Spongycastle Signature.sign() returns null

Question

Using com.madgag.spongycastle:pkix:1.54.0.0 on Android 7.0

  byte[] testData = "test data".getBytes("UTF_8");
  Signature sign = Signature.getInstance("SHA256withRSA");
  sign.initSign(privateKey);
  sign.update(testData);
  byte[] signature = sign.sign();
  assert signature != null;

Assert would fail occasionally.

Any clue why/when sign() method can return null ?

Stacktraces:

(1) When trying to generate CSR

Caused by java.lang.NullPointerException: data cannot be null
       at org.spongycastle.asn1.ASN1BitString.(ASN1BitString.java:114)
       at org.spongycastle.asn1.DERBitString.(DERBitString.java:83)
       at org.spongycastle.asn1.DERBitString.(DERBitString.java:89)
       at org.spongycastle.pkcs.PKCS10CertificationRequestBuilder.build(PKCS10CertificationRequestBuilder.java:149)

(2) When trying to verify test signature

Caused by java.security.SignatureException: java.lang.NullPointerException: Attempt to get length of null array
       at com.android.org.conscrypt.OpenSSLSignature.engineVerify(OpenSSLSignature.java:258)
       at java.security.Signature$Delegate.engineVerify(Signature.java:1275)
       at java.security.Signature.verify(Signature.java:719)

As far as I can see there are no code paths that can return null. — President James K. Polk, Apr 19 '18 at 14:11
@JamesKPolk that's why it's so frustrated. I've attached stacktrace of observed crashes - maybe my original assumption about Signature.sign() wasn't valid and problem is elsewhere... — Oleksandr, Apr 19 '18 at 14:18
Ok, I'm a little confused here. The exceptions are something different, an exception won't cause `Signature.sign()` to return null. — President James K. Polk, Apr 19 '18 at 14:21
@JamesKPolk I mean that those exceptions are caused by Signature.sign() returning null — Oleksandr, Apr 19 '18 at 14:22
ah, ok. Well, as I said, I read through what I thought was the relevant Bouncycastle engine code and every code path either returns a non-null array or an exception is thrown. Perhaps I didn't read the correct code, or perhaps your example is not quite accurate (I assume this is abstracted from a much larger program), or perhaps it's something more mysterious like unsafe concurrency or even a bug somewhere outside of your code. — President James K. Polk, Apr 19 '18 at 14:28

Spongycastle Signature.sign() returns null

0 Answers0