Pin JCE KeyFactory lookups to wolfJCE and accept opaque CRT-encoded RSA keys

[cconlon]

This PR fixes two issues that show up when a non-wolfSSL JCE Provider is registered above wolfJCE in the Provider list and returns RSA/EC/DH keys that wolfCrypt cannot consume directly.

• Route internal KeyFactory.getInstance("RSA"|"EC"|"DH") lookups in WolfCryptKeyPairGenerator and WolfSSLKeyStore through a new WolfCryptUtil.getKeyFactoryPreferWolfJCE() helper that prefers wolfJCE by name (so generated/loaded keys retain CRT parameters and full encodings regardless of Provider priority order), and falls back to default Provider lookup in builds where wolfJCE does not register that KeyFactory (e.g. KeyFactory.RSA when !WOLFSSL_PUBLIC_MP).
• In the RSASSA-PSS branch of WolfCryptKeyPairGenerator, only use the PSS KeyFactory output when it preserves RSAPrivateCrtKey, and broaden the fallback to also catch InvalidKeySpecException and ClassCastException so a non-wolfSSL PSS factory cannot fail key generation.
• Relax WolfCryptSignature.engineInitSign() to accept an RSAPrivateKey that does not implement RSAPrivateCrtKey as long as its PKCS#8 encoding still contains the CRT components.

Additional unit tests are added here to cover these changes, including:

• Add MockNonCrtProvider test helper and JUnit tests in WolfCryptKeyPairGeneratorTest, WolfSSLKeyStoreTest, and WolfCryptSignatureTest covering RSA, RSASSA-PSS, EC, and DH paths under a degraded higher-priority Provider.

ZD 21784

[Copilot]

Pull request overview

Pins several internal KeyFactory.getInstance(...) lookups to the wolfJCE provider to avoid degraded key material when other JCE providers have higher priority, and relaxes RSA signing initialization to accept non-RSAPrivateCrtKey inputs when the PKCS#8 encoding still contains CRT components.

Changes:

• Pin RSA/EC/DH KeyFactory usage in WolfCryptKeyPairGenerator and RSA/EC in WolfSSLKeyStore to "wolfJCE" to avoid higher-priority provider interference.
• Update WolfCryptSignature.engineInitSign() to attempt native import for non-CRT-typed RSA keys and produce clearer CRT-specific failures only when import fails.
• Add MockNonCrtProvider plus new unit tests covering RSA/RSASSA-PSS/EC/DH and keystore/signature behavior under a degraded higher-priority provider.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/main/java/com/wolfssl/provider/jce/WolfCryptKeyPairGenerator.java	Pins RSA/EC/DH KeyFactory lookups to wolfJCE; adjusts RSASSA-PSS fallback behavior.
src/main/java/com/wolfssl/provider/jce/WolfSSLKeyStore.java	Pins RSA/EC key reconstruction KeyFactory lookups to wolfJCE.
src/main/java/com/wolfssl/provider/jce/WolfCryptSignature.java	Relaxes RSA initSign acceptance; improves error mapping when native import fails.
src/test/java/com/wolfssl/provider/jce/test/MockNonCrtProvider.java	Adds a test-only provider that returns intentionally degraded RSA/EC/DH keys.
src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java	Adds tests verifying generated keys remain usable under a degraded higher-priority provider.
src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java	Adds tests ensuring WKS load/getKey remains correct under a degraded higher-priority provider.
src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java	Adds tests for accepting opaque/non-CRT-typed RSA keys with CRT-containing encodings and provider-priority scenarios.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #215

Scan targets checked: wolfcrypt-jni-bugs, wolfcrypt-jni-src

No new issues found in the changed files. ✅