java-manta
Partial reads of HMAC bytes with libnss and AES/CBC throws java.security.ProviderException
As noted in #250 there are cases where MantaEncryptedObjectInputStream will fail to read all the bytes requested. This is possible since java.io.InputStream.read(byte[], int, int) warns that:
An attempt is made to read as many as len bytes, but a smaller number may be read.
Unfortunately the test cases created for partial reads in #251 fail on CBC ciphers if libnss is installed. It may be possible to add configuration values to nss.cfg which resolve this issue or there may be a deeper problem that requires a bug to be filed with libnss or the JDK.
Pasted below is the exception thrown:
java.security.ProviderException: doFinal() failed
    at sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:776)
    at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:543)
    at sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:526)
    at javax.crypto.Cipher.doFinal(Cipher.java:2048)
    at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
    at org.bouncycastle.jcajce.io.CipherInputStream.close(Unknown Source)
    at org.apache.commons.io.IOUtils.closeQuietly(IOUtils.java:339)
    at org.apache.commons.io.IOUtils.closeQuietly(IOUtils.java:270)
    at com.joyent.manta.client.crypto.MantaEncryptedObjectInputStream.close(MantaEncryptedObjectInputStream.java:711)
    ... test case frames omitted
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_ACTIVE
    at sun.security.pkcs11.wrapper.PKCS11.C_DecryptInit(Native Method)
    at sun.security.pkcs11.P11Cipher.initialize(P11Cipher.java:445)
    at sun.security.pkcs11.P11Cipher.ensureInitialized(P11Cipher.java:429)
    at sun.security.pkcs11.P11Cipher.implDoFinal(P11Cipher.java:744)
    ... common frames omitted
#545 is related to the problem observed here.
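The short-read behaviour of java.io.InputStream.read(byte[], int, int) quoted in the issue, shown as an added example that is not java-manta code and does not reproduce the libnss exception. The class and method names (HmacTrailerRead, ShortReadStream, readFully) and the key and payload are constructed for illustration; the loop reads a fixed-length HMAC trailer to completion and compares it in constant time.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacTrailerRead {
    /** Constructed stream that returns at most 'chunk' bytes per read, as the InputStream contract permits. */
    static final class ShortReadStream extends FilterInputStream {
        private final int chunk;
        ShortReadStream(InputStream in, int chunk) { super(in); this.chunk = chunk; }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            return super.read(b, off, Math.min(len, chunk));
        }
    }

    /** Loops until exactly buf.length bytes are read; a single read() call may return fewer. */
    static void readFully(InputStream in, byte[] buf) throws IOException {
        int total = 0;
        while (total < buf.length) {
            int n = in.read(buf, total, buf.length - total);
            if (n < 0) {
                throw new EOFException("stream ended after " + total + " of " + buf.length + " HMAC bytes");
            }
            total += n;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a payload and the HMAC-SHA256 trailer computed over it.
        byte[] key = "constructed-demo-key".getBytes("UTF-8");
        byte[] payload = "constructed ciphertext bytes".getBytes("UTF-8");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] expected = mac.doFinal(payload);
        // A single read() call returns only part of the 32-byte trailer.
        InputStream trailer = new ShortReadStream(new ByteArrayInputStream(expected), 5);
        byte[] single = new byte[expected.length];
        int got = trailer.read(single, 0, single.length);
        System.out.println("single read returned " + got + " of " + single.length);
        // The loop collects the whole trailer before the constant-time comparison.
        trailer = new ShortReadStream(new ByteArrayInputStream(expected), 5);
        byte[] full = new byte[expected.length];
        readFully(trailer, full);
        System.out.println("HMAC matches: " + MessageDigest.isEqual(expected, full));
    }
}
```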