Configuring the SpiffeProvider in java.security is not adding the Provider

[alwaysastudent]

I am trying to plugin the SpiffeProvider using just the java.security properties file, but this is not working for some reason. Can you please help me figure this out? I have to also mention that I don't rely on the SpiffeProvider.install()

The java.security content

# The provider sequence, 11 is accurate 
security.provider.11=io.spiffe.provider.SpiffeProvider
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=Spiffe
ssl.TrustManagerFactory.algorithm=Spiffe

# list of accepted SPIFFE IDs
ssl.spiffe.accept=spiffe://example.org/myservice

Please see this commit on my fork alwaysastudent/java-spiffe-examples@805a56d where I am trying to test a spring boot application jar.

The way I am running this example is by

java-spiffe-examples/spring-boot-x509-demo]$ java -Djava.security.debug=properties -Djava.security.policy=java.policy -Djava.security.properties=java.security -jar ./backend/build/libs/backend-0.1.jar


properties: reading security properties file: /Users/alwaysastudent/.sdkman/candidates/java/8.0.272.hs-adpt/jre/lib/security/java.security
properties: reading security properties file: file:/Users/alwaysastudent/dev/temp-projects/fork/java-spiffe-examples/spring-boot-x509-demo/java.security

But I am getting the following error

java.security.KeyStoreException: Spiffe not found
        at java.security.KeyStore.getInstance(KeyStore.java:851) ~[na:1.8.0_272]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:184) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) [tomcat-embed-core-9.0.37.jar!/:9.0.37]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.3.RELEASE.jar!/:2.3.3.RELEASE]
        at com.example.BackendApp.main(BackendApp.java:14) [classes!/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_272]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_272]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_272]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_272]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:109) [backend-0.1.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [backend-0.1.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [backend-0.1.jar:na]
Caused by: java.security.NoSuchAlgorithmException: Spiffe KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[na:1.8.0_272]
        at java.security.Security.getImpl(Security.java:695) ~[na:1.8.0_272]
        at java.security.KeyStore.getInstance(KeyStore.java:848) ~[na:1.8.0_272]
        ... 39 common frames omitted

I tried with and without the java.policy file and it does not work in both cases. If I run the program from intellij it works, but when I run this as an executable jar it does not. Kindly help understand the problem.

[maxlambrecht]

Hey @alwaysastudent, thanks for reporting it. Can you check whether this issue is also happening with later versions of java, i.e, Java 9+ ?

[alwaysastudent]

Yes I tried on java 8 and java 11. It is the same behavior.

[maxlambrecht]

I was looking into it, unfortunately I couldn't figure it out, I suspect that the embedded tomcat used by spring boot is not loading the Spiffe provider classes, thus the need for install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

[alwaysastudent]

I was looking into it, unfortunately I couldn't figure it out, I suspect that the embedded tomcat used by spring boot is not loading the Spiffe provider classes, thus the need for install the provider through SpiffeProvider.install() besides configuring it through the java.security file.

Do you think this has something to do with having the right java.policy ? If we drop the spiffe provider jar in the $java_home/jre/lib/ext it works. I tried fiddling with the java policy and could not figure, I wonder if it is coz of the Uber jar spring boot class loading mechanism.

[maxlambrecht]

Dropping the provider jar in $java_home/jre/lib/ext works in Java 8, but that mechanism was removed in Java 9. I tried adding the jar through -classpath, without luck. I guess it has to do with the spring boot´s embedded tomcat bootstrap classloader.

[alwaysastudent]

Ok, thank you for checking. Meanwhile, I think we should be creating an issue with the spring boot project.