aws-samples / aws-cloudhsm-jce-examples

Sample applications demonstrating how to use the CloudHSM JCE
MIT No Attribution

KeyStore examples not working #56

Open raul-avila-ph opened 2 years ago

raul-avila-ph commented 2 years ago

I'm having a look at the examples after creating an HSM cluster. Most of them work well, except the examples using KeyStore; in those cases I always get an exception like this one:

Exception in thread "main" java.security.KeyStoreException: CloudHSM not found
    at java.base/java.security.KeyStore.getInstance(KeyStore.java:871)
    at com.amazonaws.cloudhsm.examples.AESCBCEncryptDecryptRunner.getKeyByLabel(AESCBCEncryptDecryptRunner.java:82)
    at com.amazonaws.cloudhsm.examples.AESCBCEncryptDecryptRunner.main(AESCBCEncryptDecryptRunner.java:54)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: CloudHSM, provider: CloudHSM, class: com.amazonaws.cloudhsm.jce.provider.CloudHsmKeyStore)
    at java.base/java.security.Provider$Service.newInstance(Provider.java:1868)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at java.base/java.security.Security.getImpl(Security.java:701)
    at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)
    ... 2 more
Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make field private java.security.KeyStoreSpi java.security.KeyStore.keyStoreSpi accessible: module java.base does not "opens java.security" to unnamed module @39fb3ab6
    at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
    at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
    at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:178)
    at java.base/java.lang.reflect.Field.setAccessible(Field.java:172)
    at com.amazonaws.cloudhsm.jce.provider.CloudHsmKeyStore.getSpiFromKeyStore(CloudHsmKeyStore.java:96)
    at com.amazonaws.cloudhsm.jce.provider.CloudHsmKeyStore.<init>(CloudHsmKeyStore.java:123)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at java.base/java.security.Provider$Service.newInstanceOf(Provider.java:1879)
    at java.base/java.security.Provider$Service.newInstanceUtil(Provider.java:1886)
    at java.base/java.security.Provider$Service.newInstance(Provider.java:1861)
    ... 6 more

I have tried to run this example using different versions of the JDK (8, 11, 17), and also installing a previous version of the JCE provider (5.4.0), as the latest version now is 5.5.0, but I'm always getting the same result.

Is there anything I'm missing here?

mailtoarpitshah commented 2 years ago

It's not working for me either. Could it be due to the security feature mentioned at https://openjdk.org/jeps/403?

jamesHanKey commented 1 year ago

The solution I found was to add a JVM arg:

--add-opens=java.base/java.security=ALL-UNNAMED

Breaking-encapsulation apache netbeans solution
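A preflight check for the condition in the stack trace above, as an added example that is not part of the thread or of the CloudHSM samples: it asks the module system whether `java.base` opens `java.security` to classpath code, then repeats the reflective access to `KeyStore.keyStoreSpi` that the trace shows failing, without needing an HSM. The class name `KeyStoreOpensCheck` is hypothetical, and the check assumes a JDK 9+ runtime with both this class and the provider loaded from the classpath (the unnamed module).

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.security.KeyStore;

// Added diagnostic (hypothetical class name); needs JDK 9+ for the Module API.
public class KeyStoreOpensCheck {

    /** True if java.base opens java.security to the module this class was loaded in. */
    static boolean securityPackageOpened() {
        Module javaBase = KeyStore.class.getModule();
        // Classes loaded from the classpath live in the unnamed module.
        Module caller = KeyStoreOpensCheck.class.getModule();
        return javaBase.isOpen("java.security", caller);
    }

    /** Repeats the reflective access from the trace; returns null on success, else the error text. */
    static String tryReflectiveAccess() {
        try {
            // Field name taken from the InaccessibleObjectException message in the issue.
            Field spi = KeyStore.class.getDeclaredField("keyStoreSpi");
            spi.setAccessible(true);
            return null;
        } catch (InaccessibleObjectException | NoSuchFieldException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("Java runtime: " + Runtime.version());
        System.out.println("java.security opened to this module: " + securityPackageOpened());

        String failure = tryReflectiveAccess();
        if (failure == null) {
            System.out.println("Reflective access to KeyStore.keyStoreSpi succeeded.");
        } else {
            System.out.println("Reflective access failed: " + failure);
            System.out.println("Start the JVM with: --add-opens=java.base/java.security=ALL-UNNAMED");
        }
        // Non-zero exit lets a launch script or CI step fail fast before touching the HSM.
        System.exit(failure == null ? 0 : 1);
    }
}
```

Run it once with and once without the `--add-opens` argument to confirm the flag reaches the JVM that launches the samples. The flag grants deep reflection into `java.security` to every class on the classpath, so keep it limited to that one package rather than opening more of `java.base`.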

imalhasaranga commented 1 year ago

Is this sorted now?