Description
Describe the Issue
I am the maintainer of Certificate Ripper, which I have built with GraalVM. I was adding a new feature and stumbled upon an issue. I am trying to extract Postgres DB certificates, which I got working while using a fat jar. It does not work when I am running the native image. I am not quite sure why there is a difference in behaviour. The pull request is here: Hakky54/certificate-ripper#110
Using the latest version of GraalVM can resolve many issues.
- I tried with the latest version of GraalVM.
GraalVM Version
java version "25.0.1" 2025-10-21 LTS
Java(TM) SE Runtime Environment Oracle GraalVM 25.0.1+8.1 (build 25.0.1+8-LTS-jvmci-b01)
Java HotSpot(TM) 64-Bit Server VM Oracle GraalVM 25.0.1+8.1 (build 25.0.1+8-LTS-jvmci-b01, mixed mode, sharing)
Operating System and Version
Darwin MacBookPro 24.6.0 Darwin Kernel Version 24.6.0: Mon Jul 14 11:28:17 PDT 2025; root:xnu-11417.140.69~1/RELEASE_X86_64 x86_64
Troubleshooting Confirmation
- I tried the suggestions in the troubleshooting guide.
Run Command
./target/crip print -u=postgresql://localhost:5432/
Expected Behavior
[Fenix version 1.0, CertificateRipper version 1.0, SUN version 24, SunRsaSign version 24, SunEC version 24, SunJSSE version 24, SunJCE version 24, SunSASL version 24, JdkLDAP version 24, JdkSASL version 24, Apple version 24]
nl.altindag.ssl.socket.FenixSSLSocketFactory
nl.altindag.ssl.socket.FenixSSLSocketFactory
nl.altindag.ssl.socket.FenixSSLSocketFactory
Certificate ripper statistics:
- Certificate count
* 1: postgresql://localhost:5432/
[cn=localhost]
Certificates for url = postgresql://localhost:5432/
[
[
Version: V3
Subject: CN=localhost
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 31211996126076596147999338027719495623709022913370591887632988720610004032097760016008345790156702342195009365368156959125712771875783177237122222689823196867653884881232812806555219009894942490288929180418493391254446706821512257672335346037892662566871554703869495753177918085413564534189604133485556381243824728959475350934112799133217319962706911642363362829383506782715080237659432175302233892295525841514632241532146162042423493679178952709219542178492548540252419613055282285791992580920922147065723236149506037158805915815773798115281679259390591323530600590552570955839294244330974808478242461235603855182171
public exponent: 65537
Validity: [From: Tue Jan 14 03:32:28 CET 2025,
To: Fri Jan 12 03:32:28 CET 2035]
Issuer: CN=localhost
SerialNumber: 26:97:cd:84:a8:93:e2:5d:d3:2c:a0:ea:40:8d:7c:93:bf:06:e4:1d
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ED 8A 72 6D B7 87 AB 26 5E 6C 75 33 5B C9 BE E8 ..rm...&^lu3[...
0010: 04 6E 1A 06 .n..
]
]
]
Algorithm: [SHA256withRSA]
Signature:
]
Actual Behavior
[Fenix version 1.0, CertificateRipper version 1.0, SUN version 25, SunRsaSign version 25, SunEC version 25, SunJSSE version 25, SunJCE version 25, SunSASL version 25, JdkLDAP version 25, JdkSASL version 25, Apple version 25]
nl.altindag.ssl.socket.FenixSSLSocketFactory
java.lang.IllegalStateException: SSLContext is not initialized
at java.base@25.0.1/sun.security.ssl.SSLContextImpl.engineGetSocketFactory(SSLContextImpl.java:179)
at java.base@25.0.1/javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:325)
at nl.altindag.crip.client.postgres.PostgresClientRunnable.run(PostgresClientRunnable.java:39)
at nl.altindag.ssl.util.CertificateExtractingClient.get(CertificateExtractingClient.java:125)
at nl.altindag.crip.command.SharedProperties.getCertificates(SharedProperties.java:143)
at java.base@25.0.1/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:214)
at java.base@25.0.1/java.util.Iterator.forEachRemaining(Iterator.java:133)
at java.base@25.0.1/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1939)
at java.base@25.0.1/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:570)
at java.base@25.0.1/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:560)
at java.base@25.0.1/java.util.stream.ReduceOps$ReduceTask.doLeaf(ReduceOps.java:960)
at java.base@25.0.1/java.util.stream.ReduceOps$ReduceTask.doLeaf(ReduceOps.java:934)
at java.base@25.0.1/java.util.stream.AbstractTask.compute(AbstractTask.java:327)
at java.base@25.0.1/java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:759)
at java.base@25.0.1/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:511)
at java.base@25.0.1/java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:680)
at java.base@25.0.1/java.util.stream.ReduceOps$ReduceOp.evaluateParallel(ReduceOps.java:927)
at java.base@25.0.1/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:264)
at java.base@25.0.1/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:723)
at nl.altindag.crip.command.SharedProperties.getCertificateHolder(SharedProperties.java:92)
at nl.altindag.crip.command.print.PrintCommand.run(PrintCommand.java:52)
at picocli.CommandLine.executeUserObject(CommandLine.java:2045)
at picocli.CommandLine.access$1500(CommandLine.java:148)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2469)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2461)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2423)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2277)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2425)
at picocli.CommandLine.execute(CommandLine.java:2174)
at nl.altindag.crip.CertificateRipper.main(CertificateRipper.java:46)
at java.base@25.0.1/java.lang.invoke.LambdaForm$DMH/sa346b79c.invokeStaticInit(LambdaForm$DMH)
Certificate ripper statistics:
- Certificate count
* 0: postgresql://localhost:5432/
Steps to Reproduce
git clone git@github.com:Hakky54/certificate-ripper.git
cd certificate-ripper
git switch feature/support-for-postgres-db
mvn clean install -Pfat-jar
docker run -d --rm -e POSTGRES_PASSWORD=password -p 5432:5432 postgres:12 -c ssl=on -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
java -jar target/crip.jar print -u=postgresql://localhost:5432/
--> will print the certificate
mvn clean install -Pnative-image
./target/crip print -u=postgresql://localhost:5432/
--> does not print the certificate
Additional Context
I will try to give some context. I am using the Postgres driver manager to interact with the actual database. When establishing the connection, the Postgres library itself will create an SSLContext instance under the covers, see here. I am intercepting this by adding a custom security provider here. This code snippet creates a custom security provider and inserts it in the first position. Under the covers the following code statements will be executed first and second.
With this logic I can easily replace the SSLContext of a different library with a custom one. In this case I provide my own, which is able to capture server certificates. This works when running in my IDE and with a fat jar. However, it does not work when running it as a native executable created with Native Image.
I have attached the reachability-metadata.json here.
Any idea what the cause could be?
Run-Time Log Output and Error Messages
No response
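The provider-interception mechanism described in the Additional Context, as an added example that is not Certificate Ripper's, Fenix's or GraalVM's own code: a Provider inserted at position 1 registers its own SSLContextSpi, so a library's SSLContext.getInstance("TLS") resolves to a context that records the server chain. The class names CapturingProvider and CapturingSSLContextSpi are assumptions; the delegate is obtained from the SunJSSE provider, and the delegate is initialised eagerly so getSocketFactory() never hits the "SSLContext is not initialized" path even if the calling library skips init().

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Added illustration (hypothetical names), not the project's own code.
public final class CapturingProvider extends Provider {
    // Server chains seen during the extraction run.
    static final List<X509Certificate> CAPTURED = Collections.synchronizedList(new ArrayList<>());

    public CapturingProvider() {
        super("Capturing", "1.0", "SSLContext that records server certificates");
        // Legacy string registration: "SSLContext.<protocol>" -> SPI class name.
        for (String proto : List.of("TLS", "TLSv1.2", "TLSv1.3")) {
            put("SSLContext." + proto, CapturingSSLContextSpi.class.getName());
        }
    }

    public static final class CapturingSSLContextSpi extends SSLContextSpi {
        private final SSLContext delegate;

        public CapturingSSLContextSpi() throws GeneralSecurityException {
            // Initialise the real context here, not in engineInit(): a caller that
            // never invokes init() would otherwise get "SSLContext is not initialized".
            delegate = SSLContext.getInstance("TLS", "SunJSSE");
            delegate.init(null, new TrustManager[] { new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] c, String a) {}
                public void checkServerTrusted(X509Certificate[] c, String a) {
                    CAPTURED.addAll(Arrays.asList(c)); // record only; validation is out of scope here
                }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            } }, null);
        }
        // The library's own key/trust managers are deliberately ignored.
        protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) {}
        protected SSLSocketFactory engineGetSocketFactory() { return delegate.getSocketFactory(); }
        protected SSLServerSocketFactory engineGetServerSocketFactory() { return delegate.getServerSocketFactory(); }
        protected SSLEngine engineCreateSSLEngine() { return delegate.createSSLEngine(); }
        protected SSLEngine engineCreateSSLEngine(String h, int p) { return delegate.createSSLEngine(h, p); }
        protected SSLSessionContext engineGetServerSessionContext() { return delegate.getServerSessionContext(); }
        protected SSLSessionContext engineGetClientSessionContext() { return delegate.getClientSessionContext(); }
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(new CapturingProvider(), 1);   // first position wins the lookup
        SSLContext ctx = SSLContext.getInstance("TLS");          // what the Postgres driver calls
        System.out.println(ctx.getProvider().getName());         // Capturing
        System.out.println(ctx.getSocketFactory().getClass());   // usable without ctx.init(...)
    }
}
```

On the JVM this prints the custom provider's name; comparing that output against the native image is a quick way to tell whether the provider insertion or the SPI instantiation is what differs.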