Remove call to Signature.getProvider() in debug log

[narras-oss]

The debug log message makes a call to Signature.getProvider() too early.
This causes Signature.chooseFirstProvider() to be called which matches the first provider always rather than the correct provider based on PrivateKey.getAlgorithm() when there are multiple providers.
This debug log was changed in this commit and introduced the issue: 1f48918
Added unit test cases with fake provider

[narras-oss]

@coheigea and @seanjmullan We are unable to upgrade to 3.0.3 or 4.0.0 to get the fix for CVE-2023-44483 because of this issue. Appreciate your attention to this pull request.

[seanjmullan]

Sorry for the delay. I will take a look now.

[coheigea]

Backmerging to 3.0.x as well.

[narras-oss]

@coheigea Is there an ETA for next release ? We are unable to upgrade to latest version to get the CVE fix until this fix included (other than copy-pasting this class into our application to override it)

[coheigea]

@narras-oss What release do you specifically need a fix in?

[narras-oss]

This particular pull request (which is merged) is what I am referring to as the fix, either 3.0.4 or 4.0.1 (next release) would work.

[coheigea]

I'm calling a vote on 4.0.1 today with the fix

[coheigea]

4.0.1 is in maven central now

[ivassile]

@coheigea Do you have ETA when 2.3.5 will be tagged? We have to upgrade to this version to resolve the issue. Thanks!

[coheigea]

@ivassile A release vote is now under way on the dev list, please follow that.