From b23d1bc5ac6b9a8ca0155b951277bc0c0ba58cdd Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
Date: Thu, 25 Jan 2024 14:41:18 +0100
Subject: [PATCH] chore: add BouncyCastle provider to JWSSigner and JWSVerifier (#3804)
---
 .../security/token/jwt/CryptoConverter.java | 19 +++++++++++++++++--
 .../token/jwt/CryptoConverterTest.java | 9 +++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/extensions/common/crypto/crypto-common/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java b/extensions/common/crypto/crypto-common/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java
index d1c85fe5739..e7f81a0fe46 100644
--- a/extensions/common/crypto/crypto-common/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java
+++ b/extensions/common/crypto/crypto-common/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java
@@ -25,6 +25,7 @@
 import com.nimbusds.jose.crypto.Ed25519Verifier;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWK;
@@ -101,7 +102,7 @@ private static String notSupportedError(String algorithm) {
 public static JWSSigner createSignerFor(PrivateKey key) {
 try {
 return switch (key.getAlgorithm()) {
- case ALGORITHM_EC -> new ECDSASigner((ECPrivateKey) key);
+ case ALGORITHM_EC -> getEcdsaSigner((ECPrivateKey) key);
 case ALGORITHM_RSA -> new RSASSASigner(key);
 case ALGORITHM_ECDSA, ALGORITHM_ED25519 -> createEdDsaVerifier(key);
 default -> throw new IllegalArgumentException(notSupportedError(key.getAlgorithm()));
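Review bot: Only the `ALGORITHM_EC` branch of `createSignerFor` is routed through a helper that pins a JCA provider; the `ALGORITHM_RSA` branch still builds `new RSASSASigner(key)` with whatever provider the JVM selects, so which implementation produces the signature now depends on the key type, while the commit title reads as if every signer were covered. If the split is intended, I would state it next to the switch, e.g. `// EC only: ECDSA is delegated to BouncyCastle; the other branches keep their existing provider`. The same applies to the `ALGORITHM_EC` branch of `createVerifierFor` in the `-129,7` hunk. The switch and the rest of the `try` block continue outside this hunk.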
@@ -111,6 +112,13 @@ public static JWSSigner createSignerFor(PrivateKey key) {
 }
 }
 
+ @NotNull
+ private static ECDSASigner getEcdsaSigner(ECPrivateKey key) throws JOSEException {
+ var signer = new ECDSASigner(key);
+ signer.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
+ return signer;
+ }
+
 /**
 * Takes a Java {@link PublicKey} object and creates a corresponding Nimbus {@link JWSVerifier} for convenient use with JWTs.
 * Note that currently only the following key types are supported:
@@ -129,7 +137,7 @@ public static JWSSigner createSignerFor(PrivateKey key) {
 public static JWSVerifier createVerifierFor(PublicKey publicKey) {
 try {
 return switch (publicKey.getAlgorithm()) {
- case ALGORITHM_EC -> new ECDSAVerifier((ECPublicKey) publicKey);
+ case ALGORITHM_EC -> getEcdsaVerifier((ECPublicKey) publicKey);
 case ALGORITHM_RSA -> new RSASSAVerifier((RSAPublicKey) publicKey);
 case ALGORITHM_ECDSA, ALGORITHM_ED25519 -> createEdDsaVerifier(publicKey);
 default -> throw new IllegalArgumentException(notSupportedError(publicKey.getAlgorithm()));
@@ -139,6 +147,13 @@ public static JWSVerifier createVerifierFor(PublicKey publicKey) {
 }
 }
 
+ @NotNull
+ private static ECDSAVerifier getEcdsaVerifier(ECPublicKey publicKey) throws JOSEException {
+ var verifier = new ECDSAVerifier(publicKey);
+ verifier.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
+ return verifier;
+ }
+
 /**
 * Converts a Java {@link KeyPair} into its JWK counterpart from Nimbus. Currently, only RSA, EC and EdDSA keys are supported, specifically:
 *
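Review bot: `getEcdsaSigner` overrides the JCA provider without a comment saying why, and it introduces a failure mode that the declared `throws JOSEException` does not describe: as far as I know Nimbus declares BouncyCastle as an optional dependency, so with the BouncyCastle jar missing at runtime `BouncyCastleProviderSingleton.getInstance()` would fail with a `NoClassDefFoundError` instead. No build file is part of this patch, so I assume the dependency is already declared for crypto-common; that is worth confirming. I would add a Javadoc line such as `/** Creates an ECDSA signer backed by the BouncyCastle provider; requires BouncyCastle on the runtime classpath. */` together with the reason the default provider is not used. `getEcdsaVerifier` in the `-139,6` hunk needs the same comment, and since both helpers construct a new object, `createEcdsaSigner` / `createEcdsaVerifier` would match the existing `createEdDsaVerifier` naming.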