Quarkus native image: Load a PKCS12 file at runtime

Question

I have a Quarkus application which implements the server side of a ProtoBuf-over-TLS communications channel and loads a PFX/P12 file at runtime to get the server certificate and private key.

The application runs fine as a when run from the built jar, but when I try running the native image, I get an error indicating that the PKCS12 algorithm cannot be found. It seems like native images expect to have the security artifact pulled-in at build time. Do I have this correct? Is there any way to work-around this?

Example code:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

import io.quarkus.runtime.QuarkusApplication;
import io.quarkus.runtime.annotations.QuarkusMain;

@QuarkusMain
public class KeystoreTest implements QuarkusApplication {
    String keystoreFile = "/home/sm-dp/... server.pfx";
    String keystoreSecret = "secret";

    @Override
    public int run(String... args) throws Exception {
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (InputStream fis = new FileInputStream(new File(keystoreFile))) {
            keystore.load(fis, keystoreSecret.toCharArray());
        }

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
        keyManagerFactory.init(keystore, keystoreSecret.toCharArray());

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);

        return 0;
    }
}

Stacktrace:

java.security.KeyStoreException: PKCS12 not found
    at java.security.KeyStore.getInstance(KeyStore.java:851)
    at com.mcleodnet.KeystoreTest.run(KeystoreTest.java:21)
    at com.mcleodnet.KeystoreTest_ClientProxy.run(KeystoreTest_ClientProxy.zig:157)
    at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:112)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:61)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:38)
    at io.quarkus.runner.GeneratedMain.main(GeneratedMain.zig:30)
Caused by: java.security.NoSuchAlgorithmException: class configured for KeyStore (provider: SunJSSE) cannot be found.
    at java.security.Provider$Service.getImplClass(Provider.java:1649)
    at java.security.Provider$Service.newInstance(Provider.java:1592)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at java.security.Security.getImpl(Security.java:695)
    at java.security.KeyStore.getInstance(KeyStore.java:848)
    ... 6 more
Caused by: java.lang.ClassNotFoundException: sun.security.pkcs12.PKCS12KeyStore
    at com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:60)
    at java.lang.Class.forName(DynamicHub.java:1194)
    at java.security.Provider$Service.getImplClass(Provider.java:1634)
    ... 11 more

Answer 1

Try to add quarkus.native.enable-all-security-services=true to your configuration.

If it's not working, you can add a @RegisterForReflection(targets = sun.security.pkcs12.PKCS12KeyStore.class) to one of your application class.