java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl #106

Closed
vatral opened this issue Oct 28, 2021 · 14 comments
vatral commented Oct 28, 2021

Hello!

I'm using an EV certificate from SSL.com. The latest code after the fix for #105 made some progress, but still goes wrong somewhere. The Yubikey blinks briefly, but then jsign fails with this:

$ ./jsign.sh --keystore /home/vadim/etoken.cfg  --alias "X.509 Certificate for PIV Authentication" --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe
Adding Authenticode signature to nxproxy.exe
jsign: Couldn't sign nxproxy.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
	at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
	at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
	at net.jsign.SignerHelper.sign(SignerHelper.java:506)
	at net.jsign.JsignCLI.execute(JsignCLI.java:116)
	at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
	... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1303)
	at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1349)
	at java.base/java.security.Signature.initVerify(Signature.java:506)
	... 11 more

Some research suggests one of these might be related:

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4953555
https://stackoverflow.com/questions/41534827/java-signature-object-no-installed-provider-supports-this-key-sun-security-rs

ebourg (Owner) commented Oct 29, 2021

Are you sure the code signing certificate is in the "X.509 Certificate for PIV Authentication" slot? Usually it's in the "X.509 Certificate for Digital Signature" slot. You can try this instead:

jsign --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe

@Strangerxxx

Hello!
I've got the same issue as @vatral
Did you solve it somehow?

@Strangerxxx

@ebourg yes, I'm definitely sure that my certificate is in the "X.509 Certificate for PIV Authentication" slot

Strangerxxx commented Dec 3, 2021

Even an upgrade to BouncyCastle v1.70 did not help

devsibwarra commented Jan 19, 2022

Getting the same error with Google Cloud and SSL.com EV cert. My command is

> java -jar jsign\jsign\target\jsign-4.1-SNAPSHOT.jar --storetype GOOGLECLOUD --storepass $env:JSIGN_STOREPASS --keystore $env:JSIGN_KEYSTORE --alias $env:JSIGN_ALIAS --certfile ./cert-bundle.pem --tsmode RFC3161 --tsaurl "http://ts.ssl.com" .\sign-test.exe
Adding Authenticode signature to .\sign-test.exe
jsign: Couldn't sign .\sign-test.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
        at net.jsign.SignerHelper.sign(SignerHelper.java:523)
        at net.jsign.JsignCLI.execute(JsignCLI.java:116)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
        ... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1138)
        at java.security.Signature$Delegate.engineInitVerify(Signature.java:1170)
        at java.security.Signature.initVerify(Signature.java:460)
        ... 11 more
Try `java -jar jsign.jar --help' for more information.

Versions

  • Java: Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
  • Jsign: f93f338

Really appreciate the work on jsign and any suggestions you might have!

devsibwarra commented Jan 20, 2022

Following #93 (comment) from another jsign issue, I was able to successfully sign the file with CodeSignTool, but do see the same problem reported in that issue ("No signature was present in the subject"). Happy to help test any jsign changes as the cross-platform multi-service support would be ideal

ebourg (Owner) commented Jan 20, 2022

@devsibwarra What's the order of the certificates in cert-bundle.pem?

@devsibwarra

> @devsibwarra What's the order of the certificates in cert-bundle.pem?

The bundle order is

Certificate[1]: company-cert
Certificate[2]: SSL.com EV Code Signing Intermediate CA RSA R3
Certificate[3]: SSL.com EV Root Certification Authority RSA R2
Certificate[4]: Certum Trusted Network CA

@Strangerxxx

Finally fixed by resetting the YubiKey and reimporting the certificates from scratch

devsibwarra commented Jan 27, 2022

@ebourg Turns out I was using the wrong certificate bundle for Google Cloud HSM.

If it helps add error handling, when I was trying to use the bad cert with osslsigncode, I was getting

Failed to checking the consistency of a private key: pkcs11:object=key
          with a public key in any X509 certificate: .\cert.pem

Creating a new signature failed
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0B080073:x509 certificate routines:X509_check_private_key:key type mismatch:../openssl-1.1.1m/crypto/x509/x509_cmp.c:306:
Failed

Using the correct cert bundle with jsign + google cloud hsm gives me a valid signed file 🥂

ebourg (Owner) commented Jan 27, 2022

Good to hear it works. I'll try to add more checks.

@Spencer-Arbour

Hi,
I am running into this issue when using Google Cloud and SSL.com. @devsibwarra, can you go into more detail about what fixed it for you? I don't understand what you mean by the correct cert bundle.

ebourg (Owner) commented Jun 1, 2023

I've checked the behavior of Jsign when the private key and the public key don't match:

  • RSA private key + EC public key -> InvalidKeyException: No installed provider supports this key: sun.security.ec.ECPublicKeyImpl
  • EC private key + RSA public key -> InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
  • RSA 2048 private key + RSA 4096 public key -> SignatureException: Signature length not correct: got 256 but was expecting 512
  • Mismatched RSA public/private keys of the same length -> no error

There are two issues here:

  • The error message when the signature verification fails isn't really helpful. The root exception should be wrapped in an exception with a user friendly message hinting that the public/private keys don't match
  • The result of the signature verification isn't checked. If the verification fails without throwing an exception, nothing happens
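
The four outcomes listed above can be reproduced with plain JCA, and the same round trip doubles as a pre-signing consistency check. The following is an added example written for this thread, not jsign's own code: it generates throwaway keys in software (the class name, the probe bytes and the helper names are made up for the illustration), shows the raw exception or `false` a signer gets for each mismatch, and then runs a `check()` that reports the problem in plain words. Keys held in a YubiKey or a cloud HSM usually do not expose their modulus, so the structural RSA comparison is best effort there and the sign/verify round trip is the check that still works.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAKey;

/** Pre-signing check that a private key belongs to the certificate's public key (illustrative, not jsign code). */
public class KeyMatchCheck {

    // Constructed probe message; any fixed bytes will do.
    private static final byte[] PROBE =
            "key/certificate consistency probe".getBytes(StandardCharsets.UTF_8);

    static String signatureAlgorithmFor(String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default: throw new IllegalArgumentException("unsupported key algorithm: " + keyAlgorithm);
        }
    }

    /** What a signer sees with no checks: sign with the private key, verify with the certificate's public key. */
    static String rawRoundTrip(PrivateKey privateKey, PublicKey publicKey) {
        try {
            String alg = signatureAlgorithmFor(privateKey.getAlgorithm());
            Signature signer = Signature.getInstance(alg);
            signer.initSign(privateKey);
            signer.update(PROBE);
            byte[] sig = signer.sign();

            Signature verifier = Signature.getInstance(alg);
            verifier.initVerify(publicKey);   // InvalidKeyException "No installed provider supports this key" on an RSA/EC mix-up
            verifier.update(PROBE);
            // SignatureException "Signature length not correct" on an RSA length mismatch;
            // plain false on a same-length RSA mismatch, which is why the result must be checked.
            return verifier.verify(sig) ? "OK" : "verify() returned false";
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Friendly diagnosis: cheap structural checks first, then the round trip as the authoritative test. */
    static String check(PrivateKey privateKey, PublicKey publicKey) {
        if (!privateKey.getAlgorithm().equals(publicKey.getAlgorithm())) {
            return "key type mismatch: private key is " + privateKey.getAlgorithm()
                 + " but the certificate holds a " + publicKey.getAlgorithm() + " key";
        }
        // Software keys expose the modulus; token/HSM keys usually do not, so this branch is best effort.
        if (privateKey instanceof RSAKey && publicKey instanceof RSAKey) {
            RSAKey priv = (RSAKey) privateKey;
            RSAKey pub = (RSAKey) publicKey;
            if (priv.getModulus().bitLength() != pub.getModulus().bitLength()) {
                return "RSA key length mismatch: private key is " + priv.getModulus().bitLength()
                     + " bits but the certificate key is " + pub.getModulus().bitLength() + " bits";
            }
            if (!priv.getModulus().equals(pub.getModulus())) {
                return "RSA modulus mismatch: the private key does not belong to this certificate";
            }
        }
        String result = rawRoundTrip(privateKey, publicKey);
        return result.equals("OK") ? "OK" : "the private key does not match the certificate (" + result + ")";
    }

    static KeyPair generate(String algorithm, int bits) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm);
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair rsa2048a = generate("RSA", 2048);
        KeyPair rsa2048b = generate("RSA", 2048);
        KeyPair rsa4096  = generate("RSA", 4096);
        KeyPair ec256    = generate("EC", 256);

        Object[][] cases = {
            { "RSA priv + EC pub",              rsa2048a.getPrivate(), ec256.getPublic() },
            { "EC priv + RSA pub",              ec256.getPrivate(),    rsa2048a.getPublic() },
            { "RSA 2048 priv + RSA 4096 pub",   rsa2048a.getPrivate(), rsa4096.getPublic() },
            { "mismatched RSA 2048 pair",       rsa2048a.getPrivate(), rsa2048b.getPublic() },
            { "matching RSA 2048 pair",         rsa2048a.getPrivate(), rsa2048a.getPublic() },
        };
        for (Object[] c : cases) {
            PrivateKey priv = (PrivateKey) c[1];
            PublicKey pub = (PublicKey) c[2];
            System.out.println(c[0]);
            System.out.println("  raw:   " + rawRoundTrip(priv, pub));
            System.out.println("  check: " + check(priv, pub));
        }
    }
}
```

Run it with `javac KeyMatchCheck.java && java KeyMatchCheck`. The "raw" line for each case shows the exception text that surfaces in the stack traces above (the `InvalidKeyException` naming `ECPublicKeyImpl` or `RSAPublicKeyImpl`, the `SignatureException` about signature length) or, for the same-length RSA mismatch, nothing but a `false` return value; the "check" line is the kind of message a signer should print before attempting to sign. To apply the same check to a real certificate bundle, take the public key from `certificate.getPublicKey()` on the first certificate in the chain and pass it as `publicKey`.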

@ebourg ebourg added this to the 5.0 milestone Jun 1, 2023
ebourg added a commit that referenced this issue Jun 1, 2023
ebourg (Owner) commented Jun 1, 2023

Jsign now displays an explicit error message when the private key and the certificate don't match

@ebourg ebourg closed this as completed Jun 1, 2023
5 participants