1208)
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1062)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:889)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
	at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
	... 5 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
	... 19 more



Expected results:
should return a tomcat welcome page 


Additional info:
 - This is *only* reproducible on JDK7, not on JDK7.
 - Using 'curl -k https://localhost:8443/' instead of wget works fine (weird, right?)
Comment 1 Deepak Bhole 2013-10-24 15:58:50 UTC 
Assigning to Andrew to take a look.
Comment 2 RHEL Program Management 2013-10-28 19:55:31 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 Andrew John Hughes 2013-11-07 15:34:59 UTC 
"This is *only* reproducible on JDK7, not on JDK7."

Err... that comment makes no sense :)
Comment 13 Thorsten Glaser 2014-04-25 12:57:23 UTC 
This is caused by ECC differences in supported algorithms, and a bug on the Java™ side causing the server to always offer ECC even if it finds no suitable curves.

Potential workarounds are:
• switch to Sun’s ECC implementation instead of the one using NSS
• disable ECC completely

I’ve used the latter.

Accessing the server with cURL vs. GNU wget showing different behaviour is most likely due to them using diverging crypto libraries; for example, I could connect to a server suffering from the bug just fine from a MirBSD system, whose OpenSSL does not include any ECC, so the bug did not trigger.

Reference: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1006776
Comment 14 Thorsten Glaser 2014-04-25 12:58:56 UTC 
Related RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1022017