Pepe Gutiérrez - 1 year ago
Java Question

SunPKCS11 provider in Java 9

Up to Java 8 the SunPKCS11 provider was loaded like this:

import java.io.ByteArrayInputStream;
import java.security.Provider;
import java.security.Security;
// Java 8: the provider is built directly from an in-memory configuration stream
Provider provider = new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(configFile.getBytes()));
Security.addProvider(provider);


"configFile" is a String with the configuration parameters. So, if the application needed to work with several connected smart cards it could create multiple providers. To access each provider the name used was "SunPKCS11-" followed by the name we indicated in the configuration.

In Java 8, the sun.security.pkcs11.SunPKCS11 class was removed in the JDK. So, I had to program the previous call by reflection.

The operation of the PKCS#11 provider in Java 9 seems very different:

  • The SunPKCS11 constructor has been changed to an empty one. The configuration is loaded by the "configure" method, so it is mandatory that it is in a file on disk and I can no longer load it through a stream to a string.

  • If we try to use the reflection the following warnings appear:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by PruebaTarjeta (file:/C:/temp/pkcs11java9/classes/) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of PruebaTarjeta
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

  • In Java 9, a SunPKCS11 provider is automatically generated and is in the list of cryptographic providers. It can be obtained from the list and configured. The problem is that you can only have one PKCS#11 provider loaded in the list. The Java 9 documentation indicates that we can get the PKCS#11 provider with "SunPKCS11-" followed by the name we indicated in the configuration, but it's not true. If we look at the list of providers the only one is "SunPKCS11", so I cannot have one provider per smart card.

Does this also happen to someone else? Any solution?

Answer Source

If you look at the javadoc for configure:

Apply the supplied configuration argument to this provider instance and return the configured provider. Note that if this provider cannot be configured in-place, a new provider will be created and returned. Therefore, callers should always use the returned provider.

This indicates that the new control flow for creating multiple providers would be something like:

Provider prototype = Security.getProvider("SunPKCS11");
Provider provider1 = prototype.configure(...);
Provider provider2 = prototype.configure(...);
...
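The flow in the answer carried through to working code, as an added example that is not part of the original answer and not code from the JDK itself. It goes slightly beyond the answer: it builds the configuration in memory (the Java 9 SunPKCS11 implementation treats a configure() argument starting with "--" as the configuration text itself rather than a file path), registers each returned instance with Security.addProvider(), and opens the PKCS#11 keystore bound to one specific provider. The library path, the provider names "card0"/"card1" and the slot indexes are placeholders; the configuration keys name, library and slotListIndex are the standard SunPKCS11 keys.

```java
import java.security.InvalidParameterException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: one SunPKCS11 provider instance per smart-card slot on Java 9+,
 * configured from an in-memory string instead of a file on disk.
 */
public class MultiCardProviders {

    // Placeholder path to the vendor's PKCS#11 module; replace for a real setup.
    private static final String PKCS11_LIBRARY = "/path/to/vendor-pkcs11.so";

    /**
     * Builds an inline SunPKCS11 configuration. A configure() argument that
     * starts with "--" is parsed as the configuration text itself (lines separated
     * by newlines), so no temporary file has to be written.
     */
    static String inlineConfig(String name, String library, int slotListIndex) {
        return "--name=" + name + "\n"
             + "library=" + library + "\n"
             + "slotListIndex=" + slotListIndex + "\n";
    }

    /**
     * Configures and registers one provider per slot. configure() never mutates
     * the "SunPKCS11" prototype: it returns a new Provider named
     * "SunPKCS11-<name>", and only after Security.addProvider() does that instance
     * appear in Security.getProviders(). This is why the provider list initially
     * shows only the bare "SunPKCS11" entry.
     */
    static List<Provider> registerCardProviders(String library, int cardCount) {
        Provider prototype = Security.getProvider("SunPKCS11");
        if (prototype == null) {
            throw new IllegalStateException(
                "SunPKCS11 prototype not present; is the jdk.crypto.cryptoki module available?");
        }
        List<Provider> registered = new ArrayList<>();
        for (int i = 0; i < cardCount; i++) {
            String name = "card" + i;               // placeholder provider name
            Provider configured;
            try {
                // A malformed configuration surfaces as InvalidParameterException;
                // a library that fails to load or a slot with no card surfaces as
                // ProviderException. Skip that slot rather than abort all cards.
                configured = prototype.configure(inlineConfig(name, library, i));
            } catch (InvalidParameterException | ProviderException e) {
                System.err.println("Skipping slot " + i + ": " + e.getMessage());
                continue;
            }
            if (Security.addProvider(configured) == -1) {
                // -1 means a provider with this name is already installed; reuse it.
                configured = Security.getProvider(configured.getName());
            }
            registered.add(configured);
        }
        return registered;
    }

    /** Opens the PKCS#11 keystore bound to exactly one provider, i.e. one card. */
    static KeyStore openCardKeyStore(Provider cardProvider, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", cardProvider);
        ks.load(null, pin);   // passing a null pin defers to a configured CallbackHandler
        return ks;
    }

    public static void main(String[] args) throws Exception {
        for (Provider p : registerCardProviders(PKCS11_LIBRARY, 2)) {
            // Expect names such as "SunPKCS11-card0" and "SunPKCS11-card1".
            System.out.println("Registered " + p.getName());
        }
    }
}
```

Passing the configured Provider object to KeyStore.getInstance("PKCS11", provider) rather than looking the provider up by name is the safer habit: it pins the keystore to the card you intend even if another provider with a similar name is installed later.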