
Does Java PKCS11 Keystore support multiple tokens? #137

@jfallows

I have setup an EC2 instance (Amazon 2023 Linux) with AWS Nitro Enclaves for ACM to verify Java PKCS11 Keystore support.

$ java -version
openjdk version "22.0.2" 2024-07-16
OpenJDK Runtime Environment Corretto-22.0.2.9.1 (build 22.0.2+9-FR)
OpenJDK 64-Bit Server VM Corretto-22.0.2.9.1 (build 22.0.2+9-FR, mixed mode, sharing)
$ cat /usr/lib/jvm/java-22-amazon-corretto/conf/security/java.security | grep security.provider | grep PKCS11
security.provider.12=SunPKCS11 /etc/pkcs11/keystore.conf

/etc/pkcs11/keystore.conf

name = p11ne
description = "PKCS#11 Keystore"
library = /usr/lib64/libp11-kit.so.0

/etc/nitro_enclaves/acm.yaml

enclave:
  cpu_count: 2
  memory_mib: 256

options:
  sync_interval_secs: 600

tokens:
  - label: acm-token-example
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.example.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <random>

$ sudo systemctl restart nitro-enclaves-acm.service
$ journalctl -e -u nitro-enclaves-acm.service
... systemd[1]: Starting nitro-enclaves-acm.service - Nitro Enclaves ACM Agent...
... systemd[1]: Started nitro-enclaves-acm.service - Nitro Enclaves ACM Agent.
... p11ne-agent[17279]: |INFO  | Setting up p11-kit config
... p11ne-agent[17279]: |INFO  | Restarting vsock proxy
... p11ne-agent[17279]: |INFO  | Syncing token acm-token-example
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list
Keystore type: PKCS11
Keystore provider: SunPKCS11-p11ne

Your keystore contains 3 entries

acm-ne-cert-0, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 15:84:66:30:52:93:38:2D:D8:D6:BE:2F:84:F7:72:9E:64:E7:CA:63:BE:BC:AA:BA:D7:FE:0E:6B:C0:4E:31:BF
acm-ne-cert-1, trustedCertEntry, 
Certificate fingerprint (SHA-256): B0:F3:30:A3:1A:0C:50:98:7E:1C:3A:7B:B0:2C:2D:DA:68:29:91:D3:16:5B:51:7B:D4:4F:BA:4A:60:20:BD:94
acm-ne-cert-2, trustedCertEntry, 
Certificate fingerprint (SHA-256): 87:DC:D4:DC:74:64:0A:32:2C:D2:05:55:25:06:D1:BE:64:F1:25:96:25:80:96:54:49:86:B4:85:0B:C7:27:06
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list -alias acm-ne-cert-0 -v | head -5
Alias name: acm-ne-cert-0
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.example.aklivity.io

All good so far. 👍

However, when we add a second token...

enclave:
  cpu_count: 2
  memory_mib: 256

options:
  sync_interval_secs: 600

tokens:
  - label: acm-token-test
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.test.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <same random>

  - label: acm-token-example
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.example.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <same random>

$ sudo systemctl restart nitro-enclaves-acm.service
$ journalctl -e -u nitro-enclaves-acm.service
... systemd[1]: Starting nitro-enclaves-acm.service - Nitro Enclaves ACM Agent...
... systemd[1]: Started nitro-enclaves-acm.service - Nitro Enclaves ACM Agent.
... p11ne-agent[17849]: |INFO  | Setting up p11-kit config
... p11ne-agent[17849]: |INFO  | Restarting vsock proxy
... p11ne-agent[17849]: |INFO  | Syncing token acm-token-test
... p11ne-agent[17849]: |INFO  | Syncing token acm-token-example
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list
Keystore type: PKCS11
Keystore provider: SunPKCS11-p11ne

Your keystore contains 3 entries

acm-ne-cert-0, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 31:C2:D5:77:F0:DF:55:6F:BD:9C:05:57:92:15:7B:BC:67:21:D9:9E:F4:47:35:B8:53:DD:CF:3E:A7:75:66:E9
acm-ne-cert-1, trustedCertEntry, 
Certificate fingerprint (SHA-256): BF:8A:69:02:7B:CC:8D:2D:42:A6:E6:D2:5B:DD:48:73:F6:A3:4B:8F:90:ED:F0:7E:86:C5:D6:91:6D:A0:B9:33
acm-ne-cert-2, trustedCertEntry, 
Certificate fingerprint (SHA-256): 87:DC:D4:DC:74:64:0A:32:2C:D2:05:55:25:06:D1:BE:64:F1:25:96:25:80:96:54:49:86:B4:85:0B:C7:27:06

...there is still only one PrivateKeyEntry.

$ keytool -storetype PKCS11 -keystore NONE -storepass <same random> -list -alias acm-ne-cert-0 -v | head -5
Alias name: acm-ne-cert-0
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.test.aklivity.io

...and it represents the first configured token in /etc/nitro_enclaves/acm.yaml.

Is this a bug, or is some configuration change required to get both the PrivateKeyEntry for *.test.aklivity.io and the PrivateKeyEntry for *.example.aklivity.io to show up via keytool?
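A diagnostic that is not part of the issue or of the nitro-enclaves-acm project: a SunPKCS11 provider instance is bound to exactly one PKCS#11 slot, and when its config names neither `slot` nor `slotListIndex` it uses slot list index 0, which is consistent with keytool showing only the first token. The program below walks the slot list index by index, configures one provider per slot inline, and lists the entries each one exposes, so if the agent publishes each token as its own slot, every token's PrivateKeyEntry appears under its own index. It assumes the library path from /etc/pkcs11/keystore.conf, the token PIN as the first command-line argument, and that either the stock `SunPKCS11` provider or the `SunPKCS11-p11ne` instance from keystore.conf is installed.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Collections;

public class P11SlotWalk {
    // Assumed: same module as /etc/pkcs11/keystore.conf; token PIN is the first argument.
    static final String LIBRARY = "/usr/lib64/libp11-kit.so.0";

    public static void main(String[] args) throws Exception {
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;
        // Either the stock unconfigured SunPKCS11 or the instance java.security already
        // configured from keystore.conf; configure() returns a fresh provider from either.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            base = Security.getProvider("SunPKCS11-p11ne");
        }
        if (base == null) {
            throw new IllegalStateException("no SunPKCS11 provider installed");
        }
        for (int idx = 0; ; idx++) {
            // Inline config (leading "--") so no extra file is needed; one provider per slot.
            String config = "--name = p11ne-slot" + idx + "\n"
                    + "library = " + LIBRARY + "\n"
                    + "slotListIndex = " + idx + "\n";
            Provider p;
            try {
                p = base.configure(config);
            } catch (ProviderException e) {
                // SunPKCS11 rejects an index past the end of the slot list; we are done.
                System.out.println("no slot at index " + idx + ": " + e.getMessage());
                break;
            }
            // Logging in with the PIN lets the PrivateKeyEntry objects show up, as with keytool.
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            System.out.println("slotListIndex " + idx + " -> " + p.getName());
            for (String alias : Collections.list(ks.aliases())) {
                String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
                System.out.println("  " + alias + ", " + kind);
            }
        }
    }
}
```

Run it as `java P11SlotWalk.java '<pin>'` on the instance; if a second index lists the other certificate's PrivateKeyEntry, the keystore.conf used by java.security only needs a `slotListIndex` (or `slot`) line per provider instance to reach it.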
