ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0
250 stars, 107 forks

jca/jarsigner IllegalArgumentException with private and public algorithm mismatch when specifying algorithm in Google Cloud KMS keyalias #193

Closed davoustp closed 5 months ago

davoustp commented 5 months ago

Using the jsign JCA provider with Google Cloud KMS allows specifying both the crypto key version and the algorithm (here using an Elliptic Curve key, generated with the ec-sign-p256-sha256 key type):

jarsigner -J-classpath -Jjsign-5.1-SNAPSHOT.jar -J--add-modules -Jjava.sql \
  -providerClass net.jsign.jca.JsignJcaProvider \
  -providerArg "projects/${gcpproject}/locations/${gcpkmskeyringlocation}/keyRings/${gcpkmskeyringname}" \
  -keystore NONE \
  -storetype GOOGLECLOUD \
  -storepass "$(gcloud auth application-default print-access-token)" \
  -certchain "${gcpkmskeyname}.crt" \
  -tsa http://timestamp.digicert.com \
  "path/to/jar/file/to/sign" \
  "${gcpkmskeyname}/cryptoKeyVersions/1:EC"

leads to:

jarsigner error: java.lang.IllegalArgumentException: private key algorithm does not match algorithm of public key in end entity certificate (the 1st in certPath)

Analysis

This code is located at: https://github.com/ebourg/jsign/blob/93da678cb66ae36fa5c417c084676a48ef534e35/jsign-core/src/main/java/net/jsign/jca/GoogleCloudSigningService.java#L121-L124

Obviously, line 124 cannot work because the alias has already been stripped of the trailing :<sigalg> part by line 123.
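To make the ordering problem concrete, here is an added illustration (not jsign's own code; the class and method names are hypothetical): a parser that strips the ":<sigalg>" suffix before reading it, so the algorithm is always lost, beside one that reads the suffix first and then strips it.

```java
/** Parsed form of an alias such as "<key>/cryptoKeyVersions/1:EC" (hypothetical helper, not jsign code). */
final class KeyAlias {
    final String keyVersion;  // Cloud KMS key version path, without the ":<sigalg>" suffix
    final String algorithm;   // explicit algorithm from the suffix, or null when none was given

    KeyAlias(String keyVersion, String algorithm) {
        this.keyVersion = keyVersion;
        this.algorithm = algorithm;
    }
}

final class AliasParsing {
    /** Reproduces the ordering bug: the suffix is removed first, so the later check never sees it. */
    static KeyAlias parseBuggy(String alias) {
        String keyVersion = alias.contains(":") ? alias.substring(0, alias.indexOf(':')) : alias;
        String algorithm = null;
        if (keyVersion.contains(":")) {   // never true: the suffix is already gone
            algorithm = keyVersion.substring(keyVersion.indexOf(':') + 1);
        }
        return new KeyAlias(keyVersion, algorithm);
    }

    /** Reads the suffix first, then strips it, so "EC" reaches the signing service. */
    static KeyAlias parseFixed(String alias) {
        int sep = alias.indexOf(':');
        if (sep < 0) {
            return new KeyAlias(alias, null);   // no override requested; caller keeps its default
        }
        String algorithm = alias.substring(sep + 1).trim();
        if (algorithm.isEmpty()) {
            throw new IllegalArgumentException("empty algorithm suffix in alias: " + alias);
        }
        return new KeyAlias(alias.substring(0, sep), algorithm);
    }

    public static void main(String[] args) {
        // Constructed alias in the format used in the issue; "my-key" is a placeholder key name.
        String alias = "my-key/cryptoKeyVersions/1:EC";
        KeyAlias buggy = parseBuggy(alias);
        KeyAlias fixed = parseFixed(alias);
        System.out.println("buggy: keyVersion=" + buggy.keyVersion + " algorithm=" + buggy.algorithm);
        System.out.println("fixed: keyVersion=" + fixed.keyVersion + " algorithm=" + fixed.algorithm);
        // Failing here is cheaper than letting jarsigner report the key/certificate mismatch later.
        if (!"EC".equals(fixed.algorithm)) {
            throw new AssertionError("algorithm suffix was lost while parsing " + alias);
        }
    }
}
```

With the buggy parser the EC override silently disappears, which is why jarsigner later reports a private/public key algorithm mismatch against the EC certificate.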

davoustp commented 5 months ago

Pull request #194 submitted.

ebourg commented 5 months ago

Merged, well spotted, thanks!