SunPkcs11 provider throws out of bounds exception during encryption when
specific conditions are met.
Exception:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Array
index out of range: 32
at java.base/java.util.Arrays.rangeCheck(Arrays.java:725)
at java.base/java.util.Arrays.fill(Arrays.java:3308)
at
jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher$PKCS5Padding.setPaddingBytes(P11Cipher.java:96)
at
jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:813)
at
jdk.crypto.cryptoki/sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:585)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2417)
...
Details:
This problems happens when reqBlockUpdates is true and implUpdate, which does
not end on block boundary, is performed followed by final implUpdate, which
ends exactly on block boundary. In that case final implUpdate fills padBuffer
and then just returns. [1] Following implDoFinal then tries to add padding and
throws OOB exception. Problem is, that in this case (input is multiple of block
size) whole padding block should be added, but there is no space for it in
padBuffer causing OOB exception.
Solution:
Solution is to detect this case (implDoFinal is called with full padBuffer) and
to perform additional C_EncryptUpdate to free up padBuffer so that padBuffer
can than be used to add whole new padding block.
[1]
https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L622
-------------
Commit messages:
- Fixed out of bounds exception in P11Cipher class
Changes: https://git.openjdk.org/jdk/pull/9310/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=9310&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8289301
Stats: 126 lines in 2 files changed: 120 ins; 0 del; 6 mod
Patch: https://git.openjdk.org/jdk/pull/9310.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/9310/head:pull/9310
PR: https://git.openjdk.org/jdk/pull/9310
