[prev in list] [next in list] [prev in thread] [next in thread]
List: bouncycastle-crypto-dev
Subject: Re: [dev-crypto] Weird issue with creating certificate/generating CSR
From: Sai Pullabhotla <sai.pullabhotla () jmethods ! com>
Date: 2011-09-19 19:41:34
Message-ID: CAEdnNNFMTH=_O3k4wn-PcpVZAuoA0ZLSEVRuuzDLn_YxiUr3uw () mail ! gmail ! com
[Download RAW message or body]
Just in case if any one else runs into this, IBM has a fix for this issue.
Applying all latest fixes to the JRE made the issue disappear.
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ78398 Looks like this is
the fix info for Java on AIX.
Thanks for all your help.
Sai Pullabhotla
On Tue, Sep 13, 2011 at 5:44 PM, Sai Pullabhotla <
sai.pullabhotla@jmethods.com> wrote:
> Thanks for the reply, Martin.
>
> Querying the provider properties on the IBM JVM shows the following
> relevant properties:
>
> Alg.Alias.Signature.SHA256withRSA=SHA2withRSA
> Alg.Alias.Signature.2.16.840.1.101.3.4.2.1=SHA2withRSA
> Alg.Alias.Signature.OID.1.2.840.113549.1.1.11=SHA2withRSA
>
> Since I'm not an expert on how providers work and use the aliases... I
> would like some one to confirm that these 3 properties are not enough
> and are causing the issue. I would also like to know if there is a
> standard way to define/override provider specific properties by
> updating the java.security file. I searched and searched, but did not
> see any info on the web. I do know that some provider specific
> properties can be set using this file, but I do not know if the
> property names are provider specific. In other words, what I would
> like to know is if I want to set a new property for provider named, X,
> is there a standard syntax like X.MyProperty=My Value? or
> com.example.X.MyProperty=MyValue?
>
> I did not try updating the code yet (with your suggestion), because I
> do not know which provider is being used in a given JVM, considering
> the fact that our product runs on a variety of platforms and a variety
> of JVMs and some times customers update the security providers
> themselves (e.g. FIPS compliant JCE) etc. Perhaps, I need to first get
> a Signature object for the given algorithm, check which provider
> handled that request, and then update the provider properties with
> what you have suggested?
>
> Thanks for your assistance.
>
> Sai Pullabhotla
>
>
>
> On Tue, Sep 13, 2011 at 3:49 PM, martijn.list <martijn.list@gmail.com>
> wrote:
> > Perhaps the IBM JCE does not contain an alias for 1.2.840.113549.1.1.11?
> >
> > You might try to add the alias
> >
> > THE_DEFAULT_PROVIDER.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",
> > "SHA256WithRSAEncryption");
> >
> > and/or
> >
> > THE_DEFAULT_PROVIDER.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",
> > "SHA256WithRSA");
> >
> > the provider to add the aliases to should be the default provider used
> > by the IBM JCE.
> >
> > Hope this helps,
> >
> > Martijn Brinkers
> >
> >
> > On 09/13/2011 10:00 PM, Sai Pullabhotla wrote:
> > > Hello,
> > >
> > > We are currently using BC Provider version 1.3.8, but the issue below
> > > is still reproducible with the latest version, 1.4.6.
> > >
> > > Our application let's creation of X.509 certificates and generating
> > > CSR and importing CA replies. We use BC provider to perform some of
> > > these functions. Everything works fine under SUN/Oracle JVM, but we
> > > are facing an issue running under IBM JVM (both version 5.0 and 6.0).
> > > This is present in different operating systems (AIX, AS/400) all using
> > > IBM JRE.
> > >
> > > When we create a certificate, if we select the signing algorithm to be
> > > SHA256withRSA, SHA384withRSA or SHA512 with RSA...
> > >
> > > The certificate gets created, but when the certificate is displayed
> > > back, the Signing Algorithm Name is blank.
> > >
> > > To create the certificate, we use
> > > org.bouncycastle.x509.X509V1CertificateGenerator. We call the
> > > setSignatureAlgorithm(String) and pass SHA256withRSA as documented in
> > > the wiki.
> > >
> > > Ignoring the missing signature algorithm name, if we try to generate a
> > > CSR for this certificate (with missing signature algorithm name), we
> > > get the exception below:
> > >
> > > java.lang.IllegalArgumentException: Unknown signature type requested
> > >
> > > We use PKCS10CertificationRequest class from BC to generate the CSR
> > > and that is where the above exception originates from.
> > >
> > > When I print the raw certificate using
> > > System.out.println(Certificate)... It shows the following. Notice the
> > > third line, which shows OID for both name and OID.
> > >
> > > *****
> > > [
> > > [
> > > Version: V1
> > > Subject: CN=x, OU=x, O=x, L=x, ST=x, C=US, EMAILADDRESS=x
> > > Signature Algorithm: 1.2.840.113549.1.1.11, OID =
> > > 1.2.840.113549.1.1.11
> > >
> > > Key: IBMJCE RSA Public Key:
> > > modulus:
> > >
> 925104840318403765048344525090946395307104938086958825873669950235148073547881205336358345236723270111219305850785629471262450260
>
> > >
> 102870802313333771341354603433607756372488587032160023079083984868974433873445467603778739301218757227593596486259961402969952223
>
> > > 55003202050762680961103549434809958493292886441607
> > > public exponent:
> > > 65537
> > >
> > > Validity: [From: Fri Sep 09 16:55:58 CDT 2011,
> > > To: Tue Sep 09 00:00:00 CDT 2014]
> > >
> > > .... more (stripped off)
> > >
> > > *****
> > >
> > > If we select SHA1 as the signature algorithm everything works fine (on
> > > IBM JRE also), and the same 3rd line in the raw certificate looks good
> > > as shown below:
> > >
> > > Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> > >
> > > Again, using SUN's JVM we do not have any issues with any signature
> > > algorithm. Unlimited strength policy files are installed on all
> > > systems. I was wondering if any one else has noticed this behavior or
> > > has any clue on what is going on/how to get this to work.
> > >
> > > Your help is greatly appreciated. I would be glad to provide any
> > > additional information, if needed.
> > >
> > > Regards,
> > > Sai Pullabhotla
> > >
> > >
> >
> >
> > --
> > Djigzo open source email encryption
> >
>
[Attachment #3 (text/html)]
Just in case if any one else runs into this, IBM has a fix for this issue. Applying \
all latest fixes to the JRE made the issue disappear. <br><br><a \
href="http://www-01.ibm.com/support/docview.wss?uid=swg1IZ78398">http://www-01.ibm.com/support/docview.wss?uid=swg1IZ78398</a> \
Looks like this is the fix info for Java on AIX. <br> <br>Thanks for all your help. \
<br><br clear="all">Sai Pullabhotla<br> <br><br><div class="gmail_quote">On Tue, Sep \
13, 2011 at 5:44 PM, Sai Pullabhotla <span dir="ltr"><<a \
href="mailto:sai.pullabhotla@jmethods.com">sai.pullabhotla@jmethods.com</a>></span> \
wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px \
#ccc solid;padding-left:1ex;"> Thanks for the reply, Martin.<br>
<br>
Querying the provider properties on the IBM JVM shows the following<br>
relevant properties:<br>
<br>
Alg.Alias.Signature.SHA256withRSA=SHA2withRSA<br>
Alg.Alias.Signature.2.16.840.1.101.3.4.2.1=SHA2withRSA<br>
Alg.Alias.Signature.OID.1.2.840.113549.1.1.11=SHA2withRSA<br>
<br>
Since I'm not an expert on how providers work and use the aliases... I<br>
would like some one to confirm that these 3 properties are not enough<br>
and are causing the issue. I would also like to know if there is a<br>
standard way to define/override provider specific properties by<br>
updating the java.security file. I searched and searched, but did not<br>
see any info on the web. I do know that some provider specific<br>
properties can be set using this file, but I do not know if the<br>
property names are provider specific. In other words, what I would<br>
like to know is if I want to set a new property for provider named, X,<br>
is there a standard syntax like X.MyProperty=My Value? or<br>
com.example.X.MyProperty=MyValue?<br>
<br>
I did not try updating the code yet (with your suggestion), because I<br>
do not know which provider is being used in a given JVM, considering<br>
the fact that our product runs on a variety of platforms and a variety<br>
of JVMs and some times customers update the security providers<br>
themselves (e.g. FIPS compliant JCE) etc. Perhaps, I need to first get<br>
a Signature object for the given algorithm, check which provider<br>
handled that request, and then update the provider properties with<br>
what you have suggested?<br>
<br>
Thanks for your assistance.<br>
<font color="#888888"><br>
Sai Pullabhotla<br>
</font><div><div></div><div class="h5"><br>
<br>
<br>
On Tue, Sep 13, 2011 at 3:49 PM, martijn.list <<a \
href="mailto:martijn.list@gmail.com">martijn.list@gmail.com</a>> wrote:<br> > \
Perhaps the IBM JCE does not contain an alias for 1.2.840.113549.1.1.11?<br> ><br>
> You might try to add the alias<br>
><br>
> THE_DEFAULT_PROVIDER.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",<br>
> "SHA256WithRSAEncryption");<br>
><br>
> and/or<br>
><br>
> THE_DEFAULT_PROVIDER.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",<br>
> "SHA256WithRSA");<br>
><br>
> the provider to add the aliases to should be the default provider used<br>
> by the IBM JCE.<br>
><br>
> Hope this helps,<br>
><br>
> Martijn Brinkers<br>
><br>
><br>
> On 09/13/2011 10:00 PM, Sai Pullabhotla wrote:<br>
>> Hello,<br>
>><br>
>> We are currently using BC Provider version 1.3.8, but the issue below<br>
>> is still reproducible with the latest version, 1.4.6.<br>
>><br>
>> Our application let's creation of X.509 certificates and generating<br>
>> CSR and importing CA replies. We use BC provider to perform some of<br>
>> these functions. Everything works fine under SUN/Oracle JVM, but we<br>
>> are facing an issue running under IBM JVM (both version 5.0 and 6.0).<br>
>> This is present in different operating systems (AIX, AS/400) all using<br>
>> IBM JRE.<br>
>><br>
>> When we create a certificate, if we select the signing algorithm to be<br>
>> SHA256withRSA, SHA384withRSA or SHA512 with RSA...<br>
>><br>
>> The certificate gets created, but when the certificate is displayed<br>
>> back, the Signing Algorithm Name is blank.<br>
>><br>
>> To create the certificate, we use<br>
>> org.bouncycastle.x509.X509V1CertificateGenerator. We call the<br>
>> setSignatureAlgorithm(String) and pass SHA256withRSA as documented in<br>
>> the wiki.<br>
>><br>
>> Ignoring the missing signature algorithm name, if we try to generate a<br>
>> CSR for this certificate (with missing signature algorithm name), we<br>
>> get the exception below:<br>
>><br>
>> java.lang.IllegalArgumentException: Unknown signature type requested<br>
>><br>
>> We use PKCS10CertificationRequest class from BC to generate the CSR<br>
>> and that is where the above exception originates from.<br>
>><br>
>> When I print the raw certificate using<br>
>> System.out.println(Certificate)... It shows the following. Notice the<br>
>> third line, which shows OID for both name and OID.<br>
>><br>
>> *****<br>
>> [<br>
>> [<br>
>> Version: V1<br>
>> Subject: CN=x, OU=x, O=x, L=x, ST=x, C=US, EMAILADDRESS=x<br>
>> Signature Algorithm: 1.2.840.113549.1.1.11, OID =<br>
>> 1.2.840.113549.1.1.11<br>
>><br>
>> Key: IBMJCE RSA Public Key:<br>
>> modulus:<br>
>> 925104840318403765048344525090946395307104938086958825873669950235148073547881205336358345236723270111219305850785629471262450260<br>
>> 102870802313333771341354603433607756372488587032160023079083984868974433873445467603778739301218757227593596486259961402969952223<br>
>> 55003202050762680961103549434809958493292886441607<br>
>> public exponent:<br>
>> 65537<br>
>><br>
>> Validity: [From: Fri Sep 09 16:55:58 CDT 2011,<br>
>> To: Tue Sep 09 00:00:00 CDT 2014]<br>
>><br>
>> .... more (stripped off)<br>
>><br>
>> *****<br>
>><br>
>> If we select SHA1 as the signature algorithm everything works fine (on<br>
>> IBM JRE also), and the same 3rd line in the raw certificate looks good<br>
>> as shown below:<br>
>><br>
>> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5<br>
>><br>
>> Again, using SUN's JVM we do not have any issues with any signature<br>
>> algorithm. Unlimited strength policy files are installed on all<br>
>> systems. I was wondering if any one else has noticed this behavior or<br>
>> has any clue on what is going on/how to get this to work.<br>
>><br>
>> Your help is greatly appreciated. I would be glad to provide any<br>
>> additional information, if needed.<br>
>><br>
>> Regards,<br>
>> Sai Pullabhotla<br>
>><br>
>><br>
><br>
><br>
> --<br>
> Djigzo open source email encryption<br>
><br>
</div></div></blockquote></div><br>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic