Search code examples
androidkotlinbouncycastlekey-pair

X509v3CertificateBuilder: java.lang.IllegalArgumentException: cannot produce certificate signature

I'm creating a KeyPair and trying to create a X509Certificate with it (using BouncyCastle on Android), but running into the following error:

java.lang.IllegalArgumentException: cannot produce certificate signature
    at org.bouncycastle.cert.X509v3CertificateBuilder.build(Unknown Source:57)

Here's how I'm creating the KeyPair:

        val kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
        kpg.initialize(KeyGenParameterSpec.Builder(
                       "alias",
                        KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA512,
                        KeyProperties.DIGEST_NONE)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .setUserAuthenticationRequired(true)
                .build())
        return kpg.generateKeyPair()

And how I'm trying to generate the certificate:

        // replace the default BC implementation, and use:  implementation 'org.bouncycastle:bcpkix-jdk15on:1.64'
        Security.removeProvider("BC")
        val bc = BouncyCastleProvider()
        Security.insertProviderAt(bc, 1)

        val builder = JcaContentSignerBuilder("SHA256WithRSA")
        builder.setProvider("AndroidKeyStoreBCWorkaround")
        val certGen: X509v3CertificateBuilder = JcaX509v3CertificateBuilder(X500Name("name removed"),
                BigInteger.valueOf(SecureRandom().nextLong()),
                Date(),
                Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000),
                X500Name("Name removed"),
                keyPair.public)


        val contentSigner: ContentSigner = builder.build(keyPair.private)
        val certHolder = certGen.build(contentSigner) <- THE ERROR OCCURS HERE
        val cert = JcaX509CertificateConverter().getCertificate(certHolder)

The error occurs while calling X509v3CertificateBuilder' build() method, but the error message is not really helpful.

EDIT: Here is the full stacktrace:

E/AndroidRuntime: FATAL EXCEPTION: main
Process: com.example.app, PID: 31547
java.lang.IllegalArgumentException: cannot produce certificate signature
    at org.bouncycastle.cert.X509v3CertificateBuilder.build(Unknown Source:57)
    at com.example.app.Helper$Companion.createX509Certificate(Helper.kt:104)
    at com.example.app.Presenter.getLocalKeyPair(Presenter.kt:123)
    at com.example.app.Presenter$getKey$1.onComplete(Presenter.kt:109)
    at com.example.app.Manager$getKey$1.onResponse(Manager.kt:30)
    at retrofit2.DefaultCallAdapterFactory$ExecutorCallbackCall$1$1.run(DefaultCallAdapterFactory.java:83)
    at android.os.Handler.handleCallback(Handler.java:790)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loop(Looper.java:164)
    at android.app.ActivityThread.main(ActivityThread.java:6626)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:811)
Solution

  • After a few more hours I sorta found a solution for this issue.

    I was trying to debug everything that I was thinking of and I noticed that the contentSigner.signature was throwing an exception:

    android.security.KeyStoreException: Key user not authenticated

    This of course suggests that something is wrong with the biometric authentication. Changing:

    .setUserAuthenticationRequired(false)

    seems to make everything work fine.

    In the end I ended up using the following 2 lines:

    .setUserAuthenticationRequired(true)    
.setUserAuthenticationValidityDurationSeconds(100)

    which also works as expected.