From: Markus K. <ma...@pr...> - 2013-06-14 14:20:08

Hi Goran,

The "Signature not consistent" just means that the signature did not match when trying to verify it using the public key from the certificate.

Best regards,
Markus

On 2013-06-14 16:11, Goran Šurina wrote:
> Hi Markus,
>
> Stack trace of Error:
>
> 013-06-13 00:43:37,162 ERROR [org.signserver.module.mrtdsodsigner.MRTDSODSigner] (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves.
> java.security.GeneralSecurityException: Signature not consistent
>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>
> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean] (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 : SOD verification failure
> org.signserver.common.SignServerException: SignServerException calling signer with id 1 : SOD verification failure
>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:281)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
>     at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
>     at sun.reflect.GeneratedMethodAccessor275.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>
> Caused by: org.signserver.common.SignServerException: SOD verification failure
>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:247)
>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>     ... 76 more
> Caused by: java.security.GeneralSecurityException: Signature not consistent
>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>     ... 77 more
>
> Best Regards,
> Goran
>
> From: Markus Kilås [mailto:ejb...@pr...]
> Sent: Thursday, June 13, 2013 5:20 PM
> To: Goran Šurina
> Cc: sig...@li...
> Subject: Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>
> Hi Goran,
>
> (Repeating some of the answers for those not following DSS-642)
>
> Usage of other PKCS11 providers than the SunPKCS11 one is not supported in SignServer; that was why you would have to make those changes.
>
> We usually patch the SunPKCS11 provider to add support for the RSASSA-PSS signature algorithm.
>
> What stacktrace do you get from the SOD verification error, maybe that could tell something about the reason?
>
> Best regards,
> Markus
>
> On 2013-06-13 16:48, Goran Šurina wrote:
> > SignServer 3.3.0
> >
> > I tried to use IAIK pkcs11 provider because SUNPKCS11 does not support SHA256WithRSAAndMGF1. I am testing the SOD signature with SHA256WithRSAAndMGF1.
> >
> > Conclusion:
> >
> > Signing and verification with standard SHA256WithRSA and SHA256WithRSAAndMGF1 using IAIK does not work until I make some changes in source code ().
> > The change I made to get IAIK to work is:
> > In class PKCS11CAToken.java we have put setJCAProvider(provider); line 92, before if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11") ); line 87.
> > After that change in the source code, we have successfully activated the CA token with IAIK.
> >
> > But after that I get:
> >
> > SignServerException calling signer with id 1 : SOD verification failure.
> > When disabling the verification method in the source code, we have tested the SOD object with an external application and get an SOD verification error.
> > The error occurred on 2 different HSM devices (Luna SA, nCipher).
> >
> > Regards,
> >
> > Goran Šurina
> > Tel: + 385 1 3657 735
> > Mob: + 385 99 257 1259
> > E-mail: go...@ak...
> > Savska cesta 31, 10 000 Zagreb, Croatia
> > Web: www.akd.hr

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
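
A sign-then-verify self-check of the kind the stack trace shows failing, as an added example for Java 11+ (standard JCA only) that is not part of this thread and is not SignServer's code. Only the first check verifies; the other three are constructed mismatches (salt length, padding scheme, public key) that each make verification return false, the condition Markus describes. The class name, sample data and in-process software keys are assumptions, and nothing here identifies which mismatch, if any, applied in the reported case.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

// Added illustration with a hypothetical class name; not SignServer code.
public class PssSelfCheck {
    // SHA-256 digest, MGF1 with SHA-256, 32-byte salt, trailer field 1.
    static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
    // Same scheme with a 20-byte salt: a parameter mismatch, not a different key.
    static final PSSParameterSpec PSS_SALT20 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 20, 1);

    static Signature engine(String alg, PSSParameterSpec params) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        if (params != null) s.setParameter(params); // RSASSA-PSS needs explicit parameters
        return s;
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = engine("RSASSA-PSS", PSS_SHA256);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Post-signing self-check: true only if sig verifies under pub with these settings.
    static boolean verify(String alg, PSSParameterSpec params, PublicKey pub, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = engine(alg, params);
        s.initVerify(pub);
        s.update(data);
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair(); // software key standing in for the HSM key
        KeyPair other = gen.generateKeyPair();  // stands in for a certificate of another key
        byte[] data = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(signer.getPrivate(), data);
        PublicKey pub = signer.getPublic();
        System.out.println("matching key and parameters: " + verify("RSASSA-PSS", PSS_SHA256, pub, data, sig));
        System.out.println("verifier expects other salt: " + verify("RSASSA-PSS", PSS_SALT20, pub, data, sig));
        System.out.println("verifier uses PKCS#1 v1.5:   " + verify("SHA256withRSA", null, pub, data, sig));
        System.out.println("public key of another pair:  " + verify("RSASSA-PSS", PSS_SHA256, other.getPublic(), data, sig));
    }
}
```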