X509v3CertificateBuilder:java.lang.IllegalArgumentException:无法生成证书签名

X509v3CertificateBuilder: java.lang.IllegalArgumentException: cannot produce certificate signature

我正在创建一个 KeyPair 并试图用它创建一个 X509Certificate(在 Android 上使用 BouncyCastle),但是 运行 出现以下错误:

java.lang.IllegalArgumentException: cannot produce certificate signature
    at org.bouncycastle.cert.X509v3CertificateBuilder.build(Unknown Source:57)

我是这样创建 KeyPair:

        val kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
        kpg.initialize(KeyGenParameterSpec.Builder(
                       "alias",
                        KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256,
                        KeyProperties.DIGEST_SHA512,
                        KeyProperties.DIGEST_NONE)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .setUserAuthenticationRequired(true)
                .build())
        return kpg.generateKeyPair()

以及我如何尝试生成证书:

        // replace the default BC implementation, and use:  implementation 'org.bouncycastle:bcpkix-jdk15on:1.64'
        Security.removeProvider("BC")
        val bc = BouncyCastleProvider()
        Security.insertProviderAt(bc, 1)

        val builder = JcaContentSignerBuilder("SHA256WithRSA")
        builder.setProvider("AndroidKeyStoreBCWorkaround")
        val certGen: X509v3CertificateBuilder = JcaX509v3CertificateBuilder(X500Name("name removed"),
                BigInteger.valueOf(SecureRandom().nextLong()),
                Date(),
                Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000),
                X500Name("Name removed"),
                keyPair.public)


        val contentSigner: ContentSigner = builder.build(keyPair.private)
        val certHolder = certGen.build(contentSigner) <- THE ERROR OCCURS HERE
        val cert = JcaX509CertificateConverter().getCertificate(certHolder)

调用 X509v3CertificateBuilder' build() 方法时发生错误,但错误消息并没有太大帮助。

编辑:这是完整的堆栈跟踪:

E/AndroidRuntime: FATAL EXCEPTION: main
Process: com.example.app, PID: 31547
java.lang.IllegalArgumentException: cannot produce certificate signature
    at org.bouncycastle.cert.X509v3CertificateBuilder.build(Unknown Source:57)
    at com.example.app.Helper$Companion.createX509Certificate(Helper.kt:104)
    at com.example.app.Presenter.getLocalKeyPair(Presenter.kt:123)
    at com.example.app.Presenter$getKey.onComplete(Presenter.kt:109)
    at com.example.app.Manager$getKey.onResponse(Manager.kt:30)
    at retrofit2.DefaultCallAdapterFactory$ExecutorCallbackCall.run(DefaultCallAdapterFactory.java:83)
    at android.os.Handler.handleCallback(Handler.java:790)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loop(Looper.java:164)
    at android.app.ActivityThread.main(ActivityThread.java:6626)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:811)

几个小时后,我找到了解决这个问题的方法。

我试图调试我想到的一切,我注意到 contentSigner.signature 抛出异常:

android.security.KeyStoreException: Key user not authenticated

这当然表明生物认证有问题。变化:

.setUserAuthenticationRequired(false)

似乎一切正常。

最后我使用了以下两行:

.setUserAuthenticationRequired(true)    
.setUserAuthenticationValidityDurationSeconds(100)

这也符合预期。