intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/

Illegal reflective access operation has occurred with pkcs11.cfg #50

Closed michnovka closed 2 years ago

michnovka commented 2 years ago

Jsignpdf 2.0.0

I am opening this issue because this will be an issue in the future version of OpenJDK (and I imagine also Java).

superuser@TheTower:~/jsignpdf-2.0.0$ GDK_SCALE=2 java -Djava.security.debug=pkcs11keystore -Djava.security.debug=sunpkcs11 -jar JSignPdf.jar                            
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.PKCS11Utils (file:/home/superuser/jsignpdf-2.0.0/JSignPdf.jar) to constructor sun.security.pkcs11.SunPKCS11()
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.PKCS11Utils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
SunPKCS11 loading /home/superuser/jsignpdf-2.0.0/conf/pkcs11.cfg
sunpkcs11: Initializing PKCS#11 library /usr/lib/x86_64-linux-gnu/libeop2v1czep11.so
Information for provider SunPKCS11-eObcanka
Library info:
  cryptokiVersion: 2.20
  manufacturerID: Monet+,a.s. Zlin Stipa          
  flags: 0
  libraryDescription: Czech eID v2.1 PKCS#11 library  
  libraryVersion: 2.20

My JAVA version:

superuser@TheTower:~/jsignpdf-2.0.0$ java --version
openjdk 14.0.2 2020-07-14
OpenJDK Runtime Environment (build 14.0.2+12-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 14.0.2+12-Ubuntu-120.04, mixed mode, sharing)

Contents of conf/pkcs11.cfg:

name=eObcanka
library=/usr/lib/x86_64-linux-gnu/libeop2v1czep11.so

kwart commented 2 years ago

Does it happen when you use the jsignpdf.sh script? The script contains additional arguments for Java to avoid the warnings.

michnovka commented 2 years ago

@kwart Hi, yes, the same happens with the bash wrapper:

superuser@TheTower:~/Applications/jsignpdf-2.0.0$ ./jsignpdf.sh 
FINE Relaxing SSL security.
FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfg
FINE PKCS11 provider registered with name SunPKCS11-eObcanka
FINE PKCS11 provider registered with name JSignPKCS11-eObcanka
INFO Starting JSignPdf
INFO Checking input and output PDF paths.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jsignpdf.utils.KeyStoreUtils (file:/home/superuser/Applications/jsignpdf-2.0.0/JSignPdf.jar) to field java.security.KeyStore.keyStoreSpi
WARNING: Please consider reporting this to the maintainers of net.sf.jsignpdf.utils.KeyStoreUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

kwart commented 2 years ago

Nice catch. The KeyStore access was fixed now in the master branch by adding the --add-opens java.base/java.security=ALL-UNNAMED argument.

There may be other places that need to be granted additional access. Please create a new issue or reopen this one if you find one.
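
The first warning in this thread comes from reflective access to the internal constructor sun.security.pkcs11.SunPKCS11(). The following is an added example, not JSignPdf's code (the class name Pkcs11NoReflection and the argument handling are hypothetical): it registers the provider from the same conf/pkcs11.cfg through the public Provider.configure(String) API available since Java 9, so the provider step needs no --add-opens. It assumes the PKCS#11 library named in the config file is installed and a token is present.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

// Added example: class name and argument handling are hypothetical.
public class Pkcs11NoReflection {

    /** Builds a configured SunPKCS11 provider using only public Java 9+ API. */
    static Provider loadProvider(String configPath) {
        // JDKs that ship the jdk.crypto.cryptoki module pre-register an
        // unconfigured "SunPKCS11" template provider.
        Provider template = Security.getProvider("SunPKCS11");
        if (template == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this runtime");
        }
        // configure() returns a new instance named SunPKCS11-<name from the config file>.
        Provider configured = template.configure(configPath);
        Security.addProvider(configured);
        return configured;
    }

    public static void main(String[] args) throws Exception {
        String configPath = args.length > 0 ? args[0] : "conf/pkcs11.cfg";
        Provider provider = loadProvider(configPath);
        System.out.println("Registered " + provider.getName());

        // Read the PIN without echo; with no console the PIN stays null and
        // load() fails if the token requires a login.
        Console console = System.console();
        char[] pin = console != null ? console.readPassword("Token PIN: ") : null;
        KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        try {
            keyStore.load(null, pin);
        } finally {
            if (pin != null) {
                Arrays.fill(pin, '\0'); // do not keep the PIN in memory
            }
        }
        for (String alias : Collections.list(keyStore.aliases())) {
            System.out.println(alias + " keyEntry=" + keyStore.isKeyEntry(alias));
        }
    }
}
```

Running it with --illegal-access=deny on a JDK that still accepts that option confirms that no encapsulated internals are touched.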