Module Signer with PKCS11 and Java9+

It turns out that Java9 changed the implementation and usage of SunPKCS11, breaking Java8 code. I had to apply the following patch to the module-signer:

From: "Philip J. Turmel" <philip@turmel.org>
Date: Tue, 13 Nov 2018 14:26:26 -0500
Subject: [PATCH] Java 11 Support, not backwards compatible

---
 pom.xml                                                      | 5 ++---
 .../com/inductiveautomation/ignitionsdk/ModuleSigner.java    | 5 +++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index ee564d5..4bfe5c0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,10 +27,9 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
+                <version>3.8.0</version>
                 <configuration>
-                    <source>1.8</source>
-                    <target>1.8</target>
+                    <release>11</release>
                 </configuration>
             </plugin>
             <plugin>
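Review bot: `<release>11</release>` in the compiler configuration makes the build require JDK 9 or later and produce class files that only a Java 11 or newer runtime will load, and apart from the subject line nothing in the patch records that requirement. Consider stating the minimum JDK in the project documentation, or moving the Java 11 settings into a Maven profile so the previous `<source>1.8</source>`/`<target>1.8</target>` build stays available.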
diff --git a/src/main/java/com/inductiveautomation/ignitionsdk/ModuleSigner.java b/src/main/java/com/inductiveautomation/ignitionsdk/ModuleSigner.java
index a727fe2..b4621e7 100644
--- a/src/main/java/com/inductiveautomation/ignitionsdk/ModuleSigner.java
+++ b/src/main/java/com/inductiveautomation/ignitionsdk/ModuleSigner.java
@@ -18,6 +18,7 @@ import java.security.Signature;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Properties;
+import java.util.Set;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
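Review bot: The added `import java.util.Set;` is not referenced by any other change in this patch, so it looks like an unused import; drop it unless code outside these hunks needs it.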
@@ -26,7 +27,6 @@ import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.output.NullOutputStream;
-import sun.security.pkcs11.SunPKCS11;
 
 @SuppressWarnings("restriction")
 public class ModuleSigner {
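Review bot: The `@SuppressWarnings("restriction")` left on `ModuleSigner` is probably obsolete once `import sun.security.pkcs11.SunPKCS11;` is removed. Check whether any other restricted-API use remains in the class and remove the annotation if not, so it does not hide future warnings.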
@@ -123,7 +123,8 @@ public class ModuleSigner {
             String aliasPwd = commandLine.getOptionValue(OPT_ALIAS_PWD, "");
 
             if (commandLine.hasOption(OPT_PKCS11_CFG)) {
-                Provider p = new SunPKCS11(commandLine.getOptionValue(OPT_PKCS11_CFG));
+                Provider p = Security.getProvider("SunPKCS11");
+                p = p.configure(commandLine.getOptionValue(OPT_PKCS11_CFG));
                 Security.addProvider(p);
                 keyStore = KeyStore.getInstance("PKCS11");
                 keyStore.load(null, keyStorePwd.toCharArray());
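
Review bot: `Security.getProvider("SunPKCS11")` returns null when that provider is not available in the running JVM, and the following `p = p.configure(...)` would then fail with a NullPointerException rather than a usable message. Add a null check before `configure` that reports the missing provider and exits cleanly.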

Note that this change breaks the module signer for Java8 and earlier!

1 Like

Thanks, I’ll apply this in a branch that can become master once Ignition 8 is released.

Hmm. The import of java.util.Set is a stray from my debugging efforts… you can drop that hunk.

Yep, I already did :stuck_out_tongue:

https://github.com/inductiveautomation/module-signer/tree/java-11

1 Like

I rebuilt the module signer with Java 11.
When I try to sign a module for Ignition 8, I have the following issue:

D:\dev\ignition\modules\src\Signer-module>java -jar module-signer8.jar -keystore=D:\dev\ignition\modules\src\Signer-module/certif/export_certif.jks -keystore-pwd=siai -alias=byes-siai -alias-pwd=******* -chain=D:\dev\ignition\modules\src\Signer-module/certif/byes_siai.p7b -module-in=D:/dev/ignition/modules/src/VideoViewer/VideoViewer-build/target/BYES-VideoViewer-unsigned.modl -module-out=D:/dev/ignition/modules/dist/BYES-VideoViewer-signed-1.4.0.modl
Erreur : LinkageError lors du chargement de la classe principale com.inductiveautomation.ignitionsdk.ModuleSigner$Main
        java.lang.UnsupportedClassVersionError: com/inductiveautomation/ignitionsdk/ModuleSigner$Main has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 53.0

Built with Oracle JDK 11.0.1

You have to run the modified module signer with Java11, too.

1 Like

Thanks @pturmel, I’d forgotten this with all the Java versions on my machine for building modules and running Ignition 7.9.8, 7.9.10-beta and 8.0-beta…

Dear all,
I cloned the master project from GitHub, compiled the project and ran it.
The following error occurred:

C:\DataBusiness\moranandr1\Desktop\ignition\sdk\module signer\module-signer-master\module-signer-master\target>java -jar module-signer-1.0.0-jar-with-dependencies.jar -keystore=C:\Users\moranandr1\sdk.jks -keystore-pwd=*** -alias=fts-eng -alias-pwd=*** -chain=C:\Users\moranandr1\fts_eng.p7b -module-in=C:\DataBusiness\moranandr1\Desktop\ignition\sdk\modules\kernel\base\base-build\target\Base-unsigned.modl -module-out=C:\DataBusiness\moranandr1\Desktop\ignition\sdk\modules\kernel\base\base-build\target\Base.modl
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/inductiveautomation/ignitionsdk/ModuleSigner$Main has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(Unknown Source)
        at java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.net.URLClassLoader.defineClass(Unknown Source)
        at java.net.URLClassLoader.access$100(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source)

I saw the modifications from @pturmel have been correctly added.
I also tried to compile with both 11.0.5 and 11.0.3 jdk versions.
What’s going on?

@mazeyrat were you able to sign your module with that configuration?

Thank you all.
Best,
Andrea

The module signer jar needs to be compiled with JDK 11, and this command needs to be run with JRE 11. You have to provide the full path to the java executable from JRE 11 to avoid this kind of issue if multiple Java versions are installed on your machine.

2 Likes
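
The mismatch behind the UnsupportedClassVersionError above can be checked from the jar itself. This added example (not part of the original thread or the module-signer project) reads each class file header and maps the major version to a Java release; the function names are hypothetical and the sample jar is constructed in memory.

```python
import io
import struct
import zipfile

def class_major_version(data: bytes) -> int:
    """Parse the 8-byte class file header: u4 magic, u2 minor, u2 major."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("bad magic, not a class file")
    return major

def java_release(major: int) -> int:
    """Map a class file major version to a Java release (52 -> 8, 53 -> 9, 55 -> 11)."""
    return major - 44

def jar_required_release(jar) -> int:
    """Lowest Java release able to load every regular class in the jar."""
    with zipfile.ZipFile(jar) as zf:
        majors = [
            class_major_version(zf.read(name))
            for name in zf.namelist()
            # Multi-release entries are only loaded by newer runtimes, so skip them.
            if name.endswith(".class") and not name.startswith("META-INF/versions/")
        ]
    if not majors:
        raise ValueError("no class files found in jar")
    return java_release(max(majors))

def can_run(jar, runtime_release: int) -> bool:
    """True when a runtime of the given release accepts the jar's classes."""
    return jar_required_release(jar) <= runtime_release

def build_sample_jar(major: int) -> io.BytesIO:
    """Constructed sample: a jar whose single entry holds only a class file header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        header = struct.pack(">IHH", 0xCAFEBABE, 0, major)
        zf.writestr("com/inductiveautomation/ignitionsdk/ModuleSigner$Main.class", header)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    jar = build_sample_jar(55)  # 55.0 is the version quoted in the error messages
    print("needs Java", jar_required_release(jar))
    for runtime in (8, 9, 11):
        print("Java", runtime, "can run it:", can_run(build_sample_jar(55), runtime))
```

`jar_required_release` also accepts a path, so it can be pointed at the built signer jar and compared with what `java -version` reports for the executable on the PATH.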

Thank you @mazeyrat for the quick reply.
I suppose I am doing so. The settings inside IntelliJ point to the expected Java version:

You need to check the Java version for C:\DataBusiness\moranandr1\Desktop\ignition\sdk\module signer\module-signer-master\module-signer-master\target>java -version

@mazeyrat, you are right. I was executing the old jre 1.8 version.
Thank you very much for your kind support.