Generic Security Provider native image registration code is not complete

Describe the bug

The current security provider registration code is limited in what it can do - it can only work for the default Sun providers which are already available - and it only registers them for reflection.

It does not work for providers like sun.security.pkcs11.SunPKCS11

Expected behavior

When a new provider is registered it should be added as a security provider if it is not already available - additionally it should be registered as an additional security provider in native image

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 14 (11 by maintainers)

Top GitHub Comments

2 reactions
sberyozkin commented, Nov 2, 2021

@malys Thanks, this is sufficient, I think the problem is not confined to supporting this specific provider - if we can tune the code such that any 3rd party provider requiring no dedicated processing works in native then it will work for this provider as well

0 reactions
zakkak commented, May 16, 2022

Can you please give me a favor and try to re-run with -Djava.security.debug=sunpkcs11 - it may show some more info and also try setting an env SOFTHSM2_CONF to the config path location ?

Same issue

And if that does not help, replace Security.getProvider("SunPKCS11").configure(pathToConfigFile); with Security.getProvider("SunPKCS11").configure("--" + contentOfConfigFile); ?

I am not sure how to do that given that the config file is multiline. Shall I just separate key=value pairs by space?

I tried

diff --git a/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java b/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
index 2fc5053943..8bdb1efb93 100644
--- a/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
+++ b/integration-tests/bouncycastle/src/main/java/io/quarkus/it/bouncycastle/BouncyCastleEndpoint.java
@@ -4,6 +4,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.security.KeyFactory;
 import java.security.KeyPairGenerator;
+import java.security.Provider;
 import java.security.Security;
 import java.security.Signature;
 import java.security.spec.PKCS8EncodedKeySpec;
@@ -25,6 +26,21 @@ public class BouncyCastleEndpoint {
     @GET
     @Path("listProviders")
     public String listProviders() {
+        Provider configuredProvider = Security.getProvider("SunPKCS11")
+                .configure("--name = SoftHSM\n" +
+                "library = /usr/lib64/softhsm/libsofthsm.so\n" +
+                "slot = 1423586702\n" +
+                "attributes(generate, *, *) = {\n" +
+                "   CKA_TOKEN = true\n" +
+                "}\n" +
+                "attributes(generate, CKO_CERTIFICATE, *) = {\n" +
+                "   CKA_PRIVATE = false\n" +
+                "}\n" +
+                "attributes(generate, CKO_PUBLIC_KEY, *) = {\n" +
+                "   CKA_PRIVATE = false\n" +
+                "}\n");
+        Security.addProvider(configuredProvider);
+
         return Arrays.asList(Security.getProviders()).stream()
                 .filter(p -> (p.getName().equals("BC") || p.getName().equals("SunPKCS11")))
                 .map(p -> p.getName()).collect(Collectors.joining(","));
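
Review bot: the .filter(...) in the trailing context matches only the exact name "SunPKCS11", but a SunPKCS11 provider configured with "name = SoftHSM" reports its name as SunPKCS11-SoftHSM, so the endpoint's output cannot show whether the newly configured provider was actually added; compare against configuredProvider.getName() or use startsWith("SunPKCS11") instead. Separately, Security.getProvider("SunPKCS11") returns null when that provider is not installed, so the chained .configure(...) call at the top of the added block should be guarded with a null check that reports the missing provider rather than failing with a NullPointerException. The library path and slot number are hard-coded, and the configure/addProvider pair runs on every GET to listProviders; reading both values from test configuration and registering once at startup would keep the test portable and avoid repeated registration attempts.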

with no luck.
