java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl

[vatral]

Hello!

I'm using an EV certificate from SSL.com. The latest code after the fix for #105 made some progress, but still goes wrong somewhere. The Yubikey blinks briefly, but then jsign fails with this:

$ ./jsign.sh --keystore /home/vadim/etoken.cfg  --alias "X.509 Certificate for PIV Authentication" --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe
Adding Authenticode signature to nxproxy.exe
jsign: Couldn't sign nxproxy.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
	at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
	at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
	at net.jsign.SignerHelper.sign(SignerHelper.java:506)
	at net.jsign.JsignCLI.execute(JsignCLI.java:116)
	at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
	... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
	at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1303)
	at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1349)
	at java.base/java.security.Signature.initVerify(Signature.java:506)
	... 11 more

Some research suggests one of these might be related:

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4953555
https://stackoverflow.com/questions/41534827/java-signature-object-no-installed-provider-supports-this-key-sun-security-rs

[ebourg]

Are you sure the code signing certificate is in the "X.509 Certificate for PIV Authentication" slot ? Usually it's in the "X.509 Certificate for Digital Signature" slot. You can try this instead:

jsign --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe

[Strangerxxx]

Hello!
I've got the same issue as @vatral
Did you solve it somehow?

[Strangerxxx]

@ebourg yes, I definitely sure that my certificate in the "X.509 Certificate for PIV Authentication" slot

[Strangerxxx]

Even an upgrade to bouncycastle v1.70 did not helped

[devsibwarra]

Getting the same error with Google Cloud and SSL.com EV cert. My command is

> java -jar jsign\jsign\target\jsign-4.1-SNAPSHOT.jar --storetype GOOGLECLOUD --storepass $env:JSIGN_STOREPASS --keystore $env:JSIGN_KEYSTORE --alias $env:JSIGN_ALIAS --certfile ./cert-bundle.pem --tsmode RFC3161 --tsaurl "http://ts.ssl.com" .\sign-test.exe
Adding Authenticode signature to .\sign-test.exe
jsign: Couldn't sign .\sign-test.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
        at net.jsign.SignerHelper.sign(SignerHelper.java:523)
        at net.jsign.JsignCLI.execute(JsignCLI.java:116)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
        ... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1138)
        at java.security.Signature$Delegate.engineInitVerify(Signature.java:1170)
        at java.security.Signature.initVerify(Signature.java:460)
        ... 11 more
Try `java -jar jsign.jar --help' for more information.

Versions

• Java: Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
• Jsign: f93f338

Really appreciate the work on jsign and any suggestions you might have!

[devsibwarra]

Following #93 (comment) from another jsign issue, I was able to successfully sign the file with CodeSignTool, but do see the same problem reported in that issue ("No signature was present in the subject"). Happy to help test any jsign changes as the cross-platform multi-service support would be ideal

[ebourg]

@devsibwarra What's the order of the certificates in cert-bundle.pem?

[devsibwarra]

@devsibwarra What's the order of the certificates in cert-bundle.pem?

The bundle order is

Certificate[1]: company-cert
Certificate[2]: SSL.com EV Code Signing Intermediate CA RSA R3
Certificate[3]: SSL.com EV Root Certification Authority RSA R2
Certificate[4]: Certum Trusted Network CA

[Strangerxxx]

finally fixed by resetting yubikey and reimporting certificates from scratch

[devsibwarra]

@ebourg Turns out I was using the wrong certificate bundle for Google Cloud HSM.

If it helps add error handling, when I was trying to use the bad cert with osslsigncode, I was getting

Failed to checking the consistency of a private key: pkcs11:object=key
          with a public key in any X509 certificate: .\cert.pem

Creating a new signature failed
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0B080073:x509 certificate routines:X509_check_private_key:key type mismatch:../openssl-1.1.1m/crypto/x509/x509_cmp.c:306:
Failed

Using the correct cert bundle with jsign + google cloud hsm gives me a valid signed file 🥂

[ebourg]

Good to hear it works. I'll try to add more checks.

[Spencer-Arbour]

Hi,
I am running into this issue when using google cloud and ssl.com @devsibwarra can you go into more detail about what fixed it for you? I don't understand what you mean by the correct cert bundle.

[ebourg]

I've checked the behavior of Jsign when the private key and the public key don't match:

• RSA private key + EC public key -> InvalidKeyException: No installed provider supports this key: sun.security.ec.ECPublicKeyImpl
• EC private key + RSA public key -> InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
• RSA 2048 private key + RSA 4096 public key -> SignatureException: Signature length not correct: got 256 but was expecting 512
• Mismatched RSA public/private keys of the same length -> no error

There are two issues here:

• The error message when the signature verification fails isn't really helpful. The root exception should be wrapped in an exception with a user friendly message hinting that the public/private keys don't match
• The result of the signature verification isn't checked. If the verification fails without throwing an exception, nothing happens