"no signing algorithm specified" OCSP response log

Help
2013-08-14
2013-08-27
1 2 > >> (Page 1 of 2)
  • Hi,
    I am running a standalone OCSP server. We have certificates using SHA256withECDSA. When I try to verify the certs using openssl, I get this weird response. Can anybody help me? Although I have mentioned the signing algorithm in the ocsp.properties file as SHA256withECDSA.

    root@internal-ocsp:/vol/pki/ejbca# 19:04:34,763 INFO [OCSPServletBase] Received OCSP request for certificate with serNo: 523da8cd2ff19124, and issuerNameHash: 6ba06bce59c259b7e641e99db9b8c6cef0444613. Client ip 10.10.10.147.
    19:04:34,772 INFO [OCSPServletBase] Adding status information (good) for certificate with serial '523da8cd2ff19124' from issuer 'CN=AdminCA1,OU=admin,O=--'.
    19:04:34,774 ERROR [OCSPUtil] IllegalArgumentException:
    java.lang.IllegalArgumentException: no signing algorithm specified
    at org.bouncycastle.ocsp.BasicOCSPRespGenerator.generate(Unknown Source)
    at org.bouncycastle.ocsp.BasicOCSPRespGenerator.generate(Unknown Source)
    at org.ejbca.core.protocol.ocsp.OCSPUtil.generateBasicOCSPResp(OCSPUtil.java:138)
    at org.ejbca.core.protocol.ocsp.OCSPUtil.createOCSPCAServiceResponse(OCSPUtil.java:228)
    at org.ejbca.core.protocol.ocsp.standalonesession.SigningEntity.sign(SigningEntity.java:140)
    at org.ejbca.core.protocol.ocsp.standalonesession.SignerThread.run(SignerThread.java:46)
    at java.lang.Thread.run(Thread.java:679)
    19:04:34,775 ERROR [OCSPServletBase] Error processing OCSP request. Message: java.lang.IllegalArgumentException: no signing algorithm specified.
    org.ejbca.core.model.ca.caadmin.extendedcaservices.IllegalExtendedCAServiceRequestException: java.lang.IllegalArgumentException: no signing algorithm specified
    at org.ejbca.core.protocol.ocsp.OCSPUtil.createOCSPCAServiceResponse(OCSPUtil.java:241)
    at org.ejbca.core.protocol.ocsp.standalonesession.SigningEntity.sign(SigningEntity.java:140)
    at org.ejbca.core.protocol.ocsp.standalonesession.SignerThread.run(SignerThread.java:46)
    at java.lang.Thread.run(Thread.java:679)
    Caused by: java.lang.IllegalArgumentException: no signing algorithm specified
    at org.bouncycastle.ocsp.BasicOCSPRespGenerator.generate(Unknown Source)
    at org.bouncycastle.ocsp.BasicOCSPRespGenerator.generate(Unknown Source)
    at org.ejbca.core.protocol.ocsp.OCSPUtil.generateBasicOCSPResp(OCSPUtil.java:138)
    at org.ejbca.core.protocol.ocsp.OCSPUtil.createOCSPCAServiceResponse(OCSPUtil.java:228)
    ... 3 more

    Regards,
    San

     
  • Mike Kushner
    2013-08-15

    Hello San,

    There are two possible explanations for your problem.

    1. What version of Java are you running? JDK5 doesn't support elliptic curves out of the box; you can find patching instructions at http://www.ejbca.org/adminguide.html
      Alternatively, JDK6 should support EC.

    2. ocsp.properties has the value ocsp.signaturealgorithm which lists available signing algorithms. Make sure that SHA256withECDSA is in this list.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions


    PrimeKey Solutions offers commercial EJBCA and SignServer support
    subscriptions and training courses. Please see www.primekey.se or
    contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/


     
  • Dear Mike,
    Thanks for the reply.
    I am using JDK6.
    By default SHA256withECDSA is not available in the list. I had manually added it to the configuration file.

    Regards,
    san

     
    Last edit: sanaullah ashraf 2013-08-17
  • I have done a few more tests on the OCSP server. My OCSP signing certificate has the algorithm SHA256WithECDSA specified, but the OCSP server only replies with an OCSP response signed using SHA1WithRSA.
    If I mention SHA1WithECDSA or SHA256WithECDSA in the ocsp.properties file, the server throws the exception "no signing algorithm specified".

    Can anyone suggest where I am making a mistake? I need this to work with SHA256WithECDSA.

    Regards,

     
    Last edit: sanaullah ashraf 2013-08-21
  • Hi San,

    You need ECC keys on the responder to sign with ECDSA. If your responder has RSA keys, only RSA signatures are possible.

    Cheers,
    Tomas

     
  • Dear Tomas,

    Thanks for your response. I have created the CA with ECC prime256v1, and for OCSP I have created a profile whose Signing Algorithm is inherited from the CA. When I check the CA it clearly shows me that the public key algorithm is ECC, but when I get the certificate from the OCSP profile with the same CA, the public key is RSA?

    Is there any special way to create an ECC-based cert for an end entity or OCSP signer? It automatically generates RSA as the public key, and for signing it displays ECDSA? I am confused here.

    How can I get the end user cert with the public key as ECC instead of RSA?

    Regards,
    San

     
    Last edit: sanaullah ashraf 2013-08-21
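A check that fits Tomas's point and San's observation above, added here as an example and not taken from the thread or from EJBCA: it reads the public key algorithm and the signature algorithm out of a DER certificate and reports whether that key can ever produce SHA256withECDSA. The DER skeletons at the bottom are constructed sample input; on a real responder you would feed it the signer certificate exported from the p12 keystore.

```python
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey",
        "1.2.840.10045.3.1.7": "prime256v1",  # P-256 and secp256r1 are aliases of this same curve
        "1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA", "1.2.840.10045.4.1": "SHA1withECDSA", "1.2.840.10045.4.3.2": "SHA256withECDSA"}

def children(data):
    """Split a DER buffer or SEQUENCE body into a list of (tag, value) TLVs."""
    out, pos = [], 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length: next n bytes hold it
            length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    """Dotted string from an OBJECT IDENTIFIER value (first byte packs two arcs, rest base-128)."""
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def key_and_signature(cert_der):
    """Return (public key algorithm, named curve or None, signature algorithm) of a DER certificate."""
    tbs, sig_alg, _ = children(children(cert_der)[0][1])   # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                                # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    alg = children(children(fields[5][1])[0][1])            # subjectPublicKeyInfo.algorithm
    key_oid = decode_oid(alg[0][1])
    curve = decode_oid(alg[1][1]) if len(alg) > 1 and alg[1][0] == 0x06 else None
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return OIDS.get(key_oid, key_oid), OIDS.get(curve, curve), OIDS.get(sig_oid, sig_oid)

def can_sign_with(cert_der, wanted):
    """True if the certificate's key family can produce `wanted`, e.g. 'SHA256withECDSA'."""
    family = {"rsaEncryption": "RSA", "ecPublicKey": "ECDSA"}.get(key_and_signature(cert_der)[0])
    return family is not None and wanted.endswith(family)

# Constructed sample input: minimal DER certificate skeletons (empty names, dummy signature), not real certs.
def der(tag, body): return bytes([tag, len(body)]) + body  # short-form length is enough here
def make_cert(key_oid, key_param, sig_oid):
    alg = lambda oid, param: der(0x30, der(0x06, oid) + param)
    name, validity = der(0x30, b""), der(0x30, der(0x17, b"130814000000Z") * 2)
    spki = der(0x30, alg(key_oid, key_param) + der(0x03, b"\x00\x04\x01\x02"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(sig_oid, b"") + name + validity + name + spki)
    return der(0x30, tbs + alg(sig_oid, b"") + der(0x03, b"\x00\xAA"))
RSA, EC_KEY, P256, ECDSA_SHA256 = (bytes.fromhex(h) for h in ("2a864886f70d010101", "2a8648ce3d0201", "2a8648ce3d030107", "2a8648ce3d040302"))
RSA_KEY_ECDSA_SIG = make_cert(RSA, der(0x05, b""), ECDSA_SHA256)    # San's case: ECDSA-signed cert, RSA key inside
EC_KEY_ECDSA_SIG = make_cert(EC_KEY, der(0x06, P256), ECDSA_SHA256)  # what an ECDSA-signing responder needs
```

Run `key_and_signature(open("ocspsigner.der", "rb").read())` against a real signer certificate to see the same three fields; a certificate signed by an ECC CA can still carry an RSA key, which is exactly the combination the responder cannot sign ECDSA with.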
  • You have to look at how you generate your OCSP responder key. How are you generating the responder keystore?

     
  • I have created the user profile for OCSP signing using the standard template with ECDSA and generated the p12 keystore using the add end entity profile. I downloaded the cert from the public web page and copied it to the OCSP server.

     
  • Whenever I get the certificate from public web -> create Browser certificate, it is always RSA? There is no option for ECC.

     
  • Right. Use bin/ejbca.sh batch, there is a bin/batchtool.properties config file.

     
  • I have configured that for ECDSA and prime256v1 and got the certs with ECDSA and ECC, but these certificates cannot be imported into a web browser, either Firefox or Chrome. Both generate an error.
    Is there a way we can generate ECC-based certs from the GUI for every user, and that will work with all of the browsers?

    Regards,
    Sanaullah

     
  • Browsers do not support ECC. You can always ask Google, Mozilla or Microsoft to start supporting it :-)

     
  • Ah, so I have to use RSA with the browser :( Can I use ECC with smart cards in the browser? Although it is a stupid question, I am still looking for some hope.

     
  • ECC with browsers... I would recommend dropping hope completely. I recommend sticking with something that works unless you want to develop on the cutting edge yourself.

     
  • I dropped that idea :) but I am still looking for a solution to get ECC-based certificates from the EJBCA External RA GUI.
    I have heard EJBCA supports that but it requires some special configuration? Can you help me out with those configurations?

    Regards,
    San

     
  • Sorry, that's a little too much work for me. I have not used ECC with that so I don't have any quick answers, and it will never work with browsers anyhow.

    Cheers,
    Tomas

     
  • Can CAPI support this in Windows? If I can store the ECC keys using CAPI in the Windows keystore, can I import this into the web browser? Do you have any idea about that?

     
  • Sorry, no idea from my side. Perhaps somebody else?

    /Tomas

     
  • Is there anyone who can help me deal with this issue?

     
    Last edit: sanaullah ashraf 2013-08-23
  • I have found something strange related to ECC supported curves in EJBCA; either it is a bug or my mistake.
    I have defined P-256 and also secp256r1 in the ECDSA key spec parameter from the GUI, but the CA is always generated with Prime256v1. Why is it like that? I have changed this even in the batchtool.properties file; the result is the same.

    Regards,
    Sanaullah

     
  • These curves are the same, just different aliases. EJBCA's default name for this curve is Prime256v1. The curve is in fact made up of a number of parameters; these are "translated" into an alias from a list.

     
  • I have created certificates using openssl with ECC. They work perfectly with all of the web browsers. Is there something special that prevents the EJBCA-generated certs from working with web browsers?

    Regards,
    Sanaullah

     
  • Cool. Can you see what the difference is? Or can you send me the two different keystores so I can compare?

    cheers,
    Tomas

     
  • I will share both, but I haven't seen many differences except that the ECDSA is with SHA1. I have attached prime256v1Client.p12, which was generated through openssl; the p12 keystore password is prime256.

     
    Last edit: sanaullah ashraf 2013-08-26