Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.

[Markus K. <ma...@pr...>]

Maybe you could test signing and verification with an minimal
application to see that the provider is working. Something like this
(note: needs some modifications):

---
Security.addProvider(new BouncyCastleProvider());
Provider provider = ...; // IAIK provider
KeyPair keyPair = ...; // Generate some keys
byte[] input = ...; some bytes;

Signature signature = Signature.getInstance("SHA256WithRSAandMGF1",
provider);
signature.initSign( pair.getPrivate() );
signature.update( input );
signBV = signature.sign();

Signature signature2 = Signature.getInstance("SHA256WithRSAandMGF1", "BC");
signature2.initVerify(pair.getPublic());
signature2.update(input);
System.out.println("Result: " + signature2.verify(signBV));
---

First test with "SHA256WithRSA".

Best regards,
Markus


On 2013-06-14 16:19, Markus Kilås wrote:
> Hi Goran,
> 
> The "Signature not consistent" just means that the signature did not
> match when trying to verify it using the public key from the certificate.
> 
> 
> Best regards,
> Markus
> 
> On 2013-06-14 16:11, Goran Šurina wrote:
>> Hi Markus,
>>
>> Stack trace of Error:
>>
>>  
>>
>> 013-06-13 00:43:37,162 ERROR
>> [org.signserver.module.mrtdsodsigner.MRTDSODSigner]
>> (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves.
>>
>> java.security.GeneralSecurityException: Signature not consistent
>>
>>                 at
>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>
>>                 at
>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>
>>                 at
>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>
>>                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>>
>>                 at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>
>>                 at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>
>>                 at java.lang.reflect.Method.invoke(Method.java:597)
>>
>>                 at
>> org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>
>>  
>>
>> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean]
>> (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 :
>> SOD verification failure
>>
>> org.signserver.common.SignServerException: SignServerException calling
>> signer with id 1 : SOD verification failure
>>
>>                 at
>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:281)
>>
>>                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>>
>>                 at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>
>>                 at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>
>>                 at java.lang.reflect.Method.invoke(Method.java:597)
>>
>>                 at
>> org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>
>>                 at
>> org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
>>
>>                 at
>> org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
>>
>>                 at
>> org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
>>
>>                 at
>> org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
>>
>>                 at sun.reflect.GeneratedMethodAccessor275.invoke(Unknown
>> Source)
>>
>>                 at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>
>>  
>>
>> Caused by: org.signserver.common.SignServerException: SOD verification
>> failure
>>
>>                 at
>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:247)
>>
>>                 at
>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>
>>                 ... 76 more
>>
>> Caused by: java.security.GeneralSecurityException: Signature not consistent
>>
>>                 at
>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>
>>                 at
>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>
>>                 ... 77 more
>>
>>  
>>
>> Best Regards,
>>
>> Goran
>>
>>  
>>
>> *From:*Markus Kilås [mailto:ejb...@pr...]
>> *Sent:* Thursday, June 13, 2013 5:20 PM
>> *To:* Goran Šurina
>> *Cc:* sig...@li...
>> *Subject:* Re: [SignServer-develop] using IAIK PKCS11 provider with
>> SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>>
>>  
>>
>> Hi Goran,
>>
>> (Repeating some of the answers for those not following DSS-642)
>>
>> Usage of other PKCS11 providers than the SunPKCS11 one is not supported
>> in SignServer that was why you would have to make that changes.
>>
>> We usually patch the SunPKCS11 provider to add support for the
>> RSASSA-PSS signature algorithm.
>>
>> What stacktrace do you get from the SOD verification error, maybe that
>> could tell something about the reason?
>>
>>
>> Best regards,
>> Markus
>>
>> PrimeKey Solutions offers a commercial EJBCA & SignServer support
>> subscription and training. Please see www.primekey.se
>> <http://www.primekey.se> or contact in...@pr...
>> <mailto:in...@pr...> for more information. 
>> http://www.primekey.se/Services/Support/
>> http://www.primekey.se/Services/Training/
>>
>>
>> On 2013-06-13 16:48, Goran Šurina wrote:
>>
>>     SignServer 3.3.0
>>
>>     I tryed to use IAIK pkcs11 provider becouse SUNPKCS11 does not
>>     support SHA256WithRSAAndMGF1. I am testing the SOD signature with
>>     SHA256WithRSAAndMGF1.
>>
>>      
>>
>>     Conclusion:
>>
>>     Signing and verification with standard SHA256WithRSA and
>>     SHA256WithRSAAndMGF1 using IAIK does not work until I make some
>>     changes in source kod ().
>>     The change I make to get IAIK to work are:
>>     In class PKCS11CAToken.java we have put setJCAProvider(provider);
>>     line 92, before
>>      if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11")
>>     ); line 87.
>>     After that change in the source code, we have succesfully activate
>>     ca token with IAIK.
>>
>>      
>>
>>     But after I get :
>>
>>     SignServerException calling signer with id 1 : SOD verification
>>     failure.
>>     When disabling Verifcation method in source code, we have tested the
>>     SOD object with external application and get SOD verification error.
>>     Error occured on 2 different HSM devices(Luna SA, nCipher).
>>
>>     Lp,
>>
>>      
>>
>>     *Goran Šurina*
>>
>>     Tel:   + 385 1 3657 735
>>
>>     Mob:  + 385 99 257 1259
>>
>>     E-mail: _go...@ak... <mailto:gor...@ak...>_
>>
>>      
>>
>>     cid:image004.jpg@01CB97DF.80F59370
>>     Savska cesta 31, 10 000 Zagreb, Croatia
>>
>>     Web: www.akd.hr <http://www.akd.hr/>
>>
>>      
>>
>>     ------------------------------------------------------------------------
>>
>>     Ova poruka elektronicke poste i njezini privici namijenjeni su
>>     iskljucivo primatelju i sadrze informacije povjerljive prirode. U
>>     slucaju da ste je primili pogreskom, molimo Vas da ne otvarate
>>     privitke, ne kopirate poruku i ne otkrivate njezin sadrzaj drugim
>>     osobama. Izbrisite je iz svojega racunalnog sustava te obavijestite
>>     posiljatelja da ste to ucinili. Sve informacije unutar ove poruke,
>>     misljenja i zakljucci koji se ne odnose na posao posiljateljeva
>>     poslodavca tretiraju se kao osobni stavovi, a ne stavovi poslodavca.
>>
>>     ------------------------------------------------------------------------
>>
>>     This e-mail is intended solely for the addressee(s) and may contain
>>     privileged and/or confidential information. If you have  received
>>     this e-mail in error or are not the intended recipient you may not
>>     open it, read it (or its attachment(s)), copy it and disseminate or
>>     distribute it to others. Please delete it immediately from your
>>     system and notify the sender promptly by e-mail that you have done
>>     so. All information within this e-mail, opinions and conclusions
>>     that do not refer to the business matter of the sender’s employer
>>     shall be treated as sender’s personal views, and not as the
>>     employer’s policy.
>>
>>
>>
>>     ------------------------------------------------------------------------------
>>
>>     This SF.net email is sponsored by Windows:
>>
>>      
>>
>>     Build for Windows Store.
>>
>>      
>>
>>     http://p.sf.net/sfu/windows-dev2dev
>>
>>
>>
>>
>>     _______________________________________________
>>
>>     SignServer-develop mailing list
>>
>>     Sig...@li... <mailto:Sig...@li...>
>>
>>     https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>>
>>
>>
>> -- 
>>
>>  
>>
>> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se <http://www.primekey.se> or contact in...@pr... <mailto:in...@pr...> for more information.
>>
>> http://www.primekey.se/Services/Support/
>>
>> http://www.primekey.se/Services/Training/
>>
>> ------------------------------------------------------------------------
>> Ova poruka elektronicke poste i njezini privici namijenjeni su
>> iskljucivo primatelju i sadrze informacije povjerljive prirode. U
>> slucaju da ste je primili pogreskom, molimo Vas da ne otvarate privitke,
>> ne kopirate poruku i ne otkrivate njezin sadrzaj drugim osobama.
>> Izbrisite je iz svojega racunalnog sustava te obavijestite posiljatelja
>> da ste to ucinili. Sve informacije unutar ove poruke, misljenja i
>> zakljucci koji se ne odnose na posao posiljateljeva poslodavca tretiraju
>> se kao osobni stavovi, a ne stavovi poslodavca.
>> ------------------------------------------------------------------------
>> This e-mail is intended solely for the addressee(s) and may contain
>> privileged and/or confidential information. If you have  received this
>> e-mail in error or are not the intended recipient you may not open it,
>> read it (or its attachment(s)), copy it and disseminate or distribute it
>> to others. Please delete it immediately from your system and notify the
>> sender promptly by e-mail that you have done so. All information within
>> this e-mail, opinions and conclusions that do not refer to the business
>> matter of the sender’s employer shall be treated as sender’s personal
>> views, and not as the employer’s policy.
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>>
>>
>>
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
> 
> 
> 



-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...

www.primekey.se