weblogic - BouncyCastle jars giving SHA1 Digest Error for JDK 1.7 -
for project, have digitally sign string , using bouncycastle jars same. environment details follows.
weblogic 12c jsf, primefaces java version : 1.7.0_45 bc jars : bcmail-jdk15on-152.jar, bcpkix-jdk15on-152.jar, bcprov-ext-jdk15on-152.jar, bcprov-jdk15on-152.jar
alternatively have used bcprov-jdk16-1.45.jar , bcmail-jdk16-1.45.jar result same. error getting is,
java.security.nosuchalgorithmexception: error constructing implementation (algorithm: sha1withrsaencryption, provider: bc, class: org.bouncycastle.jce.provider.jdkdigestsignature$sha1withrsaencryption) @ java.security.provider$service.newinstance(provider.java:1262) ~[?:1.7.0_45] @ sun.security.jca.getinstance.getinstance(getinstance.java:236) ~[?:1.7.0_45] @ sun.security.jca.getinstance.getinstance(getinstance.java:206) ~[?:1.7.0_45] @ java.security.signature.getinstance(signature.java:355) ~[?:1.7.0_45] @ digisigner.sign(digisigner.java:185) [digisigner.class:?] ... 40 more caused by: java.lang.securityexception: sha1 digest error org/bouncycastle/jce/provider/jdkdigestsignature$sha1withrsaencryption.class @ sun.security.util.manifestentryverifier.verify(manifestentryverifier.java:220) ~[?:1.7.0_45] @ java.util.jar.jarverifier.processentry(jarverifier.java:229) ~[?:1.7.0_45] @ java.util.jar.jarverifier.update(jarverifier.java:216) ~[?:1.7.0_45] @ java.util.jar.jarverifier$verifierstream.read(jarverifier.java:471) ~[?:1.7.0_45] @ sun.misc.resource.getbytes(resource.java:124) ~[?:1.7.0_45] @ java.net.urlclassloader.defineclass(urlclassloader.java:444) ~[?:1.7.0_45] @ java.net.urlclassloader.access$100(urlclassloader.java:71) ~[?:1.7.0_45] @ java.net.urlclassloader$1.run(urlclassloader.java:361) ~[?:1.7.0_45] @ java.net.urlclassloader$1.run(urlclassloader.java:355) ~[?:1.7.0_45] @ java.security.accesscontroller.doprivileged(native method) ~[?:1.7.0_45] @ java.net.urlclassloader.findclass(urlclassloader.java:354) ~[?:1.7.0_45] @ java.lang.classloader.loadclass(classloader.java:425) ~[?:1.7.0_45] @ sun.misc.launcher$appclassloader.loadclass(launcher.java:308) ~[?:1.7.0_45] @ java.lang.classloader.loadclass(classloader.java:358) ~[?:1.7.0_45] @ java.security.provider$service.getimplclass(provider.java:1279) ~[?:1.7.0_45] @ java.security.provider$service.newinstance(provider.java:1237) ~[?:1.7.0_45] ... 44 more
the code digisigner.java is
import java.io.file; import java.io.fileinputstream; import java.io.filenotfoundexception; import java.io.fileoutputstream; import java.io.ioexception; import java.io.inputstream; import java.io.outputstream; import java.security.invalidkeyexception; import java.security.keystore; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.nosuchproviderexception; import java.security.privatekey; import java.security.security; import java.security.signature; import java.security.signatureexception; import java.security.unrecoverablekeyexception; import java.security.cert.certificate; import java.security.cert.certificateencodingexception; import java.security.cert.certificateexception; import java.security.cert.x509certificate; import java.util.arraylist; import java.util.enumeration; import java.util.list; import org.bouncycastle.cert.jcajce.jcacertstore; import org.bouncycastle.cms.cmsexception; import org.bouncycastle.cms.cmsprocessablebytearray; import org.bouncycastle.cms.cmssigneddata; import org.bouncycastle.cms.cmssigneddatagenerator; import org.bouncycastle.cms.cmstypeddata; import org.bouncycastle.cms.jcajce.jcasignerinfogeneratorbuilder; import org.bouncycastle.jce.provider.bouncycastleprovider; import org.bouncycastle.operator.contentsigner; import org.bouncycastle.operator.operatorcreationexception; import org.bouncycastle.operator.jcajce.jcacontentsignerbuilder; import org.bouncycastle.operator.jcajce.jcadigestcalculatorproviderbuilder; import org.bouncycastle.util.store; import sun.misc.base64encoder; @suppresswarnings("rawtypes") public class digisigner { private string certfilepath = null; private string pfxfilename = null; private string jksfilename = null; private string certpassword = null; private char[] certpasswordarr = null; private keystore keystore = null; cmssigneddatagenerator sgen = null; @suppresswarnings("unchecked") public digisigner(string certificateprefix) throws ibexception{ configmanager config = configmanager.getconfigmanager(); this.certfilepath = "d:/chintan/cert_files"; this.pfxfilename = "chintan.pfx"; this.jksfilename = "chintan.jks"; this.certpassword = "abc123"; certpasswordarr = certpassword.tochararray(); try{ this.keystore = keystore.getinstance("jks"); file jksfile = new file(certfilepath + "/" + jksfilename); if(!jksfile.exists()){ this.createjks(); } inputstream input = new fileinputstream(certfilepath + "/" + jksfilename); keystore.load(input, certpasswordarr); } catch(keystoreexception e){ e.printstacktrace(); } catch (nosuchalgorithmexception e) { e.printstacktrace(); } catch (certificateexception e) { e.printstacktrace(); } catch (ioexception e) { e.printstacktrace(); } } @suppresswarnings("unchecked") public string sign(string datatosign) throws ibexception{ string signeddata = null; try { byte[] datatosignarr = datatosign.getbytes(); security.addprovider(new bouncycastleprovider()); enumeration e = keystore.aliases(); string alias = ""; if(e != null){ while(e.hasmoreelements()){ string n = (string)e.nextelement(); if (keystore.iskeyentry(n)){ alias = n; } } } privatekey privatekey = (privatekey) keystore.getkey(alias, certpasswordarr); signature signature = signature.getinstance("sha1withrsa", "bc"); signature.initsign(privatekey); signature.update(datatosignarr); //build cms x509certificate cert = (x509certificate) this.keystore.getcertificate(alias); list certlist = new arraylist(); cmstypeddata msg = new cmsprocessablebytearray(signature.sign()); certlist.add(cert); store certs = new jcacertstore(certlist); cmssigneddatagenerator gen = new cmssigneddatagenerator(); contentsigner sha1signer = new jcacontentsignerbuilder("sha1withrsa").setprovider("bc").build(privatekey); gen.addsignerinfogenerator(new jcasignerinfogeneratorbuilder(new jcadigestcalculatorproviderbuilder().setprovider("bc").build()).build(sha1signer, cert)); gen.addcertificates(certs); cmssigneddata sigdata = gen.generate(msg, false); base64encoder encoder = new base64encoder(); signeddata = encoder.encode((byte[]) sigdata.getsignedcontent().getcontent()); system.out.println("signature : " + signeddata); } catch(keystoreexception e){ e.printstacktrace(); } catch (nosuchalgorithmexception e) { e.printstacktrace(); } catch (nosuchproviderexception e) { e.printstacktrace(); } catch (cmsexception e) { e.printstacktrace(); } catch (unrecoverablekeyexception e) { e.printstacktrace(); } catch (signatureexception e) { e.printstacktrace(); } catch (invalidkeyexception e) { e.printstacktrace(); } catch (certificateencodingexception e) { e.printstacktrace(); } catch (operatorcreationexception e) { e.printstacktrace(); } return signeddata; } public void createjks() throws ibexception{ try{ file filein = new file(certfilepath + "/" + pfxfilename); file fileout = new file(certfilepath + "/" + jksfilename); if(!filein.canread()){ throw new ibexception("unable access input keystore: " + filein.getpath()); } if(fileout.exists() && !fileout.canwrite()){ throw new ibexception("output file not writable: " + fileout.getpath()); } keystore kspkcs12 = keystore.getinstance("pkcs12"); keystore ksjks = keystore.getinstance("jks"); char inphrase[] = certpassword.tochararray(); char outphrase[] = certpassword.tochararray(); kspkcs12.load(new fileinputstream(filein), inphrase); ksjks.load(fileout.exists() ? ((java.io.inputstream) (new fileinputstream(fileout))) : null, outphrase); enumeration ealiases = kspkcs12.aliases(); do{ if(!ealiases.hasmoreelements()) break; string stralias = (string)ealiases.nextelement(); if(kspkcs12.iskeyentry(stralias)) { java.security.key key = kspkcs12.getkey(stralias, inphrase); certificate chain[] = kspkcs12.getcertificatechain(stralias); ksjks.setkeyentry(stralias, key, outphrase, chain); } } while(true); outputstream out = new fileoutputstream(fileout); ksjks.store(out, outphrase); out.close(); } catch(keystoreexception e){ e.printstacktrace(); } catch (nosuchalgorithmexception e) { e.printstacktrace(); } catch (certificateexception e) { e.printstacktrace(); } catch (filenotfoundexception e) { e.printstacktrace(); } catch (ioexception e) { e.printstacktrace(); } catch (unrecoverablekeyexception e) { e.printstacktrace(); } system.out.println("java key store created successfully"); } }
i referred link : bouncycastle jdk 1.7 , pkcs libraries - well, it's not working me.
the error on line : signature signature = signature.getinstance("sha1withrsa", "bc");
as mentioned here, weblogic contains invalid bcprov-jdk16-1.45.jar
try verify mw_home/oracle_common/modules/bcprov-jdk16-1.45.jar
jarsigner utility:
jarsigner -verify bcprov-jdk16-1.45.jar
the securityexception thrown:
jarsigner: java.lang.securityexception: sha1 digest error org/bouncycastle/jce/eckeyutil$unexpectedexception.class
the file differs 1 in maven repository, passes verification successfully.
Comments
Post a Comment