Bug 1022950 - java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
Summary: java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: java-1.7.0-openjdk
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Andrew John Hughes
QA Contact: BaseOS QE - Apps
Depends On: 1008456
Blocks: 1056252
Reported: 2013-10-24 10:44 UTC by Michal Haško
Modified: 2018-12-06 15:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1008456
Last Closed: 2014-03-13 13:59:25 UTC
Target Upstream Version:


Description Michal Haško 2013-10-24 10:44:13 UTC
+++ This bug was initially created as a clone of Bug #1008456 +++

First of all, this is most likely not a bug in java-1.7.0-openjdk, because it is also reproducible on java-1.7.0-oracle and java-1.7.0-ibm. I think it is somewhere in the underlying libraries. Please help me identify where the issue is and what is causing it.

Description of problem:
When trying to configure SSL support for tomcat7 from EWS2, the following error was encountered:

Version-Release number of selected component (if applicable):
Tomcat7 from EWS-2.0.1 GA

How reproducible:

Steps to Reproduce:
1. make sure JDK7 is used (java -version)
2. generate the java keystore file:
   # /usr/lib/jvm/java/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore /root/keystore.jks
3. comment out the default APR listener from tomcat7/conf/server.xml:
    <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
4. add ssl connector to tomcat7/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               keystoreFile="/root/keystore.jks" keystorePass="tomcat"
               clientAuth="false" sslProtocol="TLS" />
5. start tomcat:
   # tomcat7/bin/startup.sh
6. # wget --no-check-certificate -4 -O - https://localhost:8443/

Actual results:
The following exception is observed in catalina.out:
Oct 24, 2013 6:19:49 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1359)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1675)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:323)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:687)
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1208)
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1062)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:889)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
	at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
	... 5 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
	at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
	at sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:314)
	... 19 more

Expected results:
Should return a Tomcat welcome page.

Additional info:
 - This is *only* reproducible on JDK7, not on JDK7.
 - Using 'curl -k https://localhost:8443/' instead of wget works fine (weird, right?)
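As an added diagnostic (not code from this report, OpenJDK or Tomcat), the following Java program exercises the same call that fails in the stack trace above, `KeyPairGenerator.generateKeyPair()` for EC, through every installed provider that offers it, so the failing provider and curve can be identified without starting Tomcat. The curve names are an assumption (the ones commonly negotiated for ECDHE); the provider names come from whatever the running JVM has registered.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Probe each installed provider offering KeyPairGenerator.EC and try to
 * generate an ephemeral EC key pair on the curves a TLS server uses for
 * ECDHE. Constructed diagnostic; not part of OpenJDK or Tomcat.
 */
public class EcProbe {
    // Assumed curve set: secp256r1 is the usual ECDHE default in JDK 7.
    static final String[] CURVES = {"secp256r1", "secp384r1", "secp521r1"};

    /** Returns provider name -> curve -> "OK" or the failure text. */
    static Map<String, Map<String, String>> probe() {
        Map<String, Map<String, String>> results = new LinkedHashMap<>();
        for (Provider p : Security.getProviders()) {
            // Skip providers that do not implement EC key-pair generation at all
            if (p.getService("KeyPairGenerator", "EC") == null) continue;
            Map<String, String> perCurve = new LinkedHashMap<>();
            for (String curve : CURVES) {
                try {
                    KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
                    kpg.initialize(new ECGenParameterSpec(curve));
                    // Same call that fails inside P11KeyPairGenerator in the trace
                    KeyPair kp = kpg.generateKeyPair();
                    perCurve.put(curve, "OK (" + kp.getPublic().getAlgorithm() + ")");
                } catch (ProviderException e) {
                    // SunPKCS11 surfaces CKR_* errors (e.g. CKR_DOMAIN_PARAMS_INVALID) this way
                    perCurve.put(curve, "ProviderException: " + e.getMessage());
                } catch (Exception e) {
                    // e.g. InvalidAlgorithmParameterException for an unsupported curve
                    perCurve.put(curve, e.getClass().getSimpleName() + ": " + e.getMessage());
                }
            }
            results.put(p.getName(), perCurve);
        }
        return results;
    }

    public static void main(String[] args) {
        for (Map.Entry<String, Map<String, String>> e : probe().entrySet()) {
            System.out.println(e.getKey());
            for (Map.Entry<String, String> c : e.getValue().entrySet()) {
                System.out.println("  " + c.getKey() + ": " + c.getValue());
            }
        }
    }
}
```

Run it with the same JDK that runs Tomcat (`/usr/lib/jvm/java/bin/java EcProbe`). `KeyPairGenerator.getInstance("EC")` without a provider argument, which is what the JSSE handshaker uses, picks the first provider in `java.security` order that offers it, so the first provider in the output is the one the server handshake would hit; a `ProviderException` carrying a `CKR_*` code from that entry points at the PKCS11/NSS layer rather than at Tomcat or the keystore.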

Comment 1 Deepak Bhole 2013-10-24 15:58:50 UTC
Assigning to Andrew to take a look.

Comment 2 RHEL Program Management 2013-10-28 19:55:31 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Andrew John Hughes 2013-11-07 15:34:59 UTC
"This is *only* reproducible on JDK7, not on JDK7."

Err... that comment makes no sense :)

Comment 13 Thorsten Glaser 2014-04-25 12:57:23 UTC
This is caused by ECC differences in supported algorithms, and a bug on the Java™ side causing the server to always offer ECC even if it finds no suitable curves.

Potential workarounds are:
• switch to Sun’s ECC implementation instead of the one using NSS
• disable ECC completely

I’ve used the latter.

Accessing the server with cURL vs. GNU wget showing different behaviour is most likely due to them using diverging crypto libraries; for example, I could connect to a server suffering from the bug just fine from a MirBSD system, whose OpenSSL does not include any ECC, so the bug did not trigger.

Reference: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1006776
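Comment 13's second workaround, disabling ECC entirely, can be applied to the connector shown in the report through its `ciphers` attribute, which on Tomcat's NIO connector is a comma-separated list of JSSE cipher-suite names. The following is an added Java helper, not Tomcat or OpenJDK code, that derives such a list from the JVM's own default suites by dropping every ECDH, ECDHE and ECDSA suite; it assumes it is run on the same JVM that will run Tomcat.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Build a non-ECC cipher-suite list for Tomcat's "ciphers" connector
 * attribute, so the server never attempts the ECDHE key generation that
 * fails with CKR_DOMAIN_PARAMS_INVALID. Constructed example; not Tomcat code.
 */
public class NoEccCiphers {
    /** Drops every suite whose key exchange or authentication uses EC. */
    static List<String> withoutEcc(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            // ECDHE_*, ECDH_* (including ECDH_anon) and ECDSA-signed suites
            // all require EC key material, so none of them may stay enabled.
            if (s.contains("ECDH") || s.contains("ECDSA")) continue;
            kept.add(s);
        }
        return kept;
    }

    /** Joins the surviving suites in the comma-separated form the attribute expects. */
    static String toConnectorAttribute(List<String> suites) {
        StringBuilder sb = new StringBuilder();
        for (String s : suites) {
            if (sb.length() > 0) sb.append(',');
            sb.append(s);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Suites the default JSSE context would enable on this JVM
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> kept = withoutEcc(enabled);
        System.out.println("ciphers=\"" + toConnectorAttribute(kept) + "\"");
    }
}
```

Paste the printed value as an extra attribute on the `<Connector port="8443" ...>` element from the report. The first workaround, preferring the pure-Java SunEC provider over the NSS-backed SunPKCS11 one, is instead a matter of the `security.provider.<n>=` ordering in `$JAVA_HOME/jre/lib/security/java.security`.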

Comment 14 Thorsten Glaser 2014-04-25 12:58:56 UTC
Related RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1022017
