Up to Java 8 the SunPKCS11 provider was loaded like this:
Provider provider = new sun.security.pkcs11.SunPKCS11 (new ByteArrayInputStream (configFile.getBytes ()));
Security.addProvider (provider);
configFile
is a String with the configuration parameters. So, if the application needed to work with several connected smart cards it could create multiple providers. To access each provider the name used was "SunPKCS11-" followed by the name we indicated in the configuration.
In Java 8, the sun.security.pkcs11.SunPKCS11
class was removed in the JDK. So, I had to program the previous call by reflection.
The operation of the PKCS#11 provider in Java 9 seems very different:
The SunPKCS11
constructor has been changed to an empty one. The configuration is loaded by the "configure" method, so it is mandatory that it is in a file on disk and I can no longer load it through a stream to a string.
If we try to use the reflection the following warnings appear:
WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by PruebaTarjeta (file:/C:/temp/pkcs11java9/classes/) to constructor sun.security.pkcs11.SunPKCS11() WARNING: Please consider reporting this to the maintainers of PruebaTarjeta WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release
Do this also happen to someone else? Any solution?
I noticed looking at the javadoc for configure
:
Apply the supplied configuration argument to this provider instance and return the configured provider. Note that if this provider cannot be configured in-place, a new provider will be created and returned. Therefore, callers should always use the returned provider.
This indicates to me that the prototype pattern is being used here, and that the new control flow for creating multiple providers would be something like:
Provider prototype = Security.getProvider("SunPKCS11");
Provider provider1 = prototype.configure(...);
Provider provider2 = prototype.configure(...);
...
As for using arguments directly instead of a filename, I did some digging into the source code and found this in sun.security.pkcs11.Config
:
Config(String fn) throws IOException {
this.filename = fn;
if (filename.startsWith("--")) {
// inline config
String config = filename.substring(2).replace("\\n", "\n");
reader = new StringReader(config);
Note the line with filename.startsWith("--")
, this filename comes directly from the argument to configure
. So you should be able to pass in the configuration arguments as a string as long as you start the string with --
, and then delimiting your key=value
pairs with \n
. (I am not currently able to test this though).
However, I can't find this fact publicly documented anywhere, so it might be subject to change, as well as it working differently for different providers, i.e. use at own risk!.