views:

232

answers:

1

I am trying to sign some X509 certificates. My root private key is an ECDSA secp384r1. I am using bouncy castle. What seems to happen is that when generating the certificate signature, the Signature class used is unable to understand my ECDSA key.

The code that generates is as follows:

    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    v3CertGen.setSerialNumber(BigInteger.valueOf(serialNumber));
    v3CertGen.setIssuerDN(issuerPrincipal);
    v3CertGen.setNotBefore(notBefore);
    v3CertGen.setNotAfter(notAfter);
    v3CertGen.setSubjectDN(subjectDN);
    v3CertGen.setPublicKey(publicKey);
    v3CertGen.setSignatureAlgorithm(CERT_SIGNATURE_ALGORITHM); // this is ECDSAWITHSHA1
    X509Certificate cert = v3CertGen.generate(privateKey, BOUNCY_CASTLE_PROVIDER); // "BC"

The output from this is:

java.security.InvalidKeyException: can't identify DSA private key.
    at org.bouncycastle.jce.provider.DSAUtil.generatePrivateKeyParameter(Unknown Source)
    at org.bouncycastle.jce.provider.JDKDSASigner.engineInitSign(Unknown Source)
    at java.security.Signature.initSign(Signature.java:480)
    at org.bouncycastle.x509.X509Util.calculateSignature(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at org.bouncycastle.x509.X509V3CertificateGenerator.generate(Unknown Source)
    at com.snip.utils.CertificateUtility.generateAndSignCertificate(CertificateUtility.java:147)

By reading bouncycastle source code, I've traced this issue and reproduce it with the following code snippet:

Signature sig = Signature.getInstance(CERT_SIGNATURE_ALGORITHM, BOUNCY_CASTLE_PROVIDER);
System.out.println(sig.getAlgorithm());
System.out.println(sig.toString());
System.out.println(sig.getClass().getName());
try
{
    sig.initSign(privateKey);
    System.out.println(sig.toString());
} catch (Exception e) {
    e.printStackTrace();
}

which produces the output:

SHA1withECDSA
Signature object: SHA1withECDSA<not initialized>
org.bouncycastle.jce.provider.JDKDSASigner$ecDSA
java.security.InvalidKeyException: can't identify DSA private key.
        at org.bouncycastle.jce.provider.DSAUtil.generatePrivateKeyParameter(Unknown Source)
        at org.bouncycastle.jce.provider.JDKDSASigner.engineInitSign(Unknown Source)
        at java.security.Signature.initSign(Signature.java:480)
        at com.snip.utils.CertificateUtility.<init>(CertificateUtility.java:99)

The problem is that I am completely lost at this point. I don't know how to make the certificate generator give me a signed certificate. Does anyone have any idea of what I am doing wrong?

A: 

I've traced it down to some old jars which had not been deleted from the POM and which cause the wrong version of Bouncycastle classed to be used.

laura