Problems sign XML with java 8u121 in windows

Question

I have signed a XML document with java 8 without problems, until I upgrade to the Java 8u121 version, the code is:

    String xml_entrada = "D:\\CeslySoft\\Ivap_facturador\\CPE\\FirmaXML\\Schema-20480510144-RC-20170327-0001.xml";
    String xml_salida  = "D:\\CeslySoft\\Ivap_facturador\\CPE\\FirmaXML\\20480510144-RC-20170327-0001.xml";
    String certi_digital = "D:\\CeslySoft\\Ivap_facturador\\Certificados\\molchiclayo1.jks";        
    String clave = "9ghi0nmbR0ft";
    String alias = "1"; 
    String tipodoc = "09";      

    int indice = (tipodoc.equals("09")? 0: 1);      
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
    Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA1,null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null,null);     
    SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, 
            (C14NMethodParameterSpec) null), 
            fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
            Collections.singletonList(ref));

    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(certi_digital), clave.toCharArray());
    KeyStore.PrivateKeyEntry keyEntry 
        = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(clave.toCharArray()));

    X509Certificate cert = (X509Certificate) keyEntry.getCertificate();

    KeyInfoFactory kif = fac.getKeyInfoFactory();
    List<Object> x509content = new ArrayList<>();
    x509content.add(cert.getSubjectX500Principal().getName());
    x509content.add(cert);      
    X509Data xd = kif.newX509Data(x509content);
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);        
    //Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(xml_entrada));
    InputSource is = new InputSource(new InputStreamReader(new FileInputStream(xml_entrada), "ISO-8859-1"));
    Document doc = dbf.newDocumentBuilder().parse(is);

    Node nodePadre = doc.getElementsByTagName("ext:ExtensionContent").item(indice);     
    nodePadre.getNodeValue();
    DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(), nodePadre);

    XMLSignature signature = fac.newXMLSignature(si, ki, null, "SignatureSP", null);
    signature.sign(dsc);

    OutputStream os = new FileOutputStream(xml_salida);
    TransformerFactory tf = TransformerFactory.newInstance();
    Transformer trans = tf.newTransformer();
    trans.setOutputProperty(OutputKeys.ENCODING, "ISO-8859-1");

    trans.transform(new DOMSource(doc), new StreamResult(os));      

The error is in the line of code:

   signature.sign(dsc)

The error is:

javax.xml.crypto.XMLSignatureException: java.security.InvalidKeyException: Invalid RSA private key

......

With versions prior to Java 8u121, do not occur nothing errors.

Answer 1

This is a bug caused due to the fix made in JDK 8u121 (http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html ) "More checks added to DER encoding parsing code More checks are added to the DER encoding parsing code to catch various encoding errors. In addition, signatures which contain constructed indefinite length encoding will now lead to IOException during parsing. Note that signatures generated using JDK default providers are not affected by this change. JDK-8168714 (not public) "

This has been fixed already with JDK-8175251(https://bugs.openjdk.java.net/browse/JDK-8175251 ) , which will be available in the next JDK update. The fix is already there in JDK 8u152, the early access version of which can be downloaded from https://jdk8.java.net/download.html