Affects Version/s: 5.4.1, 6.0.0
Fix Version/s: 6.0.1
Java Version: Amazon Corretto 11
The PKCS11PrivateKeyFactoryBean acquires a configured PKCS#11 provider by:
- Using reflection to get the 1-string-arg constructor for the keystore provider class,
- Calling that constructor with the pkcs11Config value to generate the Provider to use.
As far as I'm aware, that was the only way to do this (without editing the global java.security file) when we pulled this code together originally; it may or may not be the only way to do it in Java 8 but as described below I don't know of one.
This doesn't work in Java 9; that constructor has been removed. Instead, you must acquire the unconfigured provider via Security.getProvider("SunPKCS11") and then call its #configure method, which returns a new, configured provider.
The existence by default of the unconfigured provider, and the presence of the #configure API, starts with Java 9, the same release in which I think reflective access stopped working.
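The Java 9+ path described above, written out as an added example; this is not the project's PKCS11PrivateKeyFactoryBean code. The class name Pkcs11ProviderExample, the method names, and the aliasing of the bean's pkcs11Config value to a plain String are assumptions; the pkcs11Config value is assumed to be the SunPKCS11 configuration file path that the factory bean already takes.

```java
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;

/**
 * Added example (not the project's code): obtain a configured SunPKCS11
 * provider on Java 9+ through Provider#configure instead of the reflective
 * 1-string-arg constructor that Java 8 offered and Java 9 removed.
 */
public final class Pkcs11ProviderExample {

    private Pkcs11ProviderExample() {
    }

    /**
     * Returns a provider configured from the given PKCS#11 configuration.
     *
     * @param pkcs11Config path to the SunPKCS11 configuration file (assumed to be
     *                     the same value the factory bean's pkcs11Config property holds)
     */
    public static Provider configuredProvider(final String pkcs11Config)
            throws NoSuchProviderException {
        // Java 9+ registers an *unconfigured* SunPKCS11 provider by default.
        // On Java 8 this lookup returns null unless java.security registered one.
        final Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new NoSuchProviderException(
                    "SunPKCS11 provider not present; this path requires Java 9 or later");
        }
        // If java.security already configured it (e.g. a global PKCS#11 entry),
        // configure() would fail, so reuse it as-is.
        if (base.isConfigured()) {
            return base;
        }
        // configure() does not mutate 'base'; it returns a new provider instance,
        // so the default unconfigured provider stays untouched.
        return base.configure(pkcs11Config);
    }

    /**
     * Loads a private key from the token behind the configured provider.
     * The provider is passed explicitly so it need not be added to the global
     * provider list; add it with Security.addProvider only if other code must
     * find it by name.
     */
    public static PrivateKey loadPrivateKey(final String pkcs11Config,
            final String alias, final char[] pin) throws Exception {
        final Provider provider = configuredProvider(pkcs11Config);
        // "PKCS11" is the keystore type SunPKCS11 exposes; load(null, pin)
        // opens a session on the token with the supplied PIN.
        final KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
        keyStore.load(null, pin);
        final java.security.Key key = keyStore.getKey(alias, pin);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("No private key under alias " + alias);
        }
        return (PrivateKey) key;
    }

    /** Illustrative entry point; paths and PIN here are placeholders. */
    public static void main(final String[] args) throws Exception {
        final PrivateKey key = loadPrivateKey("/path/to/pkcs11.cfg", "idp-signing",
                "0000".toCharArray());
        System.out.println("Loaded " + key.getAlgorithm() + " key from token");
    }
}
```

Because the example calls Provider#configure and Provider#isConfigured directly, it compiles only against Java 9 or later, which matches the 6.x (IdP 4.x) branch this fix targets; a build that must also run on Java 8 would need to reach both methods reflectively and fall back to the removed constructor, which is exactly the split the issue describes.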
As a result, I don't think there's a way to fix this on the 5.x (IdP 3.x) branch. On the other hand, this was a relatively late addition and I guess it turns out no-one who has used it is running Java 11 yet.
It's a relatively simple fix for the 6.x (IdP 4.x) branch. I'll add some kind of test while I am there, although I will need to disable the bulk of it as our test environments don't include hardware crypto tokens.