I had used this code for years to produce a CMS signature:
JcaContentSignerBuilder cb = new JcaContentSignerBuilder(Algorithms.getSignature(cert.getPublicKey(), algoid));
if (provider != null)
cb.setProvider(provider);
gen.addSignerInfoGenerator(bld.build(cb.build(key), cert));
in a specific instance I was using a PrivateKey from my own provider (which the key correctly contains), but recently upgrading to BC 1.85 broke this signature:
Caused by: org.bouncycastle.operator.RuntimeOperatorException: exception obtaining signature: java.lang.NullPointerException
at myproj.war//org.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
at myproj.war//org.bouncycastle.operator.jcajce.JcaContentSignerBuilder$3.getSignature(Unknown Source)
at myproj.war//org.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
at myproj.war//org.bouncycastle.cms.CMSSignedDataGenerator.generateSignerInfo(Unknown Source)
at myproj.war//org.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
Caused by: java.security.SignatureException: java.lang.NullPointerException
at myproj.war//org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineSign(Unknown Source)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1404)
at java.base/java.security.Signature.sign(Signature.java:713)
As you can see the signature gets attempted using BC as a provider, not the provider of the key.
I'm not sure it was ever okay, but it was working fine up until recently.
Now it only works if I correctly specify the specific provider.
This might either be a bug/regression, or something to write in the release notes (when #2355 gets closed) as a HEADSUP for users.
I had used this code for years to produce a CMS signature:
in a specific instance I was using a PrivateKey from my own provider (which the key correctly contains), but recently upgrading to BC 1.85 broke this signature:
As you can see the signature gets attempted using BC as a provider, not the provider of the key.
I'm not sure it was ever okay, but it was working fine up until recently.
Now it only works if I correctly specify the specific provider.
This might either be a bug/regression, or something to write in the release notes (when #2355 gets closed) as a HEADSUP for users.