Bug#1012451: apksigner: Using PKCS11 keystore fails with NoSuchMethodException

d...@dbrgn.ch

Jun 7, 2022, 10:10:04 AM

Package: apksigner
Version: 30.0.3-4
Severity: important

When trying to use apksigner on Debian 11 in combination with a
hardware HSM (YubiHSM 2 in my case) through SunPKCS11, signing fails
with an error message:

$ apksigner sign \
    --ks NONE --ks-type PKCS11 \
    --ks-pass 0001password --ks-key-alias "APK Signing Cert" \
    --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg /etc/pkcs11/sunpkcs11_yubihsm2.cfg \
    --min-sdk-version 21 --max-sdk-version 31 \
    --out apk-release-signed.apk app-release-unsigned.apk
Exception in thread "main" java.lang.NoSuchMethodException: sun.security.pkcs11.SunPKCS11.<init>(java.lang.String)
    at java.base/java.lang.Class.getConstructor0(Class.java:3585)
    at java.base/java.lang.Class.getConstructor(Class.java:2271)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.installProvider(ApkSignerTool.java:988)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.access$200(ApkSignerTool.java:963)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:267)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:83)

On the same system, querying the certificates with keytool works
without problems:

# keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/pkcs11/sunpkcs11_yubihsm2.cfg -storepass 0001password -v
Keystore type: PKCS11
Keystore provider: SunPKCS11-yubihsm2-pkcs11

Your keystore contains 1 entry

Alias name: APK Signing Cert
...

I installed this apksigner version:

# dpkg --list | grep apksigner
ii apksigner 30.0.3-4 all command line tool to sign and verify Android APKs

On the system OpenJDK 11 and 17 are installed:

# dpkg --list | grep openjdk
ii openjdk-11-jre:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT
ii openjdk-11-jre-headless:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)
ii openjdk-17-jdk-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Development Kit (JDK) (headless)
ii openjdk-17-jre-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)

By default, Java 17 is used:

# java --version
openjdk 17.0.3 2022-04-19
OpenJDK Runtime Environment (build 17.0.3+7-Debian-1deb11u1)
OpenJDK 64-Bit Server VM (build 17.0.3+7-Debian-1deb11u1, mixed mode, sharing)

I tried switching to Java 11 with update-alternatives, but that didn't
resolve the error.

From the error message, it seems that the SunPKCS11 class is
instantiated incorrectly. I found this bug report in the Tor issue
tracker that describes the same issue:
https://www.mail-archive.com/tor-...@lists.torproject.org/msg183412.html
I did not really understand how the issue was resolved in their case,
however that person ended up using Fedora and not Debian. In any case,
it looks like apksigner seems to call a Java 8 API that isn't
compatible with Java 11 or 17, which are the only versions available in
Debian 11?

Here is a potentially related bug report and fix of an unrelated project:
https://github.com/zaproxy/zaproxy/issues/4147

My system:

# cat /etc/os-release | grep VERSION=
VERSION="11 (bullseye)"
# uname -r
5.17.9-arch1-1

Cheers,
Danilo

Hans-Christoph Steiner

Jun 7, 2022, 3:30:04 PM

Thanks for the detailed bug report. Have you tried using the Google binaries?
Does this also happen there? IIRC upstream fixed some bugs related to
smartcards in recent releases.

d...@dbrgn.ch

Jun 15, 2022, 11:40:04 AM

With upstream I assume you mean the apksigner binary shipped with the Android build-tools? I tried with build-tools 30.0.2:

$ /opt/android/cmdline-tools/tools/bin/sdkmanager --install "build-tools;30.0.2"

Followed by:

$ /opt/android/build-tools/30.0.2/apksigner sign \
    --ks NONE --ks-type PKCS11 \
    --ks-pass 0001password --ks-key-alias "APK Signing Cert" \
    --provider-class sun.security.pkcs11.SunPKCS11 \
    --provider-arg /etc/pkcs11/sunpkcs11_yubihsm2.cfg \
    --min-sdk-version 21 --max-sdk-version 31 \
    --out apk-release-signed.apk app-release-unsigned.apk
Exception in thread "main" java.lang.NoSuchMethodException: sun.security.pkcs11.SunPKCS11.<init>(java.lang.String)
    at java.base/java.lang.Class.getConstructor0(Class.java:3585)
    at java.base/java.lang.Class.getConstructor(Class.java:2271)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.installProvider(ApkSignerTool.java:1055)
    at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.access$200(ApkSignerTool.java:1030)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:281)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:84)

The line numbers in ApkSignerTool are different, but the error remains. I tried both with Java 17 and 11.

Danilo

d...@dbrgn.ch

Jun 21, 2022, 3:40:03 AM

For the record, Debian's apksigner works without issues after installing Java 8 and marking it as default with update-alternatives. This is definitely a compatibility issue that might need to be fixed either upstream or as a patch.

Danilo
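
[Added example, not part of the thread and not apksigner's or Debian's code.] The stack traces above show a reflective lookup of the SunPKCS11(String) constructor, which exists on Java 8 but not on Java 9 and later, where the provider is obtained unconfigured and then given its config file through Provider.configure(String). The sketch below loads the provider on either runtime and lists the token's aliases; the class name Pkcs11ProviderLoader is hypothetical and the config file path is passed as the first argument.

```java
import java.lang.reflect.Method;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

// Hypothetical helper class for illustration; not part of apksigner.
public class Pkcs11ProviderLoader {

    /** Returns a SunPKCS11 provider configured from configPath on Java 8 and on Java 9+. */
    static Provider load(String configPath) throws Exception {
        Method configure;
        try {
            // Provider.configure(String) was added in Java 9; it is looked up
            // reflectively so this file still compiles against Java 8.
            configure = Provider.class.getMethod("configure", String.class);
        } catch (NoSuchMethodException e) {
            configure = null;
        }
        if (configure == null) {
            // Java 8 path: the SunPKCS11(String) constructor, i.e. the lookup
            // that fails with NoSuchMethodException in the traces above.
            return (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                    .getConstructor(String.class).newInstance(configPath);
        }
        // Java 9+ path: take the unconfigured provider and configure it.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider is not available in this runtime");
        }
        return (Provider) configure.invoke(base, configPath);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: provider config file, e.g. /etc/pkcs11/sunpkcs11_yubihsm2.cfg
        Provider p = load(args[0]);
        Security.addProvider(p);
        // Prompt for the token PIN; this requires an interactive console.
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        System.out.println(p.getName() + " aliases: " + Collections.list(ks.aliases()));
    }
}
```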

Hans-Christoph Steiner

Aug 2, 2022, 11:20:04 AM

Control: fixed 1012451 31.0.2