ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl #106

Closed vatral closed 1 year ago

vatral commented 2 years ago

Hello!

I'm using an EV certificate from SSL.com. The latest code after the fix for #105 made some progress, but still goes wrong somewhere. The Yubikey blinks briefly, but then jsign fails with this:

$ ./jsign.sh --keystore /home/vadim/etoken.cfg  --alias "X.509 Certificate for PIV Authentication" --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe
Adding Authenticode signature to nxproxy.exe
jsign: Couldn't sign nxproxy.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
    at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
    at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
    at net.jsign.SignerHelper.sign(SignerHelper.java:506)
    at net.jsign.JsignCLI.execute(JsignCLI.java:116)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
    ... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1303)
    at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1349)
    at java.base/java.security.Signature.initVerify(Signature.java:506)
    ... 11 more

Some research suggests one of these might be related:

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4953555
https://stackoverflow.com/questions/41534827/java-signature-object-no-installed-provider-supports-this-key-sun-security-rs

ebourg commented 2 years ago

Are you sure the code signing certificate is in the "X.509 Certificate for PIV Authentication" slot? Usually it's in the "X.509 Certificate for Digital Signature" slot. You can try this instead:

jsign --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe

Strangerxxx commented 2 years ago

Hello! I've got the same issue as @vatral. Did you solve it somehow?

Strangerxxx commented 2 years ago

@ebourg yes, I'm definitely sure that my certificate is in the "X.509 Certificate for PIV Authentication" slot

Strangerxxx commented 2 years ago

Even an upgrade to bouncycastle v1.70 did not help

devsibwarra commented 2 years ago

Getting the same error with Google Cloud and SSL.com EV cert. My command is

> java -jar jsign\jsign\target\jsign-4.1-SNAPSHOT.jar --storetype GOOGLECLOUD --storepass $env:JSIGN_STOREPASS --keystore $env:JSIGN_KEYSTORE --alias $env:JSIGN_ALIAS --certfile ./cert-bundle.pem --tsmode RFC3161 --tsaurl "http://ts.ssl.com" .\sign-test.exe
Adding Authenticode signature to .\sign-test.exe
jsign: Couldn't sign .\sign-test.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
        at net.jsign.SignerHelper.sign(SignerHelper.java:523)
        at net.jsign.JsignCLI.execute(JsignCLI.java:116)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
        ... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1138)
        at java.security.Signature$Delegate.engineInitVerify(Signature.java:1170)
        at java.security.Signature.initVerify(Signature.java:460)
        ... 11 more
Try `java -jar jsign.jar --help' for more information.

Versions

Really appreciate the work on jsign and any suggestions you might have!

devsibwarra commented 2 years ago

Following https://github.com/ebourg/jsign/issues/93#issuecomment-872050100 from another jsign issue, I was able to successfully sign the file with CodeSignTool, but do see the same problem reported in that issue ("No signature was present in the subject"). Happy to help test any jsign changes, as the cross-platform multi-service support would be ideal.

ebourg commented 2 years ago

@devsibwarra What's the order of the certificates in cert-bundle.pem?

devsibwarra commented 2 years ago

@devsibwarra What's the order of the certificates in cert-bundle.pem?

The bundle order is

Certificate[1]: company-cert
Certificate[2]: SSL.com EV Code Signing Intermediate CA RSA R3
Certificate[3]: SSL.com EV Root Certification Authority RSA R2
Certificate[4]: Certum Trusted Network CA

Strangerxxx commented 2 years ago

Finally fixed by resetting the YubiKey and reimporting the certificates from scratch

devsibwarra commented 2 years ago

@ebourg Turns out I was using the wrong certificate bundle for Google Cloud HSM.

If it helps add error handling, when I was trying to use the bad cert with osslsigncode, I was getting

Failed to checking the consistency of a private key: pkcs11:object=key
          with a public key in any X509 certificate: .\cert.pem

Creating a new signature failed
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0B080073:x509 certificate routines:X509_check_private_key:key type mismatch:../openssl-1.1.1m/crypto/x509/x509_cmp.c:306:
Failed

Using the correct cert bundle with jsign + google cloud hsm gives me a valid signed file 🥂

ebourg commented 2 years ago

Good to hear it works. I'll try to add more checks.

Spencer-Arbour commented 2 years ago

Hi, I am running into this issue when using Google Cloud and SSL.com. @devsibwarra, can you go into more detail about what fixed it for you? I don't understand what you mean by the correct cert bundle.

ebourg commented 1 year ago

I've checked the behavior of Jsign when the private key and the public key don't match:

There are two issues here:

ebourg commented 1 year ago

Jsign now displays an explicit error message when the private key and the certificate don't match
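The two failure modes in this thread (a certificate bundle whose first entry is not the signing certificate, and a private key that does not belong to the certificate) can both be caught before any signing is attempted. The following is an added example and not jsign's own code; it assumes a leaf-first PEM bundle like the one listed above, an unencrypted PKCS#8 software key for the stand-alone run, and the file names `cert-bundle.pem` and `key.pem` are placeholders. For an HSM or token key the same `keyMatchesCertificate` check applies to the `PrivateKey` object returned by the PKCS#11 provider; only the modulus shortcut is skipped because such keys are not extractable.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Added example (not part of jsign): pre-flight checks that a private key
// and a PEM certificate bundle are consistent before an Authenticode signature is made.
public class KeyCertConsistencyCheck {

    /** Parses every CERTIFICATE block of a PEM bundle, keeping file order (leaf is expected first). */
    static List<X509Certificate> loadBundle(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Loads an unencrypted PKCS#8 PEM private key (software key only; HSM keys come from their provider). */
    static PrivateKey loadPkcs8(Path pem, String algorithm) throws Exception {
        String body = Files.readString(pem)
                .replaceAll("-----BEGIN [A-Z ]*PRIVATE KEY-----", "")
                .replaceAll("-----END [A-Z ]*PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** True only if the private key produces a signature that the certificate's public key verifies. */
    static boolean keyMatchesCertificate(PrivateKey priv, X509Certificate cert) throws Exception {
        PublicKey pub = cert.getPublicKey();
        if (!priv.getAlgorithm().equals(pub.getAlgorithm())) {
            return false; // e.g. an EC key paired with an RSA certificate ("key type mismatch")
        }
        // Cheap structural check, only possible when the private key material is readable.
        if (priv instanceof RSAPrivateKey && pub instanceof RSAPublicKey) {
            if (!((RSAPrivateKey) priv).getModulus().equals(((RSAPublicKey) pub).getModulus())) {
                return false;
            }
        }
        // Definitive check: sign a constructed probe message and verify it with the certificate.
        String sigAlg = "RSA".equals(pub.getAlgorithm()) ? "SHA256withRSA" : "SHA256withECDSA";
        byte[] probe = "key/cert consistency probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(pub);
        verifier.update(probe);
        return verifier.verify(sig);
    }

    /** True if each certificate in the bundle is issued and signed by the one that follows it. */
    static boolean chainIsOrdered(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i);
            X509Certificate parent = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                return false; // wrong order, or a certificate from an unrelated chain
            }
            try {
                child.verify(parent.getPublicKey());
            } catch (Exception e) {
                return false; // names match but the signature does not
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadBundle(Path.of("cert-bundle.pem")); // placeholder path
        if (chain.isEmpty()) {
            throw new IllegalStateException("no CERTIFICATE block found in bundle");
        }
        System.out.println("bundle ordered leaf->root: " + chainIsOrdered(chain));
        PrivateKey key = loadPkcs8(Path.of("key.pem"), chain.get(0).getPublicKey().getAlgorithm()); // placeholder path
        System.out.println("key matches leaf certificate: " + keyMatchesCertificate(key, chain.get(0)));
    }
}
```

Running these checks first turns the opaque "No installed provider supports this key" failure deep inside the CMS verification step into a direct answer: either the bundle is not leaf-first, or the key in the token/HSM is not the one the certificate was issued for.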