2173781 – C_GetInfo can throw an exception if called before initialization in some PKCS #11 tokens [rhel-8, openjdk-17]

Bug 2173781 - C_GetInfo can throw an exception if called before initialization in some PKCS #11 tokens [rhel-8, openjdk-17]

Summary: C_GetInfo can throw an exception if called before initialization in some PKCS...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	java-17-openjdk
Sub Component:
Version:	8.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Balao
QA Contact:	OpenJDK QA
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2186830 2186831 2186832 2186833
TreeView+	depends on / blocked

Reported:	2023-02-28 00:06 UTC by Martin Balao
Modified:	2023-06-26 15:09 UTC (History)
CC List:	3 users (show)
Fixed In Version:	java-17-openjdk-17.0.7.0.7-3.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2186830 2186831 2186832 2186833 (view as bug list)
Environment:
Last Closed:	2023-06-26 15:09:25 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	rh-openjdk jdk pull 26	0	None	open	Avoid calling C_GetInfo() too early, before cryptoki is initialized	2023-02-28 00:06:27 UTC
Red Hat Issue Tracker	RHELPLAN-149969	0	None	None	None	2023-02-28 00:21:18 UTC

Description Martin Balao 2023-02-28 00:06:28 UTC

In some PKCS #11 tokens, calling C_GetInfo before initialization returns a CKR_CRYPTOKI_NOT_INITIALIZED error [1]. If this happens, the error is then transformed into a PKCS11Exception and thrown in the PKCS11 constructor [2]. Throwing an exception at that point would be unnecessarily fatal: execution should continue and it's only Password-Based Encryption who might, at some point, require the information —hopefully, the token will be initialized by then. Notice that this problem could not be reproduced with the NSS Software Token but with p11-kit-trust.so.

JDK-8255409 [3], available since JDK-18 (OpenJDK upstream), seems to handle a C_GetInfo throwing an exception in the constructor of PKCS11 [4]. It's not the goal of this ticket to backport JDK-8255409 to 17u but to fix this regression. Other options, such as backporting JDK-8255409 to 17u, will be considered in the future once the Password-Based Cryptography enhancement is accepted in OpenJDK head and backported to 17u [5].

PR discussion: https://github.com/rh-openjdk/jdk/pull/26

--
[1] - https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/pkcs11-spec-v3.1-cs01.html#_Toc111203257
[2] - https://github.com/rh-openjdk/jdk/blob/1e26894969d911776f60eaa557d25a2b389060da/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java#L156
[3] - https://bugs.openjdk.org/browse/JDK-8255409
[4] - https://github.com/openjdk/jdk/commit/83e6a4c0e9e4a9474ae0c1252378b1a09d1d2df0#diff-507046ab6e8d2a75a31fe49822a43729eefa2ca12b4fe1c27f427ebb0702e208R160
[5] - https://github.com/openjdk/jdk/pull/12396

Note You need to log in before you can comment on or make changes to this bug.