[native-image] Unable to Access JCEKS KeyStore in Native Image
When I try to load or save a key to a JCEKS TrustStore, it fails with the following:
Exception in thread "main" com.oracle.svm.core.jdk.UnsupportedFeatureError: Trying to access the code base of class com.sun.crypto.provider.CipherForKeyProtector.
    at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:89)
    at java.base@17.0.5/javax.crypto.JceSecurity.getCodeBase(JceSecurity.java:361)
    at java.base@17.0.5/javax.crypto.JceSecurityManager.isCallerTrusted(JceSecurityManager.java:242)
    at java.base@17.0.5/javax.crypto.Cipher.<init>(Cipher.java:275)
    at java.base@17.0.5/com.sun.crypto.provider.CipherForKeyProtector.<init>(KeyProtector.java:436)
    at java.base@17.0.5/com.sun.crypto.provider.KeyProtector.seal(KeyProtector.java:350)
    at java.base@17.0.5/com.sun.crypto.provider.JceKeyStore.engineSetKeyEntry(JceKeyStore.java:290)
    at java.base@17.0.5/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
    at org.matthenry87.nativekeystoretesting.KeyService.accessKeyStore(NativeKeystoreTestingApplication.java:46)
    at org.matthenry87.nativekeystoretesting.NativeKeystoreTestingApplication.main(NativeKeystoreTestingApplication.java:16)
openjdk 17.0.5 2022-10-18
OpenJDK Runtime Environment GraalVM CE 22.3.0 (build 17.0.5+8-jvmci-22.3-b08)
OpenJDK 64-Bit Server VM GraalVM CE 22.3.0 (build 17.0.5+8-jvmci-22.3-b08, mixed mode, sharing)
Reproducer project: https://github.com/matthenry87/native-image-jceks-bug
I can see that the SunJCE provider is registered, as I print them out:
sun.security.provider.Sun
sun.security.rsa.SunRsaSign
sun.security.ec.SunEC
sun.security.ssl.SunJSSE
com.sun.crypto.provider.SunJCE
sun.security.provider.certpath.ldap.JdkLDAP
Seems it's trying to check the calling type's (CipherForKeyProtector) base class, and this is where it fails. I suspect that getCodeBase() isn't supposed to be reached at runtime, similar to this closed issue.
I've tried adding the following to the plugin args:
<arg>-H:+TraceSecurityServices</arg>
<arg>--enable-all-security-services</arg>
<arg>--initialize-at-build-time=com.sun.crypto.provider,javax.crypto</arg>
<arg>--enable-https</arg>
I also tried registering com.sun.crypto.provider.CipherForKeyProtector in reflection-config.json.
Beginning to wonder if normal SunJCE is not supported? Hence why Jipher JCE exists?
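A minimal round trip through the call that appears in the stack trace above (KeyStore.setKeyEntry on a JCEKS store), as an added example that is not part of the original post or the linked reproducer project. The class name, alias and passwords are constructed for illustration; on a regular JVM the program completes, while the report above describes the setKeyEntry step failing in a native image.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksRoundTrip {
    public static void main(String[] args) throws Exception {
        // Constructed sample values (assumptions, not from the reproducer project).
        char[] storePass = "changeit-store".toCharArray();
        char[] keyPass = "changeit-key".toCharArray();
        String alias = "demo-aes";

        // Print the registered providers, as the report does.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getClass().getName());
        }

        // Generate a secret key to protect inside the keystore.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey key = gen.generateKey();

        // Create an empty in-memory JCEKS keystore.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);

        // The trace above passes through this call:
        // JceKeyStore.engineSetKeyEntry -> KeyProtector.seal -> CipherForKeyProtector
        ks.setKeyEntry(alias, key, keyPass, null);

        // Serialize, reload and recover the key to confirm the round trip.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
        Key recovered = reloaded.getKey(alias, keyPass);

        if (!Arrays.equals(key.getEncoded(), recovered.getEncoded())) {
            throw new IllegalStateException("recovered key does not match");
        }
        System.out.println("JCEKS round trip OK");
    }
}
```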
Hello @matthenry87, can you please upgrade your GraalVM version to the latest Oracle GraalVM for JDK17?
@kassifar I am experiencing the same issue as described in this issue, with Oracle GraalVM 17.0.10+11.1 (build 17.0.10+11-LTS-jvmci-23.0-b27).