Menu
▾
▴
Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
|
From: Markus K. <ma...@pr...> - 2013-06-14 15:18:12
|
On 2013-06-14 16:57, Goran Šurina wrote: > Hi Markus, > Thanx but we have succesfuly get SOD with RSA-PSS using IAIK. > After we succesfuly load IAIK provider, we have made changes in configuration when setting algorithmParameters. Instead of setting > WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in the properties we have set WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSAandMGF1. > Case sensitive issue on string. > > Reason for that is when we use WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in > Source code class SODFile, line lines 769/770 > digestEncryptionAlgorithmParams = > algorithmParameters.get(digestEncryptionAlgorithm); > > we didn get right parameters fo signature. But when you use SHA256withRSAandMGF1 signature is valid. > My colege found this. I can ask him to get precize instructions on what line he found this issue. Ok Great and thanks for the report. I have created https://jira.primekey.se/browse/DSS-643 for the issue. If you or your college could add some more details to the report if you have it would be great. > > > Can you plase tell me is it possible to get patch the SunPKCS11 provider with support for the RSASSA-PSS signature algorithm somewhere? > If we could we would use it with SignServer instead of IAIK? I will ask someone about the status and location of the patches. Best regards, Markus > Regards, > Goran > > > -----Original Message----- > From: Markus Kilås [mailto:ma...@pr...] > Sent: Friday, June 14, 2013 4:31 PM > To: sig...@li... > Subject: Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider. > > Maybe you could test signing and verification with an minimal application to see that the provider is working. Something like this > (note: needs some modifications): > > --- > Security.addProvider(new BouncyCastleProvider()); Provider provider = ...; // IAIK provider KeyPair keyPair = ...; // Generate some keys byte[] input = ...; some bytes; > > Signature signature = Signature.getInstance("SHA256WithRSAandMGF1", > provider); > signature.initSign( pair.getPrivate() ); signature.update( input ); signBV = signature.sign(); > > Signature signature2 = Signature.getInstance("SHA256WithRSAandMGF1", "BC"); signature2.initVerify(pair.getPublic()); > signature2.update(input); > System.out.println("Result: " + signature2.verify(signBV)); > --- > > First test with "SHA256WithRSA". > > Best regards, > Markus > > > On 2013-06-14 16:19, Markus Kilås wrote: >> Hi Goran, >> >> The "Signature not consistent" just means that the signature did not >> match when trying to verify it using the public key from the certificate. >> >> >> Best regards, >> Markus >> >> On 2013-06-14 16:11, Goran Šurina wrote: >>> Hi Markus, >>> >>> Stack trace of Error: >>> >>> >>> >>> 013-06-13 00:43:37,162 ERROR >>> [org.signserver.module.mrtdsodsigner.MRTDSODSigner] >>> (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves. >>> >>> java.security.GeneralSecurityException: Signature not consistent >>> >>> at >>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndC >>> hain(MRTDSODSigner.java:318) >>> >>> at >>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSOD >>> Signer.java:234) >>> >>> at >>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:2 >>> 77) >>> >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>> Method) >>> >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. >>> java:39) >>> >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces >>> sorImpl.java:25) >>> >>> at java.lang.reflect.Method.invoke(Method.java:597) >>> >>> at >>> org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocatio >>> n.java:122) >>> >>> >>> >>> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean] >>> (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 : >>> SOD verification failure >>> >>> org.signserver.common.SignServerException: SignServerException >>> calling signer with id 1 : SOD verification failure >>> >>> at >>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:2 >>> 81) >>> >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>> Method) >>> >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. >>> java:39) >>> >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces >>> sorImpl.java:25) >>> >>> at java.lang.reflect.Method.invoke(Method.java:597) >>> >>> at >>> org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocatio >>> n.java:122) >>> >>> at >>> org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation. >>> java:111) >>> >>> at >>> org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerI >>> nvocationWrapper.java:69) >>> >>> at >>> org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(Intercept >>> orSequencer.java:73) >>> >>> at >>> org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(Int >>> erceptorSequencer.java:59) >>> >>> at >>> sun.reflect.GeneratedMethodAccessor275.invoke(Unknown >>> Source) >>> >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces >>> sorImpl.java:25) >>> >>> >>> >>> Caused by: org.signserver.common.SignServerException: SOD >>> verification failure >>> >>> at >>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSOD >>> Signer.java:247) >>> >>> at >>> org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:2 >>> 77) >>> >>> ... 76 more >>> >>> Caused by: java.security.GeneralSecurityException: Signature not >>> consistent >>> >>> at >>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndC >>> hain(MRTDSODSigner.java:318) >>> >>> at >>> org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSOD >>> Signer.java:234) >>> >>> ... 77 more >>> >>> >>> >>> Best Regards, >>> >>> Goran >>> >>> >>> >>> *From:*Markus Kilås [mailto:ejb...@pr...] >>> *Sent:* Thursday, June 13, 2013 5:20 PM >>> *To:* Goran Šurina >>> *Cc:* sig...@li... >>> *Subject:* Re: [SignServer-develop] using IAIK PKCS11 provider with >>> SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider. >>> >>> >>> >>> Hi Goran, >>> >>> (Repeating some of the answers for those not following DSS-642) >>> >>> Usage of other PKCS11 providers than the SunPKCS11 one is not >>> supported in SignServer that was why you would have to make that changes. >>> >>> We usually patch the SunPKCS11 provider to add support for the >>> RSASSA-PSS signature algorithm. >>> >>> What stacktrace do you get from the SOD verification error, maybe >>> that could tell something about the reason? >>> >>> >>> Best regards, >>> Markus >>> >>> PrimeKey Solutions offers a commercial EJBCA & SignServer support >>> subscription and training. Please see www.primekey.se >>> <http://www.primekey.se> or contact in...@pr... >>> <mailto:in...@pr...> for more information. >>> http://www.primekey.se/Services/Support/ >>> http://www.primekey.se/Services/Training/ >>> >>> >>> On 2013-06-13 16:48, Goran Šurina wrote: >>> >>> SignServer 3.3.0 >>> >>> I tryed to use IAIK pkcs11 provider becouse SUNPKCS11 does not >>> support SHA256WithRSAAndMGF1. I am testing the SOD signature with >>> SHA256WithRSAAndMGF1. >>> >>> >>> >>> Conclusion: >>> >>> Signing and verification with standard SHA256WithRSA and >>> SHA256WithRSAAndMGF1 using IAIK does not work until I make some >>> changes in source kod (). >>> The change I make to get IAIK to work are: >>> In class PKCS11CAToken.java we have put setJCAProvider(provider); >>> line 92, before >>> if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11") >>> ); line 87. >>> After that change in the source code, we have succesfully activate >>> ca token with IAIK. >>> >>> >>> >>> But after I get : >>> >>> SignServerException calling signer with id 1 : SOD verification >>> failure. >>> When disabling Verifcation method in source code, we have tested the >>> SOD object with external application and get SOD verification error. >>> Error occured on 2 different HSM devices(Luna SA, nCipher). >>> >>> Lp, >>> >>> >>> >>> *Goran Šurina* >>> >>> Tel: + 385 1 3657 735 >>> >>> Mob: + 385 99 257 1259 >>> >>> E-mail: _go...@ak... <mailto:gor...@ak...>_ >>> >>> >>> >>> cid:image004.jpg@01CB97DF.80F59370 >>> Savska cesta 31, 10 000 Zagreb, Croatia >>> >>> Web: www.akd.hr <http://www.akd.hr/> >>> >>> >>> >>> >>> --------------------------------------------------------------------- >>> --- >>> >>> Ova poruka elektronicke poste i njezini privici namijenjeni su >>> iskljucivo primatelju i sadrze informacije povjerljive prirode. U >>> slucaju da ste je primili pogreskom, molimo Vas da ne otvarate >>> privitke, ne kopirate poruku i ne otkrivate njezin sadrzaj drugim >>> osobama. Izbrisite je iz svojega racunalnog sustava te obavijestite >>> posiljatelja da ste to ucinili. Sve informacije unutar ove poruke, >>> misljenja i zakljucci koji se ne odnose na posao posiljateljeva >>> poslodavca tretiraju se kao osobni stavovi, a ne stavovi poslodavca. >>> >>> >>> --------------------------------------------------------------------- >>> --- >>> >>> This e-mail is intended solely for the addressee(s) and may contain >>> privileged and/or confidential information. If you have received >>> this e-mail in error or are not the intended recipient you may not >>> open it, read it (or its attachment(s)), copy it and disseminate or >>> distribute it to others. Please delete it immediately from your >>> system and notify the sender promptly by e-mail that you have done >>> so. All information within this e-mail, opinions and conclusions >>> that do not refer to the business matter of the sender’s employer >>> shall be treated as sender’s personal views, and not as the >>> employer’s policy. >>> >>> >>> >>> >>> --------------------------------------------------------------------- >>> --------- >>> >>> This SF.net email is sponsored by Windows: >>> >>> >>> >>> Build for Windows Store. >>> >>> >>> >>> http://p.sf.net/sfu/windows-dev2dev >>> >>> >>> >>> >>> _______________________________________________ >>> >>> SignServer-develop mailing list >>> >>> Sig...@li... >>> <mailto:Sig...@li...> >>> >>> https://lists.sourceforge.net/lists/listinfo/signserver-develop >>> >>> >>> >>> >>> -- >>> >>> >>> >>> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se <http://www.primekey.se> or contact in...@pr... <mailto:in...@pr...> for more information. >>> >>> http://www.primekey.se/Services/Support/ >>> >>> http://www.primekey.se/Services/Training/ >>> >>> --------------------------------------------------------------------- >>> --- Ova poruka elektronicke poste i njezini privici namijenjeni su >>> iskljucivo primatelju i sadrze informacije povjerljive prirode. U >>> slucaju da ste je primili pogreskom, molimo Vas da ne otvarate >>> privitke, ne kopirate poruku i ne otkrivate njezin sadrzaj drugim osobama. >>> Izbrisite je iz svojega racunalnog sustava te obavijestite >>> posiljatelja da ste to ucinili. Sve informacije unutar ove poruke, >>> misljenja i zakljucci koji se ne odnose na posao posiljateljeva >>> poslodavca tretiraju se kao osobni stavovi, a ne stavovi poslodavca. >>> --------------------------------------------------------------------- >>> --- This e-mail is intended solely for the addressee(s) and may >>> contain privileged and/or confidential information. If you have >>> received this e-mail in error or are not the intended recipient you >>> may not open it, read it (or its attachment(s)), copy it and >>> disseminate or distribute it to others. Please delete it immediately >>> from your system and notify the sender promptly by e-mail that you >>> have done so. All information within this e-mail, opinions and >>> conclusions that do not refer to the business matter of the sender’s >>> employer shall be treated as sender’s personal views, and not as the >>> employer’s policy. >>> >>> >>> --------------------------------------------------------------------- >>> --------- This SF.net email is sponsored by Windows: >>> >>> Build for Windows Store. >>> >>> http://p.sf.net/sfu/windows-dev2dev >>> >>> >>> >>> _______________________________________________ >>> SignServer-develop mailing list >>> Sig...@li... >>> https://lists.sourceforge.net/lists/listinfo/signserver-develop >>> >> >> >> > > > > -- > Kind regards, > Markus Kilås > PKI Specialist > > PrimeKey Solutions AB > > Anderstorpsv. 16 > 171 54 Solna > Sweden > > Phone: +46 70 424 94 85 > Skype: markusatskype > Email: mar...@pr... > > www.primekey.se > > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > ________________________________ > Ova poruka elektronicke poste i njezini privici namijenjeni su iskljucivo primatelju i sadrze informacije povjerljive prirode. U slucaju da ste je primili pogreskom, molimo Vas da ne otvarate privitke, ne kopirate poruku i ne otkrivate njezin sadrzaj drugim osobama. Izbrisite je iz svojega racunalnog sustava te obavijestite posiljatelja da ste to ucinili. Sve informacije unutar ove poruke, misljenja i zakljucci koji se ne odnose na posao posiljateljeva poslodavca tretiraju se kao osobni stavovi, a ne stavovi poslodavca. > ________________________________ > This e-mail is intended solely for the addressee(s) and may contain privileged and/or confidential information. If you have received this e-mail in error or are not the intended recipient you may not open it, read it (or its attachment(s)), copy it and disseminate or distribute it to others. Please delete it immediately from your system and notify the sender promptly by e-mail that you have done so. All information within this e-mail, opinions and conclusions that do not refer to the business matter of the sender’s employer shall be treated as sender’s personal views, and not as the employer’s policy. > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Anderstorpsv. 16 171 54 Solna Sweden Phone: +46 70 424 94 85 Skype: markusatskype Email: mar...@pr... www.primekey.se |
