Java APIs 1.X / BJA-275

org.bouncycastle.crypto.InvalidCipherTextException: unknown block type ==> better info why issuer signature is deemed invalid

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.46
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      sun-jdk1.5

      Description

      When I validate the certificate chain of this (admittedly corrupted) message, I get the error

      java.security.InvalidKeyException: Public key presented not for certificate signature
      at org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(X509CertificateObject.java:755)
      at org.bouncycastle.jce.provider.X509CertificateObject.verify(X509CertificateObject.java:718)
      at com.privasphere.privalope.security.pki.X509CertificatePSPH.verify(X509CertificatePSPH.java:431)
      at org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(CertPathValidatorUtilities.java:1397)
      at org.bouncycastle.x509.PKIXCertPathReviewer.checkSignatures(PKIXCertPathReviewer.java:871)
      at org.bouncycastle.x509.PKIXCertPathReviewer.doChecks(PKIXCertPathReviewer.java:366)
      at org.bouncycastle.x509.PKIXCertPathReviewer.getTrustAnchor(PKIXCertPathReviewer.java:295)

      When I step through it, I realise that the real reason is

      org.bouncycastle.crypto.InvalidCipherTextException: unknown block type
      org.bouncycastle.jce.provider.JDKDigestSignature$SHA1WithRSAEncryption(org.bouncycastle.jce.provider.JDKDigestSignature).engineVerify(byte[]) line: 169
      java.security.Signature$Delegate.engineVerify(byte[]) line: 1143
      java.security.Signature$Delegate(java.security.Signature).verify(byte[]) line: 597
      org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(java.security.PublicKey, java.security.Signature) line: 753
      org.bouncycastle.jce.provider.X509CertificateObject.verify(java.security.PublicKey, java.lang.String) line: 730
      ...X509Certificate.verify(java.security.PublicKey, java.lang.String)

      Questions/Suggestions:
      1) be more specific than "Public key presented not for certificate signature" - e.g. say that the key was an "RSA Public Key" and the signature was of type "JDKDigestSignature$SHA1WithRSAEncryption"
      2) in JDKDigestSignature.engineVerify(byte[] sigBytes), there are about 4 different reasons why it can fail - shouldn't we report to some degree why it happened?

      ... and finally the usual:
      3) why does this error happen? My Windows Vista doesn't appear to have a problem with that chain (once I trusted the root)

        Activity

        There are no comments yet on this issue.
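
An added example, not part of the report and not Bouncy Castle code: a stand-alone check that names which stage of an RSA PKCS#1 v1.5 signature verification fails, the kind of detail the report asks for. The class `SigDiag` and method `diagnose` are hypothetical names; it assumes SHA1withRSA as in the trace above and uses only JDK classes on constructed sample data.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class SigDiag {  // hypothetical helper, not part of Bouncy Castle
    // DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2)
    static final byte[] SHA1_PREFIX = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
            0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
    /** For a certificate, pass cert.getTBSCertificate() and cert.getSignature(). */
    static String diagnose(RSAPublicKey key, byte[] tbs, byte[] sig) throws GeneralSecurityException {
        BigInteger n = key.getModulus();
        int k = (n.bitLength() + 7) / 8;
        if (sig.length != k) return "signature is " + sig.length + " bytes, modulus is " + k;
        BigInteger s = new BigInteger(1, sig);
        if (s.compareTo(n) >= 0) return "signature value not below modulus (wrong key?)";
        // Raw RSA public operation, right-aligned into k bytes
        byte[] raw = s.modPow(key.getPublicExponent(), n).toByteArray();
        byte[] em = new byte[k];
        int len = Math.min(raw.length, k);
        System.arraycopy(raw, raw.length - len, em, k - len, len);
        if (em[0] != 0 || em[1] != 1)
            return String.format("not a type 1 block: starts %02x %02x (wrong key or corrupt signature)", em[0], em[1]);
        int i = 2;
        while (i < k && em[i] == (byte) 0xff) i++;  // skip the 0xff padding string
        if (i < 10 || i >= k || em[i] != 0) return "malformed 0xff padding";
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(tbs);
        byte[] expected = new byte[SHA1_PREFIX.length + hash.length];
        System.arraycopy(SHA1_PREFIX, 0, expected, 0, SHA1_PREFIX.length);
        System.arraycopy(hash, 0, expected, SHA1_PREFIX.length, hash.length);
        byte[] actual = Arrays.copyOfRange(em, i + 1, k);
        return Arrays.equals(actual, expected) ? "signature valid" : "DigestInfo/hash mismatch (data altered or other digest)";
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair issuer = g.generateKeyPair(), other = g.generateKeyPair();
        byte[] tbs = "constructed sample data".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(issuer.getPrivate());
        signer.update(tbs);
        byte[] sig = signer.sign();
        System.out.println(diagnose((RSAPublicKey) issuer.getPublic(), tbs, sig)); // correct key
        System.out.println(diagnose((RSAPublicKey) other.getPublic(), tbs, sig));  // unrelated key
        tbs[0] ^= 1;                                                               // altered data
        System.out.println(diagnose((RSAPublicKey) issuer.getPublic(), tbs, sig));
    }
}
```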

          People

          • Assignee:
            David Hook
            Reporter:
            Ralf Hauser