jsign icon indicating copy to clipboard operation
jsign copied to clipboard
verified publisher icon ebourg

IllegalAccessError with maven plugin and SafeNetEToken

Open InsideTheo opened this issue 1 year ago • 4 comments

Hi everyone,

Using the maven plugin in a Java 17 Project to sign an executable with a SafeNet token yields the following error:

[ERROR] Failed to execute goal net.jsign:jsign-maven-plugin:6.0:sign (default) on project direct-connect-client: Execution default of goal net.jsign:jsign-maven-plugin:6.0:sign failed: An API incompatibility was encountered while executing net.jsign:jsign-maven-plugin:6.0:sign: java.lang.IllegalAccessError: class net.jsign.SafeNetEToken (in unnamed module @0x550635c6) cannot access class sun.security.pkcs11.wrapper.PKCS11 (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export sun.security.pkcs11.wrapper to unnamed module @0x550635c6

Using the command line tool works just fine: jsign --storetype ETOKEN --storepass ... -t http://timestamp.sectigo.com ...exe

I suspect it has to do with the Java version, as the sun packages imported in SafeNetEToken become unavailable in java versions 9+.

InsideTheo avatar Sep 05 '24 13:09 InsideTheo

I was able to solve it by adding this to my maven options, as suggested by a different GitHub Issue (I think only the first two are needed, but could be wrong): --add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED --add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-exports java.base/sun.security.action=ALL-UNNAMED --add-exports java.base/sun.security.rsa=ALL-UNNAMED --add-opens java.base/sun.security.util=ALL-UNNAMED

InsideTheo avatar Sep 05 '24 13:09 InsideTheo

Reopening, I have to document this.

ebourg avatar Sep 05 '24 16:09 ebourg

Works fine with my gradle.properties at project root:

org.gradle.jvmargs=--add-exports jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED

krasa avatar Dec 17 '24 18:12 krasa

CLI

# When using >=JDK 17 we have to make "sun.security.pkcs11.wrapper.PKCS11" available to "net.jsign.SafeNetEToken"
MAVEN_OPTS="--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
mvn clean install

Maven

echo "--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED" > .mvn/jvm.config

Intellij IDEA

  • reads .mvn/jvm.config but requires this file to be present in submodules, root config is not applied
  • can be overriden in Settings > Build Tools > Maven > Runner > "VM Options"

vovcacik avatar Jul 07 '25 14:07 vovcacik