Package: apksigner
Version: 30.0.3-4
Severity: important

When trying to use apksigner on Debian 11 in combination with a hardware HSM (YubiHSM 2 in my case) through SunPKCS11, signing fails with an error message:

    $ apksigner sign \
        --ks NONE --ks-type PKCS11 \
        --ks-pass 0001password --ks-key-alias "APK Signing Cert" \
        --provider-class sun.security.pkcs11.SunPKCS11 \
        --provider-arg /etc/pkcs11/sunpkcs11_yubihsm2.cfg \
        --min-sdk-version 21 --max-sdk-version 31 \
        --out apk-release-signed.apk app-release-unsigned.apk
    Exception in thread "main" java.lang.NoSuchMethodException: sun.security.pkcs11.SunPKCS11.<init>(java.lang.String)
        at java.base/java.lang.Class.getConstructor0(Class.java:3585)
        at java.base/java.lang.Class.getConstructor(Class.java:2271)
        at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.installProvider(ApkSignerTool.java:988)
        at com.android.apksigner.ApkSignerTool$ProviderInstallSpec.access$200(ApkSignerTool.java:963)
        at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:267)
        at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:83)

On the same system, querying the certificates with keytool works without problems:

    # keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/pkcs11/sunpkcs11_yubihsm2.cfg -storepass 0001password -v
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-yubihsm2-pkcs11

    Your keystore contains 1 entry

    Alias name: APK Signing Cert
    ...

I installed this apksigner version:

    # dpkg --list | grep apksigner
    ii apksigner 30.0.3-4 all command line tool to sign and verify Android APKs

On the system OpenJDK 11 and 17 are installed:

    # dpkg --list | grep openjdk
    ii openjdk-11-jre:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT
    ii openjdk-11-jre-headless:amd64 11.0.15+10-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)
    ii openjdk-17-jdk-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Development Kit (JDK) (headless)
    ii openjdk-17-jre-headless:amd64 17.0.3+7-1~deb11u1 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)

By default, Java 17 is used:

    # java --version
    openjdk 17.0.3 2022-04-19
    OpenJDK Runtime Environment (build 17.0.3+7-Debian-1deb11u1)
    OpenJDK 64-Bit Server VM (build 17.0.3+7-Debian-1deb11u1, mixed mode, sharing)

I tried switching to Java 11 with update-alternatives, but that didn't resolve the error.

From the error message, it seems that the SunPKCS11 class is instantiated incorrectly. I found this bug report in the Tor issue tracker that describes the same issue:

https://www.mail-archive.com/tor-bugs@lists.torproject.org/msg183412.html

I did not really understand how the issue was resolved in their case; however, that person ended up using Fedora and not Debian.

In any case, it looks like apksigner seems to call a Java 8 API that isn't compatible with Java 11 or 17, which are the only versions available in Debian 11?

Here is a potentially related bug report and fix of an unrelated project:

https://github.com/zaproxy/zaproxy/issues/4147

My system:

    # cat /etc/os-release | grep VERSION=
    VERSION="11 (bullseye)"
    # uname -r
    5.17.9-arch1-1

Cheers,
Danilo
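
The stack trace above shows a reflective lookup of the SunPKCS11(String) constructor, which Java 9 removed in favour of Provider.configure(String). The following is an added example, not code from this report or from apksigner, showing a loader that works on both API generations and then lists the token's aliases; the class name Pkcs11ProviderDemo is hypothetical, and it assumes SunPKCS11 is in the JDK's registered provider list.

```java
import java.io.Console;
import java.lang.reflect.Method;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

public class Pkcs11ProviderDemo {

    // Returns a provider configured from the given SunPKCS11 config file.
    static Provider load(String className, String configPath) throws Exception {
        Method configure = null;
        try {
            // Provider.configure(String) exists on Java 9 and later only.
            configure = Provider.class.getMethod("configure", String.class);
        } catch (NoSuchMethodException e) {
            // Java 8: fall through to the constructor path below.
        }
        if (configure != null) {
            // Java 9+: take the registered, unconfigured instance and configure it.
            for (Provider p : Security.getProviders()) {
                if (p.getClass().getName().equals(className)) {
                    return (Provider) configure.invoke(p, configPath);
                }
            }
            throw new IllegalStateException(className + " is not registered");
        }
        // Java 8: public constructor taking the config path (removed in Java 9).
        return (Provider) Class.forName(className)
                .getConstructor(String.class).newInstance(configPath);
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: Pkcs11ProviderDemo <sunpkcs11-config> (run from a terminal)");
            System.exit(2);
        }
        Provider provider = load("sun.security.pkcs11.SunPKCS11", args[0]);
        Security.addProvider(provider);

        // Prompt for the PIN so it stays out of argv and shell history.
        char[] pin = console.readPassword("PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(provider.getName() + ": " + alias);
        }
    }
}
```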