java.security.ProviderException: Initialization failed

JDK Bug System | Webbug Group | 8 months ago
  1. 0

    FULL PRODUCT VERSION : java version "1.8.0_77" Java(TM) SE Runtime Environment (build 1.8.0_77-b03) Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode) ADDITIONAL OS VERSION INFORMATION : Linux localhost.localdomain 4.4.6-301.fc23.x86_64 #1 SMP Wed Mar 30 16:43:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux EXTRA RELEVANT SYSTEM CONFIGURATION : Using Thales nShield HSM with Security World software v12.10, and associated PKCS#11 provider (/opt/nfast/toolkits/pkcs11/libcknfast.so). Note that this setup requires that the HSM belong to a valid Security World. A DESCRIPTION OF THE PROBLEM : 1. Create sample code: import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FileOutputStream; import java.io.InputStream; import java.io.PrintStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.KeyPairGenerator; import javax.crypto.KeyGenerator; import javax.crypto.Cipher; import java.security.Key; import java.security.PublicKey; import java.security.KeyPair; import java.security.Provider; import java.security.Security; import java.security.cert.X509Certificate; import java.security.cert.Certificate; import sun.security.pkcs11.SunPKCS11; public class SunPKCS11Sample { private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray(); private SunPKCS11Sample(){ ByteArrayOutputStream byteStream = new ByteArrayOutputStream(); PrintStream ps = new PrintStream(byteStream); ps.println("name = nCipher"); ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so"); ps.println("attributes = compatibility"); ps.println("slotListIndex = 0"); InputStream config = new ByteArrayInputStream(byteStream.toByteArray()); Provider pkcs11Provider = new SunPKCS11(config); Security.addProvider(pkcs11Provider); } private void run() throws Exception{ try { KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher" ); //KeyStore ks = KeyStore.getInstance("PKCS11"); ks.load(null, CARDSET_PASSPHRASE ); Key mykey = ks.getKey("test123", null); } catch ( Exception e) { System.out.println("Error with keystore."); } } public static void main(String [] args) { try { (new SunPKCS11Sample()).run(); }catch (Throwable e){ e.printStackTrace(); System.exit(1); } System.exit(0); } } PKCS#11 debugging: 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_GetFunctionList 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > ppFunctionList 0x7fd9ac1190c8 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> C_Initialize 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 > voidp 0x7fd9ac116470 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 >> 2.19.1cam9 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_tweakflags 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Turn on loadsharing 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D Ignore accelerator slots 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D init_mutexes 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CK_C_INITIALIZE_ARGS flags 0x2 2016-04-13 13:49:30 [18477]: pkcs11: 00000000 D CKF_OS_LOCKING_OK, use default mutex callbacks 016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList (nil) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotList 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > tokenPresent 0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pSlotList 0x7fd9ac134300 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > *pulCount 1 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D Get loadsharing slots 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *pulCount 1 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pSlotList[0] 0x2D622495 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50b0630 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < pInfo->flags 0x0000020D 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_OpenSession 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x2D622495 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < *phSession 0x000008CB 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList (nil) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 140573022029280 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetMechanismList 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x7FD9B50B05C0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pMechanismList 0x7fd9ac13faf0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pulCount 106 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 D mechanism CKM_NC_AES_CMAC_KEY_DERIVATION_SCP03 disabled 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetInfo 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000000 (CKR_OK) 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 >> C_GetSlotInfo 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > slotID 0x00000000 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 > pInfo 0x7fd9b50aefc0 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 Application error: NFC__lookup_slot CK_INVALID_HANDLE 2016-04-13 13:49:32 [18477] t00170bb5d97f0000: pkcs11: 00000000 < rv 0x00000003 (CKR_SLOT_ID_INVALID) java.security.ProviderException: Initialization failed at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) at sun.security.jca.ProviderList.loadAll(ProviderList.java:282) at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299) at sun.security.jca.Providers.getFullProviderList(Providers.java:173) at java.security.Security.insertProviderAt(Security.java:360) at java.security.Security.addProvider(Security.java:403) at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37) at SunPKCS11Sample.main(SunPKCS11Sample.java:57) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365) ... 17 more STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : Create and execute the following sample code: 1. Create sample code: import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FileOutputStream; import java.io.InputStream; import java.io.PrintStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.KeyPairGenerator; import javax.crypto.KeyGenerator; import javax.crypto.Cipher; import java.security.Key; import java.security.PublicKey; import java.security.KeyPair; import java.security.Provider; import java.security.Security; import java.security.cert.X509Certificate; import java.security.cert.Certificate; import sun.security.pkcs11.SunPKCS11; public class SunPKCS11Sample { private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray(); private SunPKCS11Sample(){ ByteArrayOutputStream byteStream = new ByteArrayOutputStream(); PrintStream ps = new PrintStream(byteStream); ps.println("name = nCipher"); ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so"); ps.println("attributes = compatibility"); ps.println("slotListIndex = 0"); InputStream config = new ByteArrayInputStream(byteStream.toByteArray()); Provider pkcs11Provider = new SunPKCS11(config); Security.addProvider(pkcs11Provider); } private void run() throws Exception{ try { KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher" ); //KeyStore ks = KeyStore.getInstance("PKCS11"); ks.load(null, CARDSET_PASSPHRASE ); Key mykey = ks.getKey("test123", null); } catch ( Exception e) { System.out.println("Error with keystore."); } } public static void main(String [] args) { try { (new SunPKCS11Sample()).run(); }catch (Throwable e){ e.printStackTrace(); System.exit(1); } System.exit(0); } } EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - Key should just load based on the following code: KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher" ); //KeyStore ks = KeyStore.getInstance("PKCS11"); ks.load(null, CARDSET_PASSPHRASE ); Key mykey = ks.getKey("test123", null); ACTUAL - java.security.ProviderException: Initialization failed at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:376) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) at sun.security.jca.ProviderList.loadAll(ProviderList.java:282) at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299) at sun.security.jca.Providers.getFullProviderList(Providers.java:173) at java.security.Security.insertProviderAt(Security.java:360) at java.security.Security.addProvider(Security.java:403) at SunPKCS11Sample.<init>(SunPKCS11Sample.java:37) at SunPKCS11Sample.main(SunPKCS11Sample.java:57) Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SLOT_ID_INVALID at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365) ... 17 more REPRODUCIBILITY : This bug can be reproduced always. ---------- BEGIN SOURCE ---------- import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FileOutputStream; import java.io.InputStream; import java.io.PrintStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.KeyPairGenerator; import javax.crypto.KeyGenerator; import javax.crypto.Cipher; import java.security.Key; import java.security.PublicKey; import java.security.KeyPair; import java.security.Provider; import java.security.Security; import java.security.cert.X509Certificate; import java.security.cert.Certificate; import sun.security.pkcs11.SunPKCS11; public class SunPKCS11Sample { private static final char[] CARDSET_PASSPHRASE = "123456".toCharArray(); private SunPKCS11Sample(){ ByteArrayOutputStream byteStream = new ByteArrayOutputStream(); PrintStream ps = new PrintStream(byteStream); ps.println("name = nCipher"); ps.println("library = /opt/nfast/toolkits/pkcs11/libcknfast.so"); ps.println("attributes = compatibility"); ps.println("slotListIndex = 0"); InputStream config = new ByteArrayInputStream(byteStream.toByteArray()); Provider pkcs11Provider = new SunPKCS11(config); Security.addProvider(pkcs11Provider); } private void run() throws Exception{ try { KeyStore ks = KeyStore.getInstance("PKCS11", "SunPKCS11-nCipher" ); //KeyStore ks = KeyStore.getInstance("PKCS11"); ks.load(null, CARDSET_PASSPHRASE ); Key mykey = ks.getKey("test123", null); } catch ( Exception e) { System.out.println("Error with keystore."); } } public static void main(String [] args) { try { (new SunPKCS11Sample()).run(); }catch (Throwable e){ e.printStackTrace(); System.exit(1); } System.exit(0); } } ---------- END SOURCE ---------- CUSTOMER SUBMITTED WORKAROUND : Workaround is to use the following version of OpenJDK 1.8: penjdk version "1.8.0_77" OpenJDK Runtime Environment (build 1.8.0_77-b03) OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)

    JDK Bug System | 8 months ago | Webbug Group
    java.security.ProviderException: Initialization failed
  2. 0

    Questions about PKCS11

    Oracle Community | 9 years ago | 843811
    java.security.ProviderException: SunPKCS11 requires configuration file argument
  3. 0

    CKR_SLOT_ID_INVALID Exception with java pkcs11

    GitHub | 1 year ago | wtmann
    java.security.ProviderException: Initialization failed
  4. Speed up your debug routine!

    Automated exception search integrated into your IDE

  5. 0

    iText®, a JAVA PDF library / Mailing Lists

    sourceforge.net | 1 year ago
    java.security.ProviderException: Initialization failed
  6. 0

    SignServer / Discussion / Help:TSA using a PKCS#11 device

    sourceforge.net | 1 year ago
    org.ejbca.core.model.ca.catoken.CATokenOfflineException: Not possible to create provider. See cause.

    7 unregistered visitors
    Not finding the right solution?
    Take a tour to get the most out of Samebug.

    Tired of useless tips?

    Automated exception search integrated into your IDE

    Root Cause Analysis

    1. sun.security.pkcs11.wrapper.PKCS11Exception

      CKR_SLOT_ID_INVALID

      at sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo()
    2. sun.security.pkcs11
      SunPKCS11.<init>
      1. sun.security.pkcs11.wrapper.PKCS11.C_GetSlotInfo(Native Method)
      2. sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:365)
      3. sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
      3 frames
    3. Java RT
      Security.addProvider
      1. sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      2. sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      3. sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      4. java.lang.reflect.Constructor.newInstance(Constructor.java:423)
      5. sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
      6. sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
      7. java.security.AccessController.doPrivileged(Native Method)
      8. sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
      9. sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
      10. sun.security.jca.ProviderList.loadAll(ProviderList.java:282)
      11. sun.security.jca.ProviderList.removeInvalid(ProviderList.java:299)
      12. sun.security.jca.Providers.getFullProviderList(Providers.java:173)
      13. java.security.Security.insertProviderAt(Security.java:360)
      14. java.security.Security.addProvider(Security.java:403)
      14 frames
    4. Unknown
      SunPKCS11Sample.main
      1. SunPKCS11Sample.<init>(SunPKCS11Sample.java:37)
      2. SunPKCS11Sample.main(SunPKCS11Sample.java:57)
      2 frames