cert path validation with CRL checking enabled fails, sigProvider is always null about xades4j HOT 13 CLOSED

May I request that this issue be raised above Medium. This is the most 
important issue for us at the moment.

I have attached a sample application that reproduces this problem. If you call 
the batch file doit.cmd without an argument, it will run the class without a 
provider and the signature will be created correctly. If you run the batch file 
with an argument like this: doit.cmd BC,  it will create the KeyStores and 
CertStores with that JCE provider and the signature will fail. You will need to 
download the BouncyCastle jar from 
http://www.bouncycastle.org/latest_releases.html

When running your app with the BC provider I'm getting an InvalidKeyException 
(illegal key size). Here's the stack trace:

Exception in thread "main" java.io.IOException: exception unwrapping private 
key - java.security.InvalidKeyException: Illegal key size
        at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.unwrapKey(Unknown Source)
        at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at Issue16.main(Issue16.java:55)

Do you have any quick hint on this? Some problem with the .p12 keystore? I'll 
look into it later, and possibly create a test for this scenario (using the BC 
provider).

Did you install the Unlimited Strength Jurisdiction Policy Files?

I hadn't installed the files, thanks! It now behaves as you described. 

I made some tests and couldn't figure out the requirements in terms of 
providers yet. I tried different combinations of providers (on the different 
JCE components in use) and the problem only seems to come up when the provider 
of the CertificateFactory (for the CRL's) is BC and the cert path builder is 
SUN's. If BC's cert path builder is used, the problem never comes up, even if 
everything else is using SUN's provider. I can't really tell that whether it's 
working because of the BC provider.. I need to go further on the cert path 
building steps.

You mentioned Signature.getInstance(alg, null)..you're referring to somewhere 
in the PKIXCertPathBuilder code?

You can put a breakpoint on Signature.getInstance to see where it is being 
called. My guess is it will be called by the CertPathBuilder when verifying the 
Issuer signature in a certificate.

Have you tried hard-coding the Signature provider in the PKIX parameters just 
to see if that makes it work with the SUN CertPathBuilder?

This bug is not asking you to debug why the Sun cert path builder is not 
working with BC. I believe all you have to do is expose a parameter for the 
Signature provider. You should also show how users could choose the 
CertPathBuilder provider. This way a user could choose to use BC everywhere and 
have a consistent environment.

I was looking into provider combinations to try to figure out if I could use 
some of the supplied providers (e.g. from the trust anchors key store) to get 
the CertPathBuilder. But the best solution probably is to just allow the 
provider configuration, as you suggested.

You mentioned the CertPathBuilder provider.. do you suggest adding another 
parameter for this?  

I'm starting to wonder if a more centralized way to define providers would be 
useful, also considering issue 19. Maybe something per engine class. But it 
seems overkill and might not be easy to make that config available on xades4j 
providers such as PKIXCertificateValidationProvider.

Just for reference, the problem seems to be that SUN's X509CRL implementation 
checks for null provider argument on verify(PublicKey k, String sigProvider) 
and calls the appropriate Signature.getInstance overload, while BC's doesn't.

On Feb 29 2012, I sent an email on the BouncyCastle mailing list to report the 
bug in X509CRLObject.verify() when it calls 
Signature.getInstance(String,String) with null in the second argument. It 
should improve things if they fix their bug, though it is still important to 
allow the configuration of the JCE provider in XAdES4J.

I agree. The XAdES4j providers that use JCE have been updated to include 
constructor arguments to specify the JCE provider. Maybe in the future a wider 
configuration of JCE providers could be considered.