
Does Java PKCS11 Keystore support multiple tokens? #137

Open
jfallows opened this issue Aug 28, 2024 · 0 comments

Comments

jfallows (Contributor) commented Aug 28, 2024

I have set up an EC2 instance (Amazon 2023 Linux) with AWS Nitro Enclaves for ACM to verify Java PKCS11 Keystore support.

$ java -version
openjdk version "22.0.2" 2024-07-16
OpenJDK Runtime Environment Corretto-22.0.2.9.1 (build 22.0.2+9-FR)
OpenJDK 64-Bit Server VM Corretto-22.0.2.9.1 (build 22.0.2+9-FR, mixed mode, sharing)
$ cat /usr/lib/jvm/java-22-amazon-corretto/conf/security/java.security | grep security.provider | grep PKCS11
security.provider.12=SunPKCS11 /etc/pkcs11/keystore.conf

/etc/pkcs11/keystore.conf

name = p11ne
description = "PKCS#11 Keystore"
library = /usr/lib64/libp11-kit.so.0

/etc/nitro_enclave/acm.yaml

enclave:
  cpu_count: 2
  memory_mib: 256

options:
  sync_interval_secs: 600

tokens:
  - label: acm-token-example
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.example.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <random>

$ sudo systemctl restart nitro-enclaves-acm.service
$ journalctl -e -u nitro-enclaves-acm.service
... systemd[1]: Starting nitro-enclaves-acm.service - Nitro Enclaves ACM Agent...
... systemd[1]: Started nitro-enclaves-acm.service - Nitro Enclaves ACM Agent.
... p11ne-agent[17279]: |INFO  | Setting up p11-kit config
... p11ne-agent[17279]: |INFO  | Restarting vsock proxy
... p11ne-agent[17279]: |INFO  | Syncing token acm-token-example
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list
Keystore type: PKCS11
Keystore provider: SunPKCS11-p11ne

Your keystore contains 3 entries

acm-ne-cert-0, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 15:84:66:30:52:93:38:2D:D8:D6:BE:2F:84:F7:72:9E:64:E7:CA:63:BE:BC:AA:BA:D7:FE:0E:6B:C0:4E:31:BF
acm-ne-cert-1, trustedCertEntry, 
Certificate fingerprint (SHA-256): B0:F3:30:A3:1A:0C:50:98:7E:1C:3A:7B:B0:2C:2D:DA:68:29:91:D3:16:5B:51:7B:D4:4F:BA:4A:60:20:BD:94
acm-ne-cert-2, trustedCertEntry, 
Certificate fingerprint (SHA-256): 87:DC:D4:DC:74:64:0A:32:2C:D2:05:55:25:06:D1:BE:64:F1:25:96:25:80:96:54:49:86:B4:85:0B:C7:27:06
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list -alias acm-ne-cert-0 -v | head -5
Alias name: acm-ne-cert-0
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.example.aklivity.io

All good so far. 👍

However, when we add a second token...

enclave:
  cpu_count: 2
  memory_mib: 256

options:
  sync_interval_secs: 600

tokens:
  - label: acm-token-test
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.test.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <same random>

  - label: acm-token-example
    source:
      Acm:
        certificate_arn: "arn:aws:acm:us-east-1:<account-id>:certificate/<certificate-uuid-*.example.aklivity.io>"
    refresh_interval_secs: 43200
    pin: <same random>

$ sudo systemctl restart nitro-enclaves-acm.service
$ journalctl -e -u nitro-enclaves-acm.service
... systemd[1]: Starting nitro-enclaves-acm.service - Nitro Enclaves ACM Agent...
... systemd[1]: Started nitro-enclaves-acm.service - Nitro Enclaves ACM Agent.
... p11ne-agent[17849]: |INFO  | Setting up p11-kit config
... p11ne-agent[17849]: |INFO  | Restarting vsock proxy
... p11ne-agent[17849]: |INFO  | Syncing token acm-token-test
... p11ne-agent[17849]: |INFO  | Syncing token acm-token-example
$ keytool -storetype PKCS11 -keystore NONE -storepass <random> -list
Keystore type: PKCS11
Keystore provider: SunPKCS11-p11ne

Your keystore contains 3 entries

acm-ne-cert-0, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 31:C2:D5:77:F0:DF:55:6F:BD:9C:05:57:92:15:7B:BC:67:21:D9:9E:F4:47:35:B8:53:DD:CF:3E:A7:75:66:E9
acm-ne-cert-1, trustedCertEntry, 
Certificate fingerprint (SHA-256): BF:8A:69:02:7B:CC:8D:2D:42:A6:E6:D2:5B:DD:48:73:F6:A3:4B:8F:90:ED:F0:7E:86:C5:D6:91:6D:A0:B9:33
acm-ne-cert-2, trustedCertEntry, 
Certificate fingerprint (SHA-256): 87:DC:D4:DC:74:64:0A:32:2C:D2:05:55:25:06:D1:BE:64:F1:25:96:25:80:96:54:49:86:B4:85:0B:C7:27:06

...there is still only one PrivateKeyEntry.

$ keytool -storetype PKCS11 -keystore NONE -storepass <same random> -list -alias acm-ne-cert-0 -v | head -5
Alias name: acm-ne-cert-0
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.test.aklivity.io

...and it represents the first configured token in /etc/nitro_enclaves/acm.yaml.

Is this a bug, or is some configuration change required to get both the PrivateKeyEntry for *.test.aklivity.io and the PrivateKeyEntry for *.example.aklivity.io to show up via keytool?
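An added diagnostic (not code from the issue or from the nitro-enclaves-acm project) that illustrates the one-slot-per-provider behaviour of SunPKCS11: a config that sets only name, description and library binds the provider to slotListIndex 0, so a second token in another slot is never visible through that provider. The snippet configures one SunPKCS11 provider per slot index until no more slots exist and lists each slot's keystore entries; it assumes p11-kit presents each synced token as its own PKCS#11 slot, that all tokens share the same PIN (as in the acm.yaml above), and that the program is run from a terminal so the PIN can be read without appearing on the command line.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Collections;

// Assumption: p11-kit exposes every synced token as a separate slot, and all
// tokens in acm.yaml use the same PIN. Library path is the one from keystore.conf.
public class ListP11Slots {
    static final String LIBRARY = "/usr/lib64/libp11-kit.so.0";

    // Inline SunPKCS11 configuration: a leading "--" tells Provider.configure()
    // that the argument is the config text itself rather than a file path.
    static String config(int slotListIndex) {
        return "--name = p11ne-slot" + slotListIndex + "\n"
             + "library = " + LIBRARY + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    public static void main(String[] args) throws Exception {
        // Read the PIN from the terminal so it does not show up in `ps` output.
        char[] pin = System.console().readPassword("Token PIN: ");
        Provider base = Security.getProvider("SunPKCS11");
        for (int i = 0; ; i++) {
            Provider p;
            try {
                // Fails once slotListIndex is beyond the library's slot list.
                p = base.configure(config(i));
            } catch (ProviderException e) {
                System.out.println("No slot at index " + i + ": stopping.");
                break;
            }
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);   // logs in to this slot's token with the PIN
            System.out.println("Provider " + p.getName() + " (slotListIndex " + i + ")");
            for (String alias : Collections.list(ks.aliases())) {
                String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
                System.out.println("  " + alias + ", " + kind);
            }
        }
        java.util.Arrays.fill(pin, '\0');   // scrub the PIN from memory when done
    }
}
```

The same per-slot binding can be expressed with keytool by pointing separate provider configs at `slotListIndex = 0` and `slotListIndex = 1` (or at explicit `slot` ids) and selecting each with `-providerName`; a single provider instance never spans slots.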
