[prev in list] [next in list] [prev in thread] [next in thread]
List: bouncycastle-crypto-dev
Subject: RE: [dev-crypto] OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - No
From: "Sabalpara, Mrugesh" <mrugesh_sabalpara () mcafee ! com>
Date: 2019-02-26 6:26:37
Message-ID: MWHPR1601MB1136B5DEBDE6CDE38A7E5687EF7B0 () MWHPR1601MB1136 ! namprd16 ! prod ! outlook ! com
[Download RAW message or body]
[Attachment #2 (text/plain)]
Hi David,
We are using bc-fips-1.0.1.jar & bcpkix-fips-1.0.1.jar. We don't use bcprov.jar file.
Will it work with current jars ?
Regards,
Mrugesh
From: David Hook <dgh@cryptoworkshop.com>
Sent: Tuesday, February 26, 2019 11:46 AM
To: Sabalpara, Mrugesh <mrugesh_sabalpara@mcafee.com>; dev-crypto@bouncycastle.org
Subject: Re: [dev-crypto] OCSP - unable to verify with algorithm SHA256WithRSA signed \
server certificate - NoSuchAlgorithmException from "BCFIPS" provider
CAUTION: External email. Do not click links or open attachments unless you recognize \
the sender and know the content is safe.
________________________________
Hi Mrugesh,
The algorithm is definitely supported. I suspect something else might be going on - \
the bcprov jar isn't in the class path as well is it?
Thanks,
David
On 25/2/19 11:41 pm, Sabalpara, Mrugesh wrote:
Hi,
Facing an issue may be known and can straight forward for you☺
I recently start working with bc-fips-1.0.1.jar and tangled in a situation - OCSP \
validation with certificate signing signature SHA256WithRSA algorithm.
NOTE: - Referring to :- https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf \
[Example 55 – Creating an OCSP Request & Example 56 – Creating an OCSP Response]
Server provides certificate with signature algorithm SHA256WithRSA. Hence passing \
SHA256WithRSA to fetch DigestCalculatorProvider to get digest and generate CertID \
while creating OCSP request, which returned "NoSuchAlgorithmException" exception.
When I saw "No such algorithm exception for SHA256WithRSA", tried to add it as below \
:-
public static BouncyCastleFipsProvider bc = null;
static {
bc = new BouncyCastleFipsProvider();
bc.put("SHA256WITHRSA",PKCSObjectIdentifiers.sha256WithRSAEncryption);
Security.addProvider(bc);
}
Set "bc" object as provider, to validate server certificate in OCSPRequest and \
OCSPResponse method.
In OCSPRequest method:-
I used AlgorithmIdentifier to get required algorithm and set into
{
…
DigestCalculatorProvider digCalcProv = new \
JcaDigestCalculatorProviderBuilder().setProvider(bc).build();
AlgorithmIdentifier algorithmIdentifier = new \
AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption);
CertificateID certId = new JcaCertificateID(digCalcProv.get(algorithmIdentifier), \
caCert, certToCheck.getSerialNumber());
…
}
In OCSPResponse method:-
{
…
new JcaContentVerifierProviderBuilder().setProvider(bc).build(caCert.getPublicKey())
…
}
org.bouncycastle.operator.OperatorCreationException: exception on setup: \
java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider \
BCFIPS
at org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder$1.get(Unknown \
Source)
at syslog.OCSPValidator.makeOcspRequest(OCSPValidator.java:62)
………
………..
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA \
for provider BCFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:101)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
at java.security.Security.getImpl(Security.java:724)
at java.security.MessageDigest.getInstance(MessageDigest.java:275)
at org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createDigest(Unknown \
Source)
at org.bouncycastle.operator.jcajce.OperatorHelper.createDigest(Unknown \
Source)
... 21 more
Please let me know if anything incorrect in understanding.
Thank you.
Regards,
Mrugesh
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Courier New \;color\:navy";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Courier New \;color\:black";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Courier New \;color\:\#660E7A";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Courier New \;color\:green";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Hi David,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">We are using bc-fips-1.0.1.jar \
& bcpkix-fips-1.0.1.jar. We don't use bcprov.jar file. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">Will it work with current jars \
?<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext">Regards,<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext">Mrugesh<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext"><o:p> </o:p></span></p> <p class="MsoNormal"><span \
style="color:windowtext"><o:p> </o:p></span></p> <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span \
style="color:windowtext"> David Hook <dgh@cryptoworkshop.com> <br>
<b>Sent:</b> Tuesday, February 26, 2019 11:46 AM<br>
<b>To:</b> Sabalpara, Mrugesh <mrugesh_sabalpara@mcafee.com>; \
dev-crypto@bouncycastle.org<br> <b>Subject:</b> Re: [dev-crypto] OCSP - unable to \
verify with algorithm SHA256WithRSA signed server certificate - \
NoSuchAlgorithmException from "BCFIPS" provider<o:p></o:p></span></p> \
</div> </div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<table class="MsoNormalTable" border="1" cellspacing="3" cellpadding="0" \
style="background:#F3FF33;border:solid #9B9A87 1.5pt"> <tbody>
<tr>
<td style="border:none;padding:.75pt .75pt .75pt .75pt">
<p><strong><span style="font-family:"Arial",sans-serif;color:#9B8B3E">CAUTION</span></strong><span \
style="font-family:"Arial",sans-serif;color:#9B8B3E">:</span><span \
style="font-family:"Arial",sans-serif"> External email. Do not click links \
or open attachments unless you recognize the sender and know the content is \
safe.<o:p></o:p></span></p> </td>
</tr>
</tbody>
</table>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="3" width="100%" align="center">
</div>
</div>
<div>
<p class="MsoNormal">Hi Mrugesh,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The algorithm is definitely supported. I suspect something else \
might be going on - the bcprov jar isn't in the class path as well is \
it?<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">David<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On 25/2/19 11:41 pm, Sabalpara, Mrugesh wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Facing an issue may be known and can straight forward for \
you<span style="font-family:Wingdings">J</span><o:p></o:p></p> <p \
class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal">I recently start working \
with bc-fips-1.0.1.jar and tangled in a situation - OCSP validation with certificate \
signing signature SHA256WithRSA algorithm.<o:p></o:p></p> <p \
class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal">NOTE: - Referring \
to :- <a href="https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf"> \
https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf</a> [Example \
55 – Creating an OCSP Request & Example 56 – Creating an OCSP \
Response]<o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Server provides certificate with signature algorithm \
SHA256WithRSA. Hence passing SHA256WithRSA to fetch DigestCalculatorProvider to get \
digest and generate CertID while creating OCSP request, which returned \
"NoSuchAlgorithmException" exception.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">When I saw "No such algorithm exception for SHA256WithRSA", \
tried to add it as below :-<o:p></o:p></p> <p \
class="MsoNormal"> <o:p></o:p></p> <p class="MsoNormal" \
style="background:white"><b><span style="font-size:9.0pt;font-family:"Courier \
New ;color:navy",serif">public static </span></b><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">BouncyCastleFipsProvider </span><i><span \
style="font-size:9.0pt;font-family:"Courier New ;color:#660E7A",serif">bc \
</span></i><span style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">= </span><b><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:navy",serif">null</span></b><span \
style="font-size:9.0pt;font-family:"Courier New ;color:black",serif">;<br> \
</span><b><span style="font-size:9.0pt;font-family:"Courier New \
;color:navy",serif">static </span></b><span \
style="font-size:9.0pt;font-family:"Courier New ;color:black",serif">{<br> \
<br> </span><i><span \
style="font-size:9.0pt;font-family:"Courier New ;color:#660E7A",serif">bc \
</span></i><span style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">= </span><b><span \
style="font-size:9.0pt;font-family:"Courier New ;color:navy",serif">new \
</span></b><span style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">BouncyCastleFipsProvider();<br> \
</span><i><span style="font-size:9.0pt;font-family:"Courier New \
;color:#660E7A",serif">bc</span></i><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">.put(</span><b><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:green",serif">"SHA256WITHRSA"</span></b><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:black",serif">,PKCSObjectIdentifiers.</span><b><i><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:#660E7A",serif">sha256WithRSAEncryption</span></i></b><span \
style="font-size:9.0pt;font-family:"Courier New ;color:black",serif">);<br> \
Security.<i>addProvider</i>(</span><i><span \
style="font-size:9.0pt;font-family:"Courier New \
;color:#660E7A",serif">bc</span></i><span \
style="font-size:9.0pt;font-family:"Courier New ;color:black",serif">);<br> \
}</span><o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Set "bc" object as provider, to validate server certificate in \
OCSPRequest and OCSPResponse method.<o:p></o:p></p> <p \
class="MsoNormal"><b> </b><o:p></o:p></p> <p class="MsoNormal"><b>In OCSPRequest \
method:- </b><o:p></o:p></p> <p class="MsoNormal"><b> </b><o:p></o:p></p>
<p class="MsoNormal">I used AlgorithmIdentifier to get required algorithm and set \
into <o:p></o:p></p>
<p class="MsoNormal">{<o:p></o:p></p>
<p class="MsoNormal">…<o:p></o:p></p>
<pre style="margin-left:.5in;background:white"><span \
style="font-size:9.0pt">DigestCalculatorProvider digCalcProv = </span><b><span \
style="font-size:9.0pt;color:navy">new </span></b><span \
style="font-size:9.0pt">JcaDigestCalculatorProviderBuilder().setProvider(</span><i><span \
style="font-size:9.0pt;color:#660E7A">bc</span></i><span \
style="font-size:9.0pt">).build();<o:p></o:p></span></pre> <pre \
style="margin-left:.5in;background:white"><span \
style="font-size:9.0pt">AlgorithmIdentifier algorithmIdentifier = </span><b><span \
style="font-size:9.0pt;color:navy">new </span></b><span \
style="font-size:9.0pt">AlgorithmIdentifier(PKCSObjectIdentifiers.</span><b><i><span \
style="font-size:9.0pt;color:#660E7A">sha256WithRSAEncryption</span></i></b><span \
style="font-size:9.0pt">);<o:p></o:p></span></pre> <pre \
style="margin-left:.5in;background:white"><span style="font-size:9.0pt">CertificateID \
certId = </span><b><span style="font-size:9.0pt;color:navy">new </span></b><span \
style="font-size:9.0pt">JcaCertificateID(digCalcProv.get(algorithmIdentifier), \
caCert, certToCheck.getSerialNumber());</span><o:p></o:p></pre> <pre \
style="background:white"><span style="font-size:9.0pt">…</span><o:p></o:p></pre> <p \
class="MsoNormal">}<o:p></o:p></p> <p class="MsoNormal"><b> </b><o:p></o:p></p>
<p class="MsoNormal"><b>In OCSPResponse method:- </b><o:p></o:p></p>
<p class="MsoNormal"><b>{</b><o:p></o:p></p>
<p class="MsoNormal"><b>…</b><o:p></o:p></p>
<pre style="margin-left:.5in;background:white"><b><span \
style="font-size:9.0pt;color:navy">new </span></b><span \
style="font-size:9.0pt">JcaContentVerifierProviderBuilder().setProvider(</span><i><span \
style="font-size:9.0pt;color:#660E7A">bc</span></i><span \
style="font-size:9.0pt">).build(caCert.getPublicKey())</span><o:p></o:p></pre> <pre \
style="background:white"><span style="font-size:9.0pt">…</span><o:p></o:p></pre> <p \
class="MsoNormal">}<o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">org.bouncycastle.operator.OperatorCreationException: exception \
on setup: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA \
for provider BCFIPS<o:p></o:p></p> <p \
class="MsoNormal"> \
at org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder$1.get(Unknown \
Source)<o:p></o:p></p> <p \
class="MsoNormal"> \
at syslog.OCSPValidator.makeOcspRequest(OCSPValidator.java:62)<o:p></o:p></p> <p \
class="MsoNormal">………<o:p></o:p></p> <p \
class="MsoNormal">………..<o:p></o:p></p> <p class="MsoNormal">Caused by: \
java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider \
BCFIPS<o:p></o:p></p> <p \
class="MsoNormal"> \
at sun.security.jca.GetInstance.getService(GetInstance.java:101)<o:p></o:p></p> <p \
class="MsoNormal"> \
at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)<o:p></o:p></p> <p \
class="MsoNormal"> \
at java.security.Security.getImpl(Security.java:724)<o:p></o:p></p> <p \
class="MsoNormal"> \
at java.security.MessageDigest.getInstance(MessageDigest.java:275)<o:p></o:p></p> <p \
class="MsoNormal"> \
at org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createDigest(Unknown \
Source)<o:p></o:p></p> <p \
class="MsoNormal"> \
at org.bouncycastle.operator.jcajce.OperatorHelper.createDigest(Unknown \
Source)<o:p></o:p></p> <p \
class="MsoNormal"> \
... 21 more<o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Please let me know if anything incorrect in \
understanding.<o:p></o:p></p> <p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Mrugesh<o:p></o:p></p>
</blockquote>
<p><o:p> </o:p></p>
</div>
</body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic