Cannot sign data with keys from a SmartCard-HSM after Java update

[tir2]

Hello,
since Java-Update from jdk8u312 to jdk8u322 (OpenJDK) it isn't possiblem to sign any data with our SmartCard-HSM-Keys anymore. The server.log contains this Exception:

2022-09-05 16:04:05,616 ERROR [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-2) Error during CMP processing. .: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WithRSA for provider SunPKCS11-opensc-pkcs11.so-s$
server.log

Testing with ejbcaClientToolBox also fails:

java.security.NoSuchAlgorithmException: No such algorithm: RSA/ECB/PKCS1Padding

ClientToolBox_output.txt

The same problem with Java 11. Switching back to jdk8u312 seems to work properly.
Could it be this caused by this fix: https://bugs.openjdk.org/browse/JDK-8176837 ?

Can you help me with this problem?

Environment:

• ejbca-ce-7.9.0.2 (same problem with older versions),
• Wildfly 18
• opensc, last version 0.22.0
• SmartCard-HSM

[primetomas]

Yes there was an update to Java that changed/broke some PKCS#11 functionality. We have fixed this in the next upcoming release, it should be out in a few weeks, and then works both with the old and new java versions.

[primetomas]

No, 7.10.0.1 is the new release that I talked about. Should be no issues with 7.10.0.1

[tir2]

Unfortunately there ist the same error message "no such algorithm: SHA256WithRSA for provider SunPKCS11-opensc-pkcs11.so-s" in server.log with Java from 8_322 and 7.10.0.1.

[primetomas]

Can you provide the full stack trace.

[tir2]

Stack trace for creating a CRL:
server_CreateCRL.log

[primetomas]

Is that the first error message you get? That one is typically a symptom of failed connection to the HSM. Also for clientToolBox the error message is a bit sparse. When it comes to HSMs and EJBCA, testing with clientToolBox is actually the most efficient. It seems to be able to list keys, but not sign or encrypt. You never really know with Java PKCS#11 does.
You can try with P11spy, which lists the PKCS#11 calls that are done, and then it should be more visible exactly what happens in the communication between Java and the HSM.
https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm#HardwareSecurityModules(HSM)-PKCS11Spy