Bug #13196

C_DeriveKey() doesn't always set object handle value

Added by Jason King 6 months ago. Updated 5 months ago.

lib - userland libraries

We had a customer report some problems with a Java app: Could not generate secret
        at java.base/$ECDHEKAKeyDerivation.t12DeriveKey(
        at java.base/$ECDHEKAKeyDerivation.deriveKey(
        at java.base/$ECDHEClientKeyExchangeProducer.produce(
        at java.base/$ClientKeyExchangeProducer.produce(
        at java.base/
        at java.base/$ServerHelloDoneConsumer.consume(
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/
        at java.base/$AppOutputStream.write(
        at java.base/$AppOutputStream.write(
        at SSLPoke.main(
Caused by: Could not derive key
        at jdk.crypto.cryptoki/
        at jdk.crypto.cryptoki/
        at java.base/javax.crypto.KeyAgreement.generateSecret(
        at java.base/$ECDHEKAKeyDerivation.t12DeriveKey(
        ... 17 more
        at jdk.crypto.cryptoki/ Method)
        at jdk.crypto.cryptoki/
        ... 20 more

Unfortunately, trying to dtrace is challenging due to it being dlopen()ed. However, using a provided test program with a modified to spit out some data:

C_GetAttributeValue: sess=272512b13b014035 obj=0 Could not generate secret
    at java.base/$ECDHEKAKeyDerivation.t12DeriveKey(

'0' is always an invalid session or object handle. Digging a bit more, the problem is that soft_derivekey() doesn't always set phKey to the created object id. Both the CKM_DH_PKCS_DERIVE and CKM_ECDH1_DERIVE mechanisms in that function skip past the 'common' label (unlike the other mechanisms). That means the *phKey = secret_key->handle; statement isn't always getting executed. The flow in this function is somewhat convoluted; we should try to mildly refactor this to fix this.

Files (48.7 KB) Jason King, 2020-11-05 04:29 PM
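
The control-flow problem described above, reduced to a small C model. This is an added example, not the illumos source or the committed fix; the type, enum and function names and the handle value are constructed stand-ins. It also shows a caller-side guard that rejects a "successful" derive that left the handle at 0.

```c
/* Simplified model of the flow; every name and value here is a stand-in. */
typedef unsigned long obj_handle_t;
#define INVALID_HANDLE 0UL              /* 0 is never a valid handle */
enum mech { MECH_DH_PKCS_DERIVE, MECH_ECDH1_DERIVE, MECH_OTHER };
struct object { obj_handle_t handle; };
static struct object secret = { 0x1234UL };     /* constructed key object */

/* Buggy shape: DH/ECDH jump past the shared tail that publishes the handle. */
int derive_buggy(enum mech m, obj_handle_t *phKey)
{
	struct object *secret_key = &secret;

	switch (m) {
	case MECH_DH_PKCS_DERIVE:
	case MECH_ECDH1_DERIVE:
		goto done;              /* skips the assignment below */
	default:
		break;
	}
	*phKey = secret_key->handle;    /* shared tail */
done:
	return (0);                     /* success is reported either way */
}

/* Restructured: one exit, and success always implies *phKey was written. */
int derive_fixed(enum mech m, obj_handle_t *phKey)
{
	struct object *secret_key = &secret;
	int rv = 0;

	*phKey = INVALID_HANDLE;
	if (m != MECH_DH_PKCS_DERIVE && m != MECH_ECDH1_DERIVE && m != MECH_OTHER)
		rv = -1;                /* unknown mechanism */
	if (rv == 0)
		*phKey = secret_key->handle;
	return (rv);
}

/* Caller-side guard: "success" with handle 0 is treated as a failure. */
int derive_checked(int (*fn)(enum mech, obj_handle_t *), enum mech m,
    obj_handle_t *out)
{
	int rv;

	*out = INVALID_HANDLE;
	rv = fn(m, out);
	return ((rv == 0 && *out == INVALID_HANDLE) ? -1 : rv);
}
```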

Updated by Jason King 6 months ago

There is a small Java program called 'SSLPoke' that can recreate the issue. While it is claimed to be Apache licensed, the original source from Atlassian had no license, so I don't want to link or attach to it here.


Updated by Andy Fiddaman 6 months ago

This simple Java program should replicate it. When I compile and run this under openjdk11, I get the cannot derive key error.

public class af {
   public static void main(String[] args) throws IOException{
           URLConnection conn = new URL("").openConnection();

Updated by Electric Monk 6 months ago

  • Gerrit CR set to 1009

Updated by Jason King 5 months ago

To test, I used both the SSLPoke program as well as the small test program Andy provided (in this ticket). Note that with Java, the crypto provider used depends on the contents of the file. To ensure the PKCS11 provider was being used for the tests, I used the attached file and ran java with

Without the fixed library, the java programs failed as described in the ticket description. With the fixed library, they both succeeded.


Updated by Electric Monk 5 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 6cb54de2051534cc59e36ddc42abe1960e47c133

commit  6cb54de2051534cc59e36ddc42abe1960e47c133
Author: Jason King <>
Date:   2020-11-06T20:45:44.000Z

    13196 C_DeriveKey() doesn't always set object handle value
    Reviewed by: C Fraire <>
    Reviewed by: Andy Fiddaman <>
    Reviewed by: Toomas Soome <>
    Approved by: Dan McDonald <>
