From: Antoine L. <ant...@yo...> - 2013-08-06 12:56:47
|
Thanks for your quick answer ! I'll try that !

Have a nice day !

Antoine

On Tue, 6 Aug 2013 12:27:01 +0200, Valentin Peltier <val...@ar...> wrote:
> You just need to add TSA_URL = "http://timestampautority_url"
> without TSA_USERNAME/PASSWORD.
>
> I don't know what is for TSA_USERNAME/PASSWORD, probably when you
> need authentication from the TSA using username/password.
> But you don't need it when using free TSA like
> http://timestamping.edelweb.fr/ or using your own signserver's TSA
> like http://localhost:8080/signserver/tsa?workerName=TimeStampServer
>
> 2013/8/6 Antoine Louiset
>> Hi,
>>
>> Thanks a lot for your answer !
>> Should we use TSA_URL (with TSA_USERNAME & TSA_PASSWORD) to call a
>> local timestamp signer ?
>>
>> Have a nice day !
>>
>> On Mon, 5 Aug 2013 09:30:51 +0200, Valentin Peltier wrote:
>>> Hi,
>>>
>>> You can timestamp pdf with your local machine, but you need a
>>> timestamp certificate that you can make with Openssl. Don't forget
>>> to add only the timestamp usage for key extension.
>>>
>>> Here, free timestamp authorities:
>>> http://timestamping.edelweb.fr/
>>> http://tsa.safecreative.org/
>>>
>>> Regards,
>>>
>>> 2013/8/2 Antoine Louiset
>>>> Hi everyone,
>>>>
>>>> Is it possible to use a local timestamp signer with a pdf signer
>>>> (instead of remote) ?
>>>>
>>>> If not, do you know free (or cheap) timestamp authorities ?
>>>>
>>>> Thanks !
>>>>
>>>> --
>>>> Antoine Louiset
>>
>> --
>> Antoine Louiset

--
Antoine Louiset
|
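The advice quoted in the thread above (make the timestamp certificate with OpenSSL and give it only the timestamp usage) can be tried and checked offline as follows; this is an added example, not part of the original messages and not SignServer's own tooling. RFC 3161 requires the TSA certificate's extended key usage to be marked critical and to list timeStamping alone, which is what the check enforces. The subject name, file names and the helper functions `make_cert` and `tsa_eku_ok` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: every name and path below is constructed for illustration.

# make_cert PREFIX EKU
# Writes PREFIX.key and a self-signed PREFIX.crt whose extendedKeyUsage
# extension is set to EKU (an OpenSSL configuration value).
make_cert() {
    prefix=$1
    eku=$2
    cat > "$prefix.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = tsa_ext

[ dn ]
CN = Example Local TSA

[ tsa_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$prefix.cnf" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# tsa_eku_ok CERT
# Returns 0 only if CERT carries an extended key usage extension that is
# critical and contains the single purpose "Time Stamping".
# Returns 1 if the extension is missing, non-critical or lists other
# purposes, and 2 if the certificate cannot be read.
tsa_eku_ok() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    header=$(printf '%s\n' "$text" | grep 'X509v3 Extended Key Usage') || return 1
    case $header in
        *critical*) ;;
        *) return 1 ;;
    esac
    # The purposes are printed on the line after the extension header.
    purposes=$(printf '%s\n' "$text" | awk '
        /X509v3 Extended Key Usage/ { getline; gsub(/^ +| +$/, ""); print; exit }')
    [ "$purposes" = "Time Stamping" ]
}

# Demo: run as "sh tsa_cert.sh demo".
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_cert "$dir/tsa" "critical, timeStamping"
    make_cert "$dir/mixed" "critical, serverAuth, timeStamping"
    make_cert "$dir/noncrit" "timeStamping"
    for c in tsa mixed noncrit; do
        if tsa_eku_ok "$dir/$c.crt"; then
            echo "$c: usable as a TSA certificate"
        else
            echo "$c: rejected"
        fi
    done
    rm -rf "$dir"
fi
```

A self-signed certificate is enough for a local test; verifiers of the resulting timestamps must then be configured to trust that certificate explicitly.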
From: Antoine L. <ant...@yo...> - 2013-08-02 17:42:05
|
Hi everyone,

Is it possible to use a local timestamp signer with a pdf signer (instead of remote) ?

If not, do you know free (or cheap) timestamp authorities ?

Thanks !

--
Antoine Louiset
|
From: Marcus L. <mar...@pr...> - 2013-07-31 11:57:39
|
On Wed 2013-07-31 at 12:36 +0200, Valentin Peltier wrote:
> Hi,
Hi Valentine!
>
> Detail of the request:
> bin/client.sh timestamp -instr mystring -outrep response.tsr -url
> http://localhost:8080/signserver/tsa?workerId=1
> -keystore /tmp/client.jks -keystorepwd "my_pass" -keyalias "my_alias"
>
You would need to use client-authenticated HTTPS for the request.
Something like:
-url https://localhost:8443/signserver/tsa?workerId=1 -keystore ...
Regards,
Marcus Lundblad
>
> Detail of the error message:
> Exception in thread "main"
> org.signserver.cli.spi.UnexpectedCommandFailureException:
> java.io.IOException: Server returned HTTP response code: 400 for URL:
> http://localhost:8080/signserver/tsa?workerId=1
> at
> org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:320)
> at
> org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
> at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
> Caused by: java.io.IOException: Server returned HTTP response code:
> 400 for URL: http://localhost:8080/signserver/tsa?workerId=1
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
> at
> org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:586)
> at
> org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:334)
> at
> org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:312)
> ... 2 more
>
>
> Detail of the server.log:
> [#|2013-07-31T12:12:19.463+0200|INFO|sun-appserver2.1|
> javax.enterprise.system.stream.out|
> _ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;|INFO
> [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID:
> db8d7ba8-f6f9-4f66-bf93-bea140d0f8d3; CLIENT_IP: 127.0.0.1;
> REQUEST_FULLURL: http://localhost:8080/signserver/tsa?workerId=1;
> RequestTime: 1375265539461; ResponseTime: 1; TimeStamp: ${TSA_TIME};
> PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO};
> SerialNumber: ${TSA_SERIALNUMBER}; TSA_POLICYID: ${TSA_POLICYID};
> SIGNER_CERT_SERIALNUMBER: ${SIGNER_CERT_SERIALNUMBER};
> SIGNER_CERT_ISSUERDN: ${SIGNER_CERT_ISSUERDN};
> TIMESTAMPREQUEST_ENCODED: ${TSA_TIMESTAMPREQUEST_ENCODED};
> TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED};
> ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION:
> ${TSA_EXCEPTION}; EXCEPTION: Error, client authentication is required.
>
>
>
> However when I configure the worker with AUTH = NOAUTH, the request is
> successful.
>
>
> Can somebody help me !?
>
>
>
> Regard,
>
>
> Valentin.
>
>
>
>
>
> --
> Valentin PELTIER
> Intern
>
> val...@ar...
>
>
> AriadNEXT
>
> 80 av. des Buttes de Coësmes
>
> 35700 RENNES - FRANCE
>
>
>
>
>
|
|
From: Valentin P. <val...@ar...> - 2013-07-31 11:35:32
|
Hi,

I have some problems with the web service (bin/client.sh request), using
client certificate authentication.

My worker is set with AUTH = CLIENTCERT (it's a TIMESTAMP worker).
I have added an authorized client for this worker using a certificate (we
call it client.crt).
The certificate client.crt is present in the application server's
truststore (I use GlassFish APPSRV).

But when I try to request the worker, it returns an error: "client
authentication"

Detail of the request:

bin/client.sh timestamp -instr mystring -outrep response.tsr -url http://localhost:8080/signserver/tsa?workerId=1 -keystore /tmp/client.jks -keystorepwd "my_pass" -keyalias "my_alias"

Detail of the error message:

Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/signserver/tsa?workerId=1
    at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:320)
    at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
    at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/signserver/tsa?workerId=1
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
    at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:586)
    at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:334)
    at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:312)
    ... 2 more

Detail of the server.log:

[#|2013-07-31T12:12:19.463+0200|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;|INFO
[IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID:
db8d7ba8-f6f9-4f66-bf93-bea140d0f8d3; CLIENT_IP: 127.0.0.1;
REQUEST_FULLURL: http://localhost:8080/signserver/tsa?workerId=1;
RequestTime: 1375265539461; ResponseTime: 1; TimeStamp: ${TSA_TIME};
PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO};
SerialNumber: ${TSA_SERIALNUMBER}; TSA_POLICYID: ${TSA_POLICYID};
SIGNER_CERT_SERIALNUMBER: ${SIGNER_CERT_SERIALNUMBER};
SIGNER_CERT_ISSUERDN: ${SIGNER_CERT_ISSUERDN}; TIMESTAMPREQUEST_ENCODED:
${TSA_TIMESTAMPREQUEST_ENCODED}; TSA_TIMESTAMPRESPONSE_ENCODED:
${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED:
${PURCHASED}; TSA_EXCEPTION: ${TSA_EXCEPTION}; EXCEPTION: Error, client
authentication is required.

However when I configure the worker with AUTH = NOAUTH, the request is
successful.

Can somebody help me !?

Regards,
Valentin.

--
Valentin PELTIER
Intern
val...@ar...
AriadNEXT
80 av. des Buttes de Coësmes
35700 RENNES - FRANCE
--
<http://www.ariadnext.com/solutions/securisation-des-documents/>
This message and any attachments are confidential and intended for the
named addressee(s) only. If you have received this message in error, please
notify immediately the sender, then delete the message. Any unauthorized
modification, edition, use or dissemination is prohibited. The sender shall
not be liable for this message if it has been modified, altered, falsified,
infected by a virus or even edited or disseminated without authorization.
|
|
From: Jesús A. <jes...@0z...> - 2013-07-15 17:14:12
|
Thanks Markus. I will take a look on the tests.

Best Regards,
Jesús Arnáiz.

On 15/07/2013 16:43, Markus Kilås wrote:
> Hi Jesús,
>
> SignServer does not currently contain any tool for verifying CMS signatures.
>
> However if you want some sample code for how it could be done have a
> look at the JUnit tests for the CMSSigner:
> http://fisheye.primekey.se/browse/SignServer/trunk/signserver/modules/SignServer-Test-System/test/org/signserver/module/cmssigner/CMSSignerTest.java?r=3522
>
> It should give you an idea about how it can be done.
>
>
> Best regards,
> Markus
>
> On 2013-07-14 02:25, Jesús Arnáiz wrote:
>> Hi again.
>>
>> Is there any way to validate a CMS signature (as one obtained with
>> CMSSigner) using the Java API (or, at least, the shell client)? I'm
>> trying to do it inside a Java Application but I don't know how.
>>
>> Any help would be appreciated again :)
>>
>> Thanks in advance.
|
From: Markus K. <ma...@pr...> - 2013-07-15 14:43:46
|
Hi Jesús,

SignServer does not currently contain any tool for verifying CMS signatures.

However if you want some sample code for how it could be done have a
look at the JUnit tests for the CMSSigner:
http://fisheye.primekey.se/browse/SignServer/trunk/signserver/modules/SignServer-Test-System/test/org/signserver/module/cmssigner/CMSSignerTest.java?r=3522

It should give you an idea about how it can be done.

Best regards,
Markus

On 2013-07-14 02:25, Jesús Arnáiz wrote:
> Hi again.
>
> Is there any way to validate a CMS signature (as one obtained with
> CMSSigner) using the Java API (or, at least, the shell client)? I'm
> trying to do it inside a Java Application but I don't know how.
>
> Any help would be appreciated again :)
>
> Thanks in advance.

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
From: Jesús A. <jes...@0z...> - 2013-07-14 00:25:52
|
Hi again.

Is there any way to validate a CMS signature (as one obtained with
CMSSigner) using the Java API (or, at least, the shell client)? I'm
trying to do it inside a Java Application but I don't know how.

Any help would be appreciated again :)

Thanks in advance.
|
From: Jesús A. <jes...@0z...> - 2013-07-12 12:47:58
|
That is; commenting the next line:
----
<property name="webServiceHost">${jboss.bind.address}</property>
----
on "jboss-beans.xml" fixed the problem.
I see some warnings when I run my application:
---
log4j:WARN No appenders could be found for logger
(org.ejbca.util.dn.DnComponents).
log4j:WARN Please initialize the log4j system properly.
---
But I think it is due because everything is logged using jboss log (and
for me is ok).
Regards.
On 12/07/2013 14:33, Markus Kilås wrote:
> Yes, sounds like the "web service problem in JBoss".
>
> Best regards,
> Markus
>
> On 2013-07-12 14:30, Jesús Arnáiz wrote:
>> Hi.
>>
>> I saw with a sniffer that I connect correctly to livecd (I have his IP
>> on my "hosts" file), and I receive the WSDL, but it has a 127.0.0.1 IP
>> on it, instead of "livecd" (or the IP of the network card), so I think
>> the problem is within the jboss configuration.
>>
>> I see some information on:
>> http://signserver.org/manual/installguide.html
>> ---
>> 6. Configure application server
>> ---
>>
>> I will test it and then tell you if that fix the problem.
>>
>> Thanks again.
>>
>>
>> On 11/07/2013 22:21, Markus Kilås wrote:
>>> Hi Jesús,
>>>
>>> The "connection refused" looks like the client application is not able
>>> to open a connection to the host livecd on port 8080.
>>>
>>> Please, make sure you can connect, from the same host as your client
>>> code is running, for instance using telnet:
>>> telnet livecd 8080
>>>
>>>
>>> Best regards,
>>> Markus
>>>
>>> On 2013-07-10 19:14, Jesús Arnáiz wrote:
>>>> Hi.
>>>>
>>>> I'm trying to use SignServer API, my code is:
>>>> ------------
>>>>
>>>> public static void sign(SignOptions options, InputStream input,
>>>> OutputStream output)
>>>> throws ConnectionProblemExeption {
>>>> try {
>>>> ISigningAndValidation signserver = new
>>>> SigningAndValidationWS(options.getHost(), options.getPort(),
>>>> options.getUseSSL());
>>>> GenericSignResponse signResponse =
>>>> signserver.sign(options.getSigner(), IOUtils.toByteArray(input));
>>>>
>>>> }
>>>> catch (Exception ex) {
>>>> throw new ConnectionProblemExeption(ex.getMessage());
>>>> }
>>>> }
>>>> ----------------
>>>> I set the options to be: "livecd" (host), 8080 (port), and false (useSSL).
>>>>
>>>> But I get:
>>>>
>>>> "HTTP transport error: java.net.ConnectException: Connection refused:
>>>> connect" exception due to the call to "signserver.sign".
>>>>
>>>> I'm able to sign using web JSP:
>>>>
>>>> http://livecd:8080/signserver/demo/genericsign.jsp
>>>>
>>>> using CMSSignerJ3 Signer and a string as Data.
>>>>
>>>> Why I'm getting "connection refused"?
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
|
|
From: Markus K. <ma...@pr...> - 2013-07-12 12:33:25
|
Yes, sounds like the "web service problem in JBoss".

Best regards,
Markus

On 2013-07-12 14:30, Jesús Arnáiz wrote:
> Hi.
>
> I saw with a sniffer that I connect correctly to livecd (I have his IP
> on my "hosts" file), and I receive the WSDL, but it has a 127.0.0.1 IP
> on it, instead of "livecd" (or the IP of the network card), so I think
> the problem is within the jboss configuration.
>
> I see some information on:
> http://signserver.org/manual/installguide.html
> ---
> 6. Configure application server
> ---
>
> I will test it and then tell you if that fix the problem.
>
> Thanks again.
>
>
> On 11/07/2013 22:21, Markus Kilås wrote:
>> Hi Jesús,
>>
>> The "connection refused" looks like the client application is not able
>> to open a connection to the host livecd on port 8080.
>>
>> Please, make sure you can connect, from the same host as your client
>> code is running, for instance using telnet:
>> telnet livecd 8080
>>
>>
>> Best regards,
>> Markus
>>
>> On 2013-07-10 19:14, Jesús Arnáiz wrote:
>>> Hi.
>>>
>>> I'm trying to use SignServer API, my code is:
>>> ------------
>>>
>>> public static void sign(SignOptions options, InputStream input,
>>>         OutputStream output)
>>>         throws ConnectionProblemExeption {
>>>     try {
>>>         ISigningAndValidation signserver = new SigningAndValidationWS(
>>>                 options.getHost(), options.getPort(), options.getUseSSL());
>>>         GenericSignResponse signResponse = signserver.sign(
>>>                 options.getSigner(), IOUtils.toByteArray(input));
>>>
>>>     }
>>>     catch (Exception ex) {
>>>         throw new ConnectionProblemExeption(ex.getMessage());
>>>     }
>>> }
>>> ----------------
>>> I set the options to be: "livecd" (host), 8080 (port), and false (useSSL).
>>>
>>> But I get:
>>>
>>> "HTTP transport error: java.net.ConnectException: Connection refused:
>>> connect" exception due to the call to "signserver.sign".
>>>
>>> I'm able to sign using web JSP:
>>>
>>> http://livecd:8080/signserver/demo/genericsign.jsp
>>>
>>> using CMSSignerJ3 Signer and a string as Data.
>>>
>>> Why I'm getting "connection refused"?
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks in advance.

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
From: Jesús A. <jes...@0z...> - 2013-07-12 12:30:40
|
Hi.

I saw with a sniffer that I connect correctly to livecd (I have his IP
on my "hosts" file), and I receive the WSDL, but it has a 127.0.0.1 IP
on it, instead of "livecd" (or the IP of the network card), so I think
the problem is within the jboss configuration.

I see some information on:
http://signserver.org/manual/installguide.html
---
6. Configure application server
---

I will test it and then tell you if that fix the problem.

Thanks again.

On 11/07/2013 22:21, Markus Kilås wrote:
> Hi Jesús,
>
> The "connection refused" looks like the client application is not able
> to open a connection to the host livecd on port 8080.
>
> Please, make sure you can connect, from the same host as your client
> code is running, for instance using telnet:
> telnet livecd 8080
>
>
> Best regards,
> Markus
>
> On 2013-07-10 19:14, Jesús Arnáiz wrote:
>> Hi.
>>
>> I'm trying to use SignServer API, my code is:
>> ------------
>>
>> public static void sign(SignOptions options, InputStream input,
>>         OutputStream output)
>>         throws ConnectionProblemExeption {
>>     try {
>>         ISigningAndValidation signserver = new SigningAndValidationWS(
>>                 options.getHost(), options.getPort(), options.getUseSSL());
>>         GenericSignResponse signResponse = signserver.sign(
>>                 options.getSigner(), IOUtils.toByteArray(input));
>>
>>     }
>>     catch (Exception ex) {
>>         throw new ConnectionProblemExeption(ex.getMessage());
>>     }
>> }
>> ----------------
>> I set the options to be: "livecd" (host), 8080 (port), and false (useSSL).
>>
>> But I get:
>>
>> "HTTP transport error: java.net.ConnectException: Connection refused:
>> connect" exception due to the call to "signserver.sign".
>>
>> I'm able to sign using web JSP:
>>
>> http://livecd:8080/signserver/demo/genericsign.jsp
>>
>> using CMSSignerJ3 Signer and a string as Data.
>>
>> Why I'm getting "connection refused"?
>>
>> Any help would be appreciated.
>>
>> Thanks in advance.
|
From: Markus K. <ma...@pr...> - 2013-07-11 20:21:34
|
Hi Jesús,
The "connection refused" looks like the client application is not able
to open a connection to the host livecd on port 8080.
Please, make sure you can connect, from the same host as your client
code is running, for instance using telnet:
telnet livecd 8080
Best regards,
Markus
On 2013-07-10 19:14, Jesús Arnáiz wrote:
> Hi.
>
> I'm trying to use SignServer API, my code is:
> ------------
>
> public static void sign(SignOptions options, InputStream input,
> OutputStream output)
> throws ConnectionProblemExeption {
> try {
> ISigningAndValidation signserver = new
> SigningAndValidationWS(options.getHost(), options.getPort(),
> options.getUseSSL());
> GenericSignResponse signResponse =
> signserver.sign(options.getSigner(), IOUtils.toByteArray(input));
>
> }
> catch (Exception ex) {
> throw new ConnectionProblemExeption(ex.getMessage());
> }
> }
> ----------------
> I set the options to be: "livecd" (host), 8080 (port), and false (useSSL).
>
> But I get:
>
> "HTTP transport error: java.net.ConnectException: Connection refused:
> connect" exception due to the call to "signserver.sign".
>
> I'm able to sign using web JSP:
>
> http://livecd:8080/signserver/demo/genericsign.jsp
>
> using CMSSignerJ3 Signer and a string as Data.
>
> Why I'm getting "connection refused"?
>
> Any help would be appreciated.
>
> Thanks in advance.
>
>
|
|
From: Jesús A. <jes...@0z...> - 2013-07-10 17:14:29
|
Hi.
I'm trying to use SignServer API, my code is:
------------
public static void sign(SignOptions options, InputStream input,
        OutputStream output)
        throws ConnectionProblemExeption {
    try {
        ISigningAndValidation signserver = new SigningAndValidationWS(
                options.getHost(), options.getPort(), options.getUseSSL());
        GenericSignResponse signResponse = signserver.sign(
                options.getSigner(), IOUtils.toByteArray(input));
    }
    catch (Exception ex) {
        throw new ConnectionProblemExeption(ex.getMessage());
    }
}
----------------
I set the options to be: "livecd" (host), 8080 (port), and false (useSSL).
But I get:
"HTTP transport error: java.net.ConnectException: Connection refused:
connect" exception due to the call to "signserver.sign".
I'm able to sign using web JSP:
http://livecd:8080/signserver/demo/genericsign.jsp
using CMSSignerJ3 Signer and a string as Data.
Why I'm getting "connection refused"?
Any help would be appreciated.
Thanks in advance.
|
|
From: Jesús A. <jes...@0z...> - 2013-07-08 17:05:35
|
OK, thanks Markus. I will do that.

On 08/07/2013 17:05, Markus Kilås wrote:
> Hi Jesús,
>
> The live CD only contains an old and limited version of SignServer where
> some files have been removed in order to fit it on one CD.
>
> You can download the complete SignServer at:
> http://sourceforge.net/projects/signserver/files/
>
> And then build SignServer locally to get all the required jars.
>
> Best regards,
> Markus
>
> On 2013-07-08 13:40, Jesús Arnáiz wrote:
>> Hi Markus.
>>
>> I'm using liveCD installed on a VM. On this path there is no such file,
>> but, I found that file on:
>>
>> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
>> .
>>
>> I try to unzip it in order to see if there is MANIFEST.MF, and I see it:
>>
>> root@livecd:~/jar# unzip SignServer-Client-SigningAndValidationAPI.jar
>> Archive: SignServer-Client-SigningAndValidationAPI.jar
>> creating: META-INF/
>> extracting: META-INF/MANIFEST.MF
>> creating: org/
>> creating: org/signserver/
>> creating: org/signserver/client/
>> creating: org/signserver/client/api/
>> extracting: org/signserver/client/api/ISignServerWorker.class
>> extracting: org/signserver/client/api/ISigningAndValidation.class
>> extracting: org/signserver/client/api/SigningAndValidationEJB.class
>> extracting: org/signserver/client/api/SigningAndValidationWS.class
>> extracting: org/signserver/client/api/SigningAndValidationWSBalanced$LogErrorCallback.class
>> extracting: org/signserver/client/api/SigningAndValidationWSBalanced.class
>> root@livecd:~/jar# cp SignServer-Client-SigningAndValidationAPI.jar ..
>> root@livecd:~/jar# cd ..
>> root@livecd:~# ls
>>
>> But I get the same error trying to run it on eclipse. I open the
>> MANIFEST, but I do not see information about other jars:
>>
>> ------------
>> root@livecd:~/jar/META-INF# cat MANIFEST.MF
>> Manifest-Version: 1.0
>> Ant-Version: Apache Ant 1.7.1
>> Created-By: 20.0-b12 (Sun Microsystems Inc.)
>>
>> root@livecd:~/jar/META-INF#
>> -------------
>>
>> On 08/07/2013 9:17, Markus Kilås wrote:
>>> Hi Jesús,
>>>
>>> It is better to use the jar
>>> /home/jboss/signserver-trunk/signserver/lib/SignServer-Client-SigningAndValidationAPI.jar
>>> as it includes a reference to all the JARs it depends on in its
>>> META-INF/manifest.mf file.
>>>
>>> That being said, I am not myself using Eclipse so I am not sure if just
>>> including that JAR instead will solve the problem. If not, you will
>>> have to also add all the jars listed in the manifest file.
>>>
>>> Best regards,
>>> Markus
>>>
>>> PrimeKey Solutions offers a commercial EJBCA & SignServer support
>>> subscription and training. Please see www.primekey.se or contact
>>> in...@pr... for more information.
>>> http://www.primekey.se/Services/Support/
>>> http://www.primekey.se/Services/Training/
>>>
>>> On 2013-07-07 01:47, Jesús Arnáiz wrote:
>>>> Hi.
>>>>
>>>> I'm trying to use the SigningAndValidation API. I create a Java Project
>>>> on eclipse and then in the "Libraries" tab of "Java Build Path" (Project
>>>> Properties) I add with "Add External JARs":
>>>>
>>>> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
>>>>
>>>> I try to create a simple program, but when I create a new object I get
>>>> an exception. Here is my code:
>>>>
>>>> ---
>>>> import org.signserver.client.api.ISigningAndValidation;
>>>> import org.signserver.client.api.SigningAndValidationWS;
>>>>
>>>> public class test {
>>>>
>>>>     public static void main(String[] args) {
>>>>         // TODO Auto-generated method stub
>>>>         try {
>>>>             ISigningAndValidation signserver =
>>>>                     new SigningAndValidationWS("localhost", 8442, true);
>>>>         } catch (Exception ex) {
>>>>             ex.printStackTrace();
>>>>         }
>>>>     }
>>>>
>>>> }
>>>> -----
>>>>
>>>> And the exception I get:
>>>> ---------
>>>> Caused by: java.lang.ClassNotFoundException: org.signserver.common.ProcessRequest
>>>> at java.net.URLClassLoader$1.run(Unknown Source)
>>>> at java.net.URLClassLoader$1.run(Unknown Source)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at java.net.URLClassLoader.findClass(Unknown Source)
>>>> at java.lang.ClassLoader.loadClass(Unknown Source)
>>>> at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
>>>> at java.lang.ClassLoader.loadClass(Unknown Source)
>>>> ... 1 more
>>>> ----------
>>>>
>>>> I try different methods to add the JAR but I get the same, any help?
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by Windows:
>>>>
>>>> Build for Windows Store.
>>>>
>>>> http://p.sf.net/sfu/windows-dev2dev
>>>> _______________________________________________
>>>> SignServer-develop mailing list
>>>> Sig...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
|
From: Markus K. <ma...@pr...> - 2013-07-08 15:05:28
|
Hi Jesús,

The live CD only contains an old and limited version of SignServer where
some files have been removed in order to fit it on one CD.

You can download the complete SignServer at:
http://sourceforge.net/projects/signserver/files/

And then build SignServer locally to get all the required jars.

Best regards,
Markus

On 2013-07-08 13:40, Jesús Arnáiz wrote:
> Hi Markus.
>
> I'm using liveCD installed on a VM. On this path there is no such file,
> but, I found that file on:
>
> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
> .
>
> I try to unzip it in order to see if there is MANIFEST.MF, and I see it:
>
> root@livecd:~/jar# unzip SignServer-Client-SigningAndValidationAPI.jar
> Archive: SignServer-Client-SigningAndValidationAPI.jar
> creating: META-INF/
> extracting: META-INF/MANIFEST.MF
> creating: org/
> creating: org/signserver/
> creating: org/signserver/client/
> creating: org/signserver/client/api/
> extracting: org/signserver/client/api/ISignServerWorker.class
> extracting: org/signserver/client/api/ISigningAndValidation.class
> extracting: org/signserver/client/api/SigningAndValidationEJB.class
> extracting: org/signserver/client/api/SigningAndValidationWS.class
> extracting: org/signserver/client/api/SigningAndValidationWSBalanced$LogErrorCallback.class
> extracting: org/signserver/client/api/SigningAndValidationWSBalanced.class
> root@livecd:~/jar# cp SignServer-Client-SigningAndValidationAPI.jar ..
> root@livecd:~/jar# cd ..
> root@livecd:~# ls
>
> But I get the same error trying to run it on eclipse. I open the
> MANIFEST, but I do not see information about other jars:
>
> ------------
> root@livecd:~/jar/META-INF# cat MANIFEST.MF
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.7.1
> Created-By: 20.0-b12 (Sun Microsystems Inc.)
>
> root@livecd:~/jar/META-INF#
> -------------
>
> On 08/07/2013 9:17, Markus Kilås wrote:
>> Hi Jesús,
>>
>> It is better to use the jar
>> /home/jboss/signserver-trunk/signserver/lib/SignServer-Client-SigningAndValidationAPI.jar
>> as it includes a reference to all the JARs it depends on in its
>> META-INF/manifest.mf file.
>>
>> That being said, I am not myself using Eclipse so I am not sure if just
>> including that JAR instead will solve the problem. If not, you will
>> have to also add all the jars listed in the manifest file.
>>
>> Best regards,
>> Markus
>>
>> PrimeKey Solutions offers a commercial EJBCA & SignServer support
>> subscription and training. Please see www.primekey.se or contact
>> in...@pr... for more information.
>> http://www.primekey.se/Services/Support/
>> http://www.primekey.se/Services/Training/
>>
>> On 2013-07-07 01:47, Jesús Arnáiz wrote:
>>> Hi.
>>>
>>> I'm trying to use the SigningAndValidation API. I create a Java Project
>>> on eclipse and then in the "Libraries" tab of "Java Build Path" (Project
>>> Properties) I add with "Add External JARs":
>>>
>>> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
>>>
>>> I try to create a simple program, but when I create a new object I get
>>> an exception. Here is my code:
>>>
>>> ---
>>> import org.signserver.client.api.ISigningAndValidation;
>>> import org.signserver.client.api.SigningAndValidationWS;
>>>
>>> public class test {
>>>
>>>     public static void main(String[] args) {
>>>         // TODO Auto-generated method stub
>>>         try {
>>>             ISigningAndValidation signserver =
>>>                     new SigningAndValidationWS("localhost", 8442, true);
>>>         } catch (Exception ex) {
>>>             ex.printStackTrace();
>>>         }
>>>     }
>>>
>>> }
>>> -----
>>>
>>> And the exception I get:
>>> ---------
>>> Caused by: java.lang.ClassNotFoundException: org.signserver.common.ProcessRequest
>>> at java.net.URLClassLoader$1.run(Unknown Source)
>>> at java.net.URLClassLoader$1.run(Unknown Source)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at java.net.URLClassLoader.findClass(Unknown Source)
>>> at java.lang.ClassLoader.loadClass(Unknown Source)
>>> at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
>>> at java.lang.ClassLoader.loadClass(Unknown Source)
>>> ... 1 more
>>> ----------
>>>
>>> I try different methods to add the JAR but I get the same, any help?
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li...
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...

www.primekey.se
|
|
From: Jesús A. <jes...@0z...> - 2013-07-08 11:40:45
|
Hi Markus.
I'm using liveCD installed on a VM. On this path there is no such file,
but, I found that file on:
/home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
.
I try to unzip it in order to see if there is MANIFEST.MF, and I see it:
root@livecd:~/jar# unzip SignServer-Client-SigningAndValidationAPI.jar
Archive: SignServer-Client-SigningAndValidationAPI.jar
creating: META-INF/
extracting: META-INF/MANIFEST.MF
creating: org/
creating: org/signserver/
creating: org/signserver/client/
creating: org/signserver/client/api/
extracting: org/signserver/client/api/ISignServerWorker.class
extracting: org/signserver/client/api/ISigningAndValidation.class
extracting: org/signserver/client/api/SigningAndValidationEJB.class
extracting: org/signserver/client/api/SigningAndValidationWS.class
extracting:
org/signserver/client/api/SigningAndValidationWSBalanced$LogErrorCallback.class
extracting: org/signserver/client/api/SigningAndValidationWSBalanced.class
root@livecd:~/jar# cp SignServer-Client-SigningAndValidationAPI.jar ..
root@livecd:~/jar# cd ..
root@livecd:~# ls
But I get the same error trying to run it on eclipse. I open the
MANIFEST, but I do not see information about other jars:
------------
root@livecd:~/jar/META-INF# cat MANIFEST.MF
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.1
Created-By: 20.0-b12 (Sun Microsystems Inc.)
root@livecd:~/jar/META-INF#
-------------
On 08/07/2013 9:17, Markus Kilås wrote:
> Hi Jesús,
>
> It is better to use the jar
> /home/jboss/signserver-trunk/signserver/lib/SignServer-Client-SigningAndValidationAPI.jar
> as it includes a reference to all the JARs it depends on in its
> META-INF/manifest.mf file.
>
> That being said, I am not myself using Eclipse so I am not sure if just
> including that JAR instead will solve the problem. If not, you will
> have to also add all the jars listed in the manifest file.
>
>
> Best regards,
> Markus
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> http://www.primekey.se/Services/Support/
> http://www.primekey.se/Services/Training/
>
>
>
> On 2013-07-07 01:47, Jesús Arnáiz wrote:
>> Hi.
>>
>> I'm trying to use the SigningAndValidation API. I create a Java Project
>> on eclipse and then in the "Libraries" tab of "Java Build Path" (Project
>> Properties) I add with "Add External JARs":
>>
>> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
>>
>> I try to create a simple program, but when I create a new object I get
>> an exception. Here is my code:
>>
>> ---
>> import org.signserver.client.api.ISigningAndValidation;
>> import org.signserver.client.api.SigningAndValidationWS;
>>
>> public class test {
>>
>> public static void main(String[] args) {
>> // TODO Auto-generated method stub
>> try {
>> ISigningAndValidation signserver = new
>> SigningAndValidationWS("localhost", 8442, true);
>>
>>
>> } catch (Exception ex) {
>> ex.printStackTrace();
>> }
>> }
>>
>> }
>> -----
>>
>> And the exception I get:
>> ---------
>> Caused by: java.lang.ClassNotFoundException:
>> org.signserver.common.ProcessRequest
>> at java.net.URLClassLoader$1.run(Unknown Source)
>> at java.net.URLClassLoader$1.run(Unknown Source)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at java.net.URLClassLoader.findClass(Unknown Source)
>> at java.lang.ClassLoader.loadClass(Unknown Source)
>> at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
>> at java.lang.ClassLoader.loadClass(Unknown Source)
>> ... 1 more
>> ----------
>>
>> I try different methods to add the JAR but I get the same, any help?
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>
>
>
|
|
From: Markus K. <ma...@pr...> - 2013-07-08 07:18:09
|
Hi Jesús,

It is better to use the jar
/home/jboss/signserver-trunk/signserver/lib/SignServer-Client-SigningAndValidationAPI.jar
as it includes a reference to all the JARs it depends on in its
META-INF/manifest.mf file.

That being said, I am not myself using Eclipse so I am not sure if just
including that JAR instead will solve the problem. If not, you will
have to also add all the jars listed in the manifest file.

Best regards,
Markus

PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see www.primekey.se or contact
in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 2013-07-07 01:47, Jesús Arnáiz wrote:
> Hi.
>
> I'm trying to use the SigningAndValidation API. I create a Java Project
> on eclipse and then in the "Libraries" tab of "Java Build Path" (Project
> Properties) I add with "Add External JARs":
>
> /home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
>
> I try to create a simple program, but when I create a new object I get
> an exception. Here is my code:
>
> ---
> import org.signserver.client.api.ISigningAndValidation;
> import org.signserver.client.api.SigningAndValidationWS;
>
> public class test {
>
>     public static void main(String[] args) {
>         // TODO Auto-generated method stub
>         try {
>             ISigningAndValidation signserver =
>                     new SigningAndValidationWS("localhost", 8442, true);
>         } catch (Exception ex) {
>             ex.printStackTrace();
>         }
>     }
>
> }
> -----
>
> And the exception I get:
> ---------
> Caused by: java.lang.ClassNotFoundException: org.signserver.common.ProcessRequest
> at java.net.URLClassLoader$1.run(Unknown Source)
> at java.net.URLClassLoader$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at java.net.URLClassLoader.findClass(Unknown Source)
> at java.lang.ClassLoader.loadClass(Unknown Source)
> at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
> at java.lang.ClassLoader.loadClass(Unknown Source)
> ... 1 more
> ----------
>
> I try different methods to add the JAR but I get the same, any help?
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...

www.primekey.se
|
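Added example, not part of the thread and not SignServer code: a Java check of the point in the message above, that a JAR whose manifest lists its dependencies in Class-Path brings them along, while one without that attribute leaves a class such as org.signserver.common.ProcessRequest unresolved. The class name ManifestClassPathCheck and the sample JAR names are made up, and the sample JARs are constructed with empty placeholder entries.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class ManifestClassPathCheck {

    /** JARs named in the manifest Class-Path, resolved relative to the JAR's own directory. */
    static List<File> classPathEntries(File jar) throws IOException {
        List<File> result = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            Manifest mf = jf.getManifest();
            String cp = (mf == null) ? null
                    : mf.getMainAttributes().getValue(Attributes.Name.CLASS_PATH);
            if (cp != null) {
                File base = jar.getAbsoluteFile().getParentFile();
                for (String rel : cp.trim().split("\\s+")) {
                    if (!rel.isEmpty()) {
                        result.add(new File(base, rel));
                    }
                }
            }
        }
        return result;
    }

    /** True if the JAR holds a .class entry for the given fully qualified class name. */
    static boolean containsClass(File jar, String className) throws IOException {
        try (JarFile jf = new JarFile(jar)) {
            return jf.getEntry(className.replace('.', '/') + ".class") != null;
        }
    }

    /** Names the JAR (the given one or a Class-Path dependency) that provides the class. */
    static String locate(File jar, String className) throws IOException {
        if (containsClass(jar, className)) {
            return jar.getName();
        }
        List<File> deps = classPathEntries(jar);
        if (deps.isEmpty()) {
            return "not found: manifest has no Class-Path entries";
        }
        for (File dep : deps) {
            if (!dep.isFile()) {
                System.out.println("  missing dependency: " + dep.getName());
            } else if (containsClass(dep, className)) {
                return dep.getName();
            }
        }
        return "not found in any Class-Path entry";
    }

    /** Writes a constructed JAR for the demo; classPath may be null. */
    static File writeJar(File dir, String name, String classPath, String... entries)
            throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        if (classPath != null) {
            mf.getMainAttributes().put(Attributes.Name.CLASS_PATH, classPath);
        }
        File jar = new File(dir, name);
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar), mf)) {
            for (String entry : entries) {
                out.putNextEntry(new JarEntry(entry));
                out.closeEntry();
            }
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        String wanted = "org.signserver.common.ProcessRequest"; // class from the stack trace
        if (args.length == 1) { // check a real JAR given on the command line
            System.out.println(locate(new File(args[0]), wanted));
            return;
        }
        // Constructed sample JARs with empty placeholder entries, not real SignServer files.
        File dir = Files.createTempDirectory("jarcheck").toFile();
        String apiClass = "org/signserver/client/api/SigningAndValidationWS.class";
        writeJar(dir, "common.jar", null, "org/signserver/common/ProcessRequest.class");
        File bare = writeJar(dir, "api-bare.jar", null, apiClass);
        File linked = writeJar(dir, "api-linked.jar", "absent.jar common.jar", apiClass);
        System.out.println("api-bare.jar   -> " + locate(bare, wanted));
        System.out.println("api-linked.jar -> " + locate(linked, wanted));
    }
}
```

Class-Path entries are treated here as plain relative file names; the JAR specification also allows URLs, which this check does not resolve.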
|
From: Jesús A. <jes...@0z...> - 2013-07-07 00:14:10
|
Hi.
I'm trying to use the SigningAndValidation API. I create a Java Project
on eclipse and then in the "Libraries" tab of "Java Build Path" (Project
Properties) I add with "Add External JARs":
/home/jboss/signserver-trunk/signserver/modules/SignServer-Client-SigningAndValidationAPI/dist/SignServer-Client-SigningAndValidationAPI.jar
I try to create a simple program, but when I create a new object I get
an exception. Here is my code:
---
import org.signserver.client.api.ISigningAndValidation;
import org.signserver.client.api.SigningAndValidationWS;

public class test {

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        try {
            ISigningAndValidation signserver =
                    new SigningAndValidationWS("localhost", 8442, true);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
-----
And the exception I get:
---------
Caused by: java.lang.ClassNotFoundException:
org.signserver.common.ProcessRequest
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 1 more
----------
I try different methods to add the JAR but I get the same, any help?
|
|
From: Goran Š. <gor...@ak...> - 2013-06-14 15:24:46
|
We will!

Best regards,
Goran

-----Original Message-----
From: Markus Kilås [mailto:ma...@pr...]
Sent: Friday, June 14, 2013 5:18 PM
To: Goran Šurina
Cc: sig...@li...
Subject: Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.

On 2013-06-14 16:57, Goran Šurina wrote:
> Hi Markus,
> Thanks, but we have successfully got SOD with RSA-PSS using IAIK.
> After we successfully loaded the IAIK provider, we have made changes in
> configuration when setting algorithmParameters. Instead of setting
> WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in the properties we have set WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSAandMGF1.
> Case sensitive issue on string.
>
> Reason for that is when we use
> WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in Source code class SODFile, lines 769/770
> digestEncryptionAlgorithmParams =
> algorithmParameters.get(digestEncryptionAlgorithm);
>
> we didn't get the right parameters for the signature. But when you use SHA256withRSAandMGF1 the signature is valid.
> My colleague found this. I can ask him to get precise instructions on what line he found this issue.

Ok Great and thanks for the report. I have created
https://jira.primekey.se/browse/DSS-643 for the issue. If you or your
colleague could add some more details to the report if you have it would be great.

>
> Can you please tell me is it possible to get patch the SunPKCS11 provider with support for the RSASSA-PSS signature algorithm somewhere?
> If we could we would use it with SignServer instead of IAIK?

I will ask someone about the status and location of the patches.

Best regards,
Markus

> Regards,
> Goran
>
>
> -----Original Message-----
> From: Markus Kilås [mailto:ma...@pr...]
> Sent: Friday, June 14, 2013 4:31 PM
> To: sig...@li...
> Subject: Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>
> Maybe you could test signing and verification with a minimal
> application to see that the provider is working. Something like this
> (note: needs some modifications):
>
> ---
> Security.addProvider(new BouncyCastleProvider());
> Provider provider = ...; // IAIK provider
> KeyPair keyPair = ...; // Generate some keys
> byte[] input = ...; // some bytes
>
> Signature signature = Signature.getInstance("SHA256WithRSAandMGF1", provider);
> signature.initSign(keyPair.getPrivate());
> signature.update(input);
> byte[] signBV = signature.sign();
>
> Signature signature2 = Signature.getInstance("SHA256WithRSAandMGF1", "BC");
> signature2.initVerify(keyPair.getPublic());
> signature2.update(input);
> System.out.println("Result: " + signature2.verify(signBV));
> ---
>
> First test with "SHA256WithRSA".
>
> Best regards,
> Markus
>
>
> On 2013-06-14 16:19, Markus Kilås wrote:
>> Hi Goran,
>>
>> The "Signature not consistent" just means that the signature did not
>> match when trying to verify it using the public key from the certificate.
>>
>> Best regards,
>> Markus
>>
>> On 2013-06-14 16:11, Goran Šurina wrote:
>>> Hi Markus,
>>>
>>> Stack trace of Error:
>>>
>>> 013-06-13 00:43:37,162 ERROR [org.signserver.module.mrtdsodsigner.MRTDSODSigner] (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves.
>>> java.security.GeneralSecurityException: Signature not consistent
>>> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>> at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>>
>>> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean] (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 : SOD verification failure
>>> org.signserver.common.SignServerException: SignServerException calling signer with id 1 : SOD verification failure
>>> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:281)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>> at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
>>> at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
>>> at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
>>> at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
>>> at sun.reflect.GeneratedMethodAccessor275.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>
>>> Caused by: org.signserver.common.SignServerException: SOD verification failure
>>> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:247)
>>> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>> ... 76 more
>>> Caused by: java.security.GeneralSecurityException: Signature not consistent
>>> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>> ... 77 more
>>>
>>> Best Regards,
>>> Goran
>>>
>>> *From:*Markus Kilås [mailto:ejb...@pr...]
>>> *Sent:* Thursday, June 13, 2013 5:20 PM
>>> *To:* Goran Šurina
>>> *Cc:* sig...@li...
>>> *Subject:* Re: [SignServer-develop] using IAIK PKCS11 provider with SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>>>
>>> Hi Goran,
>>>
>>> (Repeating some of the answers for those not following DSS-642)
>>>
>>> Usage of other PKCS11 providers than the SunPKCS11 one is not
>>> supported in SignServer that was why you would have to make those changes.
>>>
>>> We usually patch the SunPKCS11 provider to add support for the
>>> RSASSA-PSS signature algorithm.
>>>
>>> What stacktrace do you get from the SOD verification error, maybe
>>> that could tell something about the reason?
>>>
>>> Best regards,
>>> Markus
>>>
>>> PrimeKey Solutions offers a commercial EJBCA & SignServer support
>>> subscription and training. Please see www.primekey.se
>>> <http://www.primekey.se> or contact in...@pr...
>>> <mailto:in...@pr...> for more information.
>>> http://www.primekey.se/Services/Support/
>>> http://www.primekey.se/Services/Training/
>>>
>>> On 2013-06-13 16:48, Goran Šurina wrote:
>>>
>>> SignServer 3.3.0
>>>
>>> I tried to use IAIK pkcs11 provider because SUNPKCS11 does not
>>> support SHA256WithRSAAndMGF1. I am testing the SOD signature with
>>> SHA256WithRSAAndMGF1.
>>>
>>> Conclusion:
>>>
>>> Signing and verification with standard SHA256WithRSA and
>>> SHA256WithRSAAndMGF1 using IAIK does not work until I make some
>>> changes in source code ().
>>> The change I make to get IAIK to work are:
>>> In class PKCS11CAToken.java we have put setJCAProvider(provider);
>>> line 92, before
>>> if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11")
>>> ); line 87.
>>> After that change in the source code, we have successfully activate
>>> ca token with IAIK.
>>>
>>> But after I get :
>>>
>>> SignServerException calling signer with id 1 : SOD verification
>>> failure.
>>> When disabling Verification method in source code, we have tested the
>>> SOD object with external application and get SOD verification error.
>>> Error occurred on 2 different HSM devices(Luna SA, nCipher).
>>>
>>> Regards,
>>>
>>> *Goran Šurina*
>>> Tel: + 385 1 3657 735
>>> Mob: + 385 99 257 1259
>>> E-mail: _go...@ak... <mailto:gor...@ak...>_
>>>
>>> Savska cesta 31, 10 000 Zagreb, Croatia
>>> Web: www.akd.hr <http://www.akd.hr/>
>>>
>>> -----------------------------------------------------------------------
>>> This e-mail is intended solely for the addressee(s) and may contain
>>> privileged and/or confidential information. If you have received
>>> this e-mail in error or are not the intended recipient you may not
>>> open it, read it (or its attachment(s)), copy it and disseminate or
>>> distribute it to others. Please delete it immediately from your
>>> system and notify the sender promptly by e-mail that you have done
>>> so. All information within this e-mail, opinions and conclusions
>>> that do not refer to the business matter of the sender’s employer
>>> shall be treated as sender’s personal views, and not as the
>>> employer’s policy.
>>> -----------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li... <mailto:Sig...@li...>
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>
>>> --
>>> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se <http://www.primekey.se> or contact in...@pr... <mailto:in...@pr...> for more information.
>>> http://www.primekey.se/Services/Support/
>>> http://www.primekey.se/Services/Training/
>
> --
> Kind regards,
> Markus Kilås
> PKI Specialist
>
> PrimeKey Solutions AB
>
> Anderstorpsv. 16
> 171 54 Solna
> Sweden
>
> Phone: +46 70 424 94 85
> Skype: markusatskype
> Email: mar...@pr...
>
> www.primekey.se

--
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Anderstorpsv. 16
171 54 Solna
Sweden

Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...

www.primekey.se
|
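Added example, not part of the thread and not SignServer code: a Java model of the algorithm-name case mismatch reported above, where a lookup keyed on SHA256withRSAandMGF1 misses SHA256WithRSAandMGF1 and the signature is then checked with the wrong PSS parameters. It assumes Java 11 or later and uses the JDK's own RSASSA-PSS implementation in place of the IAIK and Bouncy Castle providers; the lookup table, the fallback to default parameters and all class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;

public class PssAlgorithmNameLookup {

    // Parameters matching SHA256withRSAandMGF1: SHA-256 digest, MGF1 with SHA-256, 32-byte salt.
    static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
    // RFC 8017 defaults (SHA-1, MGF1 with SHA-1, 20-byte salt), which apply when no
    // parameters are recorded for the algorithm. Used here as the assumed fallback.
    static final PSSParameterSpec PSS_DEFAULTS =
            new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1);

    static byte[] sign(KeyPair keys, PSSParameterSpec spec, byte[] data)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(spec);
        s.initSign(keys.getPrivate());
        s.update(data);
        return s.sign();
    }

    static boolean verify(KeyPair keys, PSSParameterSpec spec, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(spec);
        s.initVerify(keys.getPublic());
        s.update(data);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {
            return false; // malformed for these parameters: count as a failed verification
        }
    }

    /** Exact-match lookup that silently falls back to defaults (hypothetical failure mode). */
    static PSSParameterSpec lenientLookup(Map<String, PSSParameterSpec> table, String name) {
        PSSParameterSpec spec = table.get(name);
        return spec != null ? spec : PSS_DEFAULTS;
    }

    /** Case-insensitive lookup that rejects unknown names instead of guessing. */
    static PSSParameterSpec strictLookup(Map<String, PSSParameterSpec> table, String name) {
        Map<String, PSSParameterSpec> byName = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        byName.putAll(table);
        PSSParameterSpec spec = byName.get(name);
        if (spec == null) {
            throw new IllegalArgumentException("No PSS parameters registered for " + name);
        }
        return spec;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair();
        byte[] data = "constructed sample data".getBytes(StandardCharsets.UTF_8);

        // Hypothetical parameter table keyed by the lower-case "with" spelling.
        Map<String, PSSParameterSpec> table = new HashMap<>();
        table.put("SHA256withRSAandMGF1", PSS_SHA256);

        byte[] sig = sign(keys, PSS_SHA256, data);
        String configured = "SHA256WithRSAandMGF1"; // capital W, as in the first property value

        PSSParameterSpec lenient = lenientLookup(table, configured);
        PSSParameterSpec strict = strictLookup(table, configured);
        System.out.println("exact-match lookup verifies:      "
                + verify(keys, lenient, data, sig));
        System.out.println("case-insensitive lookup verifies: "
                + verify(keys, strict, data, sig));
    }
}
```

Rejecting an unknown algorithm name, as strictLookup does, surfaces the configuration error at start-up instead of as a "Signature not consistent" failure at signing time.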
|
From: Markus K. <ma...@pr...> - 2013-06-14 15:18:12
|
On 2013-06-14 16:57, Goran Šurina wrote:
> Hi Markus,
> Thanks, but we have successfully got the SOD with RSA-PSS using IAIK.
> After we successfully loaded the IAIK provider, we made changes in the configuration when setting algorithmParameters. Instead of setting
> WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in the properties, we have set WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSAandMGF1.
> It is a case-sensitivity issue on the string.
>
> The reason is that when we use WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1, in
> the source code of class SODFile, lines 769/770:
> digestEncryptionAlgorithmParams =
> algorithmParameters.get(digestEncryptionAlgorithm);
>
> we didn't get the right parameters for the signature. But when you use SHA256withRSAandMGF1 the signature is valid.
> My colleague found this. I can ask him for precise instructions on which line he found this issue.
Ok Great and thanks for the report. I have created
https://jira.primekey.se/browse/DSS-643 for the issue. If you or your
colleague could add some more details to the report, if you have them, that would be great.
> Can you please tell me whether it is possible to get the patch for the SunPKCS11 provider with support for the RSASSA-PSS signature algorithm somewhere?
> If we could, we would use it with SignServer instead of IAIK.
I will ask someone about the status and location of the patches.
Best regards,
Markus
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se |
|
From: Goran Š. <gor...@ak...> - 2013-06-14 14:58:12
|
Hi Markus,
Thanks, but we have successfully got the SOD with RSA-PSS using IAIK.
After we successfully loaded the IAIK provider, we made changes in the configuration when setting algorithmParameters. Instead of setting
WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1 in the properties, we have set WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSAandMGF1.
It is a case-sensitivity issue on the string.
The reason is that when we use WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSAandMGF1, in
the source code of class SODFile, lines 769/770:
digestEncryptionAlgorithmParams =
algorithmParameters.get(digestEncryptionAlgorithm);
we didn't get the right parameters for the signature. But when you use SHA256withRSAandMGF1 the signature is valid.
My colleague found this. I can ask him for precise instructions on which line he found this issue.
Can you please tell me whether it is possible to get the patch for the SunPKCS11 provider with support for the RSASSA-PSS signature algorithm somewhere?
If we could, we would use it with SignServer instead of IAIK.
Regards,
Goran
|
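Added example (not part of the original posts, and not SignServer or SODFile code): a stand-alone Java program reproducing the failure Goran describes, where a case-sensitive lookup of the configured signature algorithm name misses the RSASSA-PSS parameters and the signature then fails verification against the expected ones. The parameter table, the fallback to the RFC 4055 default parameters on a miss, and all class and method names are assumptions for illustration; it uses the JDK's own "RSASSA-PSS" algorithm (Java 11 or later) instead of the IAIK or BouncyCastle providers.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;

public class PssParameterLookupDemo {

    // PSS parameters the verifier expects: SHA-256, MGF1 with SHA-256, 32-byte salt.
    static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    // RFC 4055 default PSS parameters (SHA-1, 20-byte salt).
    // ASSUMPTION: used here as what a signer falls back to when the lookup misses.
    static final PSSParameterSpec PSS_RFC4055_DEFAULT =
            new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1);

    // Hypothetical stand-in for the algorithmParameters table mentioned in the post:
    // parameters are registered under one exact spelling of the algorithm name.
    static Map<String, PSSParameterSpec> buildTable(boolean caseInsensitive) {
        Map<String, PSSParameterSpec> table;
        if (caseInsensitive) {
            table = new TreeMap<String, PSSParameterSpec>(String.CASE_INSENSITIVE_ORDER);
        } else {
            table = new HashMap<String, PSSParameterSpec>();
        }
        table.put("SHA256withRSAandMGF1", PSS_SHA256);
        return table;
    }

    // Resolve parameters for the configured name; a miss silently yields the defaults.
    static PSSParameterSpec resolve(Map<String, PSSParameterSpec> table, String configuredName) {
        PSSParameterSpec spec = table.get(configuredName);
        return spec != null ? spec : PSS_RFC4055_DEFAULT;
    }

    static byte[] sign(PrivateKey key, PSSParameterSpec spec, byte[] data)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance("RSASSA-PSS");
        signer.setParameter(spec);
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    static boolean verify(PublicKey key, PSSParameterSpec spec, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("RSASSA-PSS");
        verifier.setParameter(spec);
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(sig);
    }

    // Sign with whatever the table resolves for configuredName, then verify the
    // result against the SHA-256 parameters a relying party would expect.
    static boolean signAndSelfCheck(KeyPair keys, boolean caseInsensitiveTable,
                                    String configuredName, byte[] data)
            throws GeneralSecurityException {
        PSSParameterSpec used = resolve(buildTable(caseInsensitiveTable), configuredName);
        byte[] sig = sign(keys.getPrivate(), used, data);
        return verify(keys.getPublic(), PSS_SHA256, data, sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keys = generator.generateKeyPair();
        byte[] data = "constructed sample input".getBytes(StandardCharsets.UTF_8);

        // Spelling from the properties file in the post (capital W in "With").
        String configured = "SHA256WithRSAandMGF1";

        System.out.println("case-sensitive table,   configured=" + configured
                + " -> verifies: " + signAndSelfCheck(keys, false, configured, data));
        System.out.println("case-insensitive table, configured=" + configured
                + " -> verifies: " + signAndSelfCheck(keys, true, configured, data));
    }
}
```

Verifying the freshly produced signature against the expected parameters, as SignServer's self-check in the stack trace does, is what turns a silent parameter mismatch into a visible error at signing time.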
|
From: Markus K. <ma...@pr...> - 2013-06-14 14:31:21
|
Maybe you could test signing and verification with a minimal
application to see that the provider is working. Something like this
(note: needs some modifications):
---
Security.addProvider(new BouncyCastleProvider());
Provider provider = ...; // IAIK provider
KeyPair keyPair = ...; // Generate some keys
byte[] input = ...; // some bytes
// Sign with the provider under test
Signature signature = Signature.getInstance("SHA256WithRSAandMGF1",
provider);
signature.initSign(keyPair.getPrivate());
signature.update(input);
byte[] signBV = signature.sign();
// Verify with BouncyCastle ("BC") as an independent implementation
Signature signature2 = Signature.getInstance("SHA256WithRSAandMGF1", "BC");
signature2.initVerify(keyPair.getPublic());
signature2.update(input);
System.out.println("Result: " + signature2.verify(signBV));
---
First test with "SHA256WithRSA".
Best regards,
Markus
On 2013-06-14 16:19, Markus Kilås wrote:
> Hi Goran,
>
> The "Signature not consistent" just means that the signature did not
> match when trying to verify it using the public key from the certificate.
>
>
> Best regards,
> Markus
>
> On 2013-06-14 16:11, Goran Šurina wrote:
>> Hi Markus,
>>
>> Stack trace of Error:
>>
>>
>>
>> 013-06-13 00:43:37,162 ERROR [org.signserver.module.mrtdsodsigner.MRTDSODSigner] (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves.
>> java.security.GeneralSecurityException: Signature not consistent
>>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>
>> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean] (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 : SOD verification failure
>> org.signserver.common.SignServerException: SignServerException calling signer with id 1 : SOD verification failure
>>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:281)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>>     at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
>>     at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
>>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
>>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
>>     at sun.reflect.GeneratedMethodAccessor275.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>
>> Caused by: org.signserver.common.SignServerException: SOD verification failure
>>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:247)
>>     at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
>>     ... 76 more
>> Caused by: java.security.GeneralSecurityException: Signature not consistent
>>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
>>     at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
>>     ... 77 more
>>
>>
>>
>> Best Regards,
>>
>> Goran
>>
>>
>>
>> *From:*Markus Kilås [mailto:ejb...@pr...]
>> *Sent:* Thursday, June 13, 2013 5:20 PM
>> *To:* Goran Šurina
>> *Cc:* sig...@li...
>> *Subject:* Re: [SignServer-develop] using IAIK PKCS11 provider with
>> SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>>
>>
>>
>> Hi Goran,
>>
>> (Repeating some of the answers for those not following DSS-642)
>>
>> Usage of other PKCS11 providers than the SunPKCS11 one is not supported
>> in SignServer, that was why you would have to make those changes.
>>
>> We usually patch the SunPKCS11 provider to add support for the
>> RSASSA-PSS signature algorithm.
>>
>> What stacktrace do you get from the SOD verification error, maybe that
>> could tell something about the reason?
>>
>>
>> Best regards,
>> Markus
>>
>> PrimeKey Solutions offers a commercial EJBCA & SignServer support
>> subscription and training. Please see www.primekey.se
>> <http://www.primekey.se> or contact in...@pr...
>> <mailto:in...@pr...> for more information.
>> http://www.primekey.se/Services/Support/
>> http://www.primekey.se/Services/Training/
>>
>>
>> On 2013-06-13 16:48, Goran Šurina wrote:
>>
>> SignServer 3.3.0
>>
>> I tried to use IAIK pkcs11 provider because SUNPKCS11 does not
>> support SHA256WithRSAAndMGF1. I am testing the SOD signature with
>> SHA256WithRSAAndMGF1.
>>
>> Conclusion:
>>
>> Signing and verification with standard SHA256WithRSA and
>> SHA256WithRSAAndMGF1 using IAIK does not work until I make some
>> changes in source code ().
>> The changes I made to get IAIK to work are:
>> In class PKCS11CAToken.java we have put setJCAProvider(provider);
>> line 92, before
>> if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11")
>> ); line 87.
>> After that change in the source code, we have successfully activated
>> ca token with IAIK.
>>
>> But after I get :
>>
>> SignServerException calling signer with id 1 : SOD verification
>> failure.
>> When disabling Verification method in source code, we have tested the
>> SOD object with external application and get SOD verification error.
>> Error occurred on 2 different HSM devices(Luna SA, nCipher).
>>
>> Regards,
>>
>>
>>
>> *Goran Šurina*
>>
>> Tel: + 385 1 3657 735
>>
>> Mob: + 385 99 257 1259
>>
>> E-mail: _go...@ak... <mailto:gor...@ak...>_
>>
>>
>>
>> Savska cesta 31, 10 000 Zagreb, Croatia
>>
>> Web: www.akd.hr <http://www.akd.hr/>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> This e-mail is intended solely for the addressee(s) and may contain
>> privileged and/or confidential information. If you have received
>> this e-mail in error or are not the intended recipient you may not
>> open it, read it (or its attachment(s)), copy it and disseminate or
>> distribute it to others. Please delete it immediately from your
>> system and notify the sender promptly by e-mail that you have done
>> so. All information within this e-mail, opinions and conclusions
>> that do not refer to the business matter of the sender’s employer
>> shall be treated as sender’s personal views, and not as the
>> employer’s policy.
>>
>>
>>
>> _______________________________________________
>>
>> SignServer-develop mailing list
>>
>> Sig...@li... <mailto:Sig...@li...>
>>
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>>
>>
>>
>
>
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
|
From: Markus K. <ma...@pr...> - 2013-06-14 14:20:08
|
Hi Goran,

The "Signature not consistent" just means that the signature did not match when trying to verify it using the public key from the certificate.

Best regards,
Markus

On 2013-06-14 16:11, Goran Šurina wrote:
> Hi Markus,
>
> Stack trace of Error:
>
> 013-06-13 00:43:37,162 ERROR [org.signserver.module.mrtdsodsigner.MRTDSODSigner] (http-127.0.0.1-8080-2) Error verifying the SOD we signed ourselves.
> java.security.GeneralSecurityException: Signature not consistent
> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>
> 2013-06-13 00:43:37,177 ERROR [org.signserver.ejb.WorkerSessionBean] (http-127.0.0.1-8080-2) SignServerException calling signer with id 1 : SOD verification failure
> org.signserver.common.SignServerException: SignServerException calling signer with id 1 : SOD verification failure
> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:281)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
> at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
> at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
> at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
> at sun.reflect.GeneratedMethodAccessor275.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>
> Caused by: org.signserver.common.SignServerException: SOD verification failure
> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:247)
> at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:277)
> ... 76 more
> Caused by: java.security.GeneralSecurityException: Signature not consistent
> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.verifySignatureAndChain(MRTDSODSigner.java:318)
> at org.signserver.module.mrtdsodsigner.MRTDSODSigner.processData(MRTDSODSigner.java:234)
> ... 77 more
>
> Best Regards,
>
> Goran
>
> *From:*Markus Kilås [mailto:ejb...@pr...]
> *Sent:* Thursday, June 13, 2013 5:20 PM
> *To:* Goran Šurina
> *Cc:* sig...@li...
> *Subject:* Re: [SignServer-develop] using IAIK PKCS11 provider with
> SHA256WithRSAAndMGF1 alg. Faild to initialize PKCS11 provider.
>
> Hi Goran,
>
> (Repeating some of the answers for those not following DSS-642)
>
> Usage of other PKCS11 providers than the SunPKCS11 one is not supported
> in SignServer, that was why you would have to make those changes.
>
> We usually patch the SunPKCS11 provider to add support for the
> RSASSA-PSS signature algorithm.
>
> What stacktrace do you get from the SOD verification error, maybe that
> could tell something about the reason?
>
> Best regards,
> Markus
>
> On 2013-06-13 16:48, Goran Šurina wrote:
>
> SignServer 3.3.0
>
> I tried to use IAIK pkcs11 provider because SUNPKCS11 does not
> support SHA256WithRSAAndMGF1. I am testing the SOD signature with
> SHA256WithRSAAndMGF1.
>
> Conclusion:
>
> Signing and verification with standard SHA256WithRSA and
> SHA256WithRSAAndMGF1 using IAIK does not work until I make some
> changes in source code ().
> The changes I made to get IAIK to work are:
> In class PKCS11CAToken.java we have put setJCAProvider(provider);
> line 92, before
> if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11")
> ); line 87.
> After that change in the source code, we have successfully activated
> ca token with IAIK.
>
> But after I get :
>
> SignServerException calling signer with id 1 : SOD verification
> failure.
> When disabling Verification method in source code, we have tested the
> SOD object with external application and get SOD verification error.
> Error occurred on 2 different HSM devices(Luna SA, nCipher).
>
> Regards,
>
> *Goran Šurina*

--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
|
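The self-check behind "Signature not consistent", sketched outside SignServer as an added example (not SignServer code, and not from any poster in this thread): it signs with RSASSA-PSS and shows that verification against the public key fails when the padding scheme, the PSS parameters or the key differ from what the verifier expects. It assumes JDK 11 or later, whose built-in provider offers the algorithm name `RSASSA-PSS`, and a constructed software key instead of an HSM; the class and method names are made up for the example, and the thread does not establish which cause applied in the reported setup.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

/** Sign-then-verify self-check for RSASSA-PSS (SHA256withRSAandMGF1). Hypothetical class name. */
public class PssSelfCheck {

    // SHA-256 digest, MGF1 over SHA-256, 32-byte salt, trailer field 1.
    static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
    // Same hashes but a 20-byte salt: a parameter set the verifier below does not expect.
    static final PSSParameterSpec PSS_SALT20 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 20, 1);

    static byte[] signPss(PrivateKey key, byte[] data, PSSParameterSpec spec)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.initSign(key);
        s.setParameter(spec);
        s.update(data);
        return s.sign();
    }

    // PKCS#1 v1.5 padding, which is what "SHA256withRSA" produces.
    static byte[] signPkcs1(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Returns false for a mismatch and also when the provider rejects the signature outright.
    static boolean verifyPss(PublicKey key, byte[] data, byte[] sig, PSSParameterSpec spec) {
        try {
            Signature v = Signature.getInstance("RSASSA-PSS");
            v.initVerify(key);
            v.setParameter(spec);
            v.update(data);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed inputs: a throwaway software key and sample bytes standing in for the signed data.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PublicKey otherKey = kpg.generateKeyPair().getPublic();
        byte[] data = "constructed sample data".getBytes(StandardCharsets.UTF_8);

        byte[] pss = signPss(kp.getPrivate(), data, PSS_SHA256);
        byte[] pssSalt20 = signPss(kp.getPrivate(), data, PSS_SALT20);
        byte[] pkcs1 = signPkcs1(kp.getPrivate(), data);

        System.out.println("PSS signature, matching parameters:   "
                + verifyPss(kp.getPublic(), data, pss, PSS_SHA256));
        System.out.println("PKCS#1 v1.5 signature checked as PSS: "
                + verifyPss(kp.getPublic(), data, pkcs1, PSS_SHA256));
        System.out.println("PSS signature, different salt length: "
                + verifyPss(kp.getPublic(), data, pssSalt20, PSS_SHA256));
        System.out.println("PSS signature, different public key:  "
                + verifyPss(otherKey, data, pss, PSS_SHA256));
    }
}
```

To run the same check against an HSM-backed provider, pass the signature that provider returned and the public key from the signer certificate to `verifyPss`.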
From: Markus K. <ma...@pr...> - 2013-06-13 15:23:42
|
Hi Goran,

The DSS-343 issue added general support for using the algorithm in the MRTDSODSigner. For soft keystores using that algorithm works out of the box but if you are using a PKCS#11 HSM you will need to get the SunPKCS11 wrapper patched with support for it.

Best regards,
Markus

On 2013-06-13 17:11, Goran Šurina wrote:
>
> Question:
>
> Is it possible to use SHA256withRSAandMGF1 in MRTDSODSigner with
> SUNpkcs11 provider.
>
> I have found in release notes:
>
> SignServer 3.2.0, 2011-06-30 ** New Feature * [DSS-343] - Add
> support for SHA256withRSAandMGF1 in MRTDSODSigner
>
> Thanks,
>
> *Goran Šurina*

--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
|
From: Markus K. <ejb...@pr...> - 2013-06-13 15:20:25
|
Hi Goran,

(Repeating some of the answers for those not following DSS-642)

Usage of other PKCS11 providers than the SunPKCS11 one is not supported in SignServer, that was why you would have to make those changes.

We usually patch the SunPKCS11 provider to add support for the RSASSA-PSS signature algorithm.

What stacktrace do you get from the SOD verification error, maybe that could tell something about the reason?

Best regards,
Markus

PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 2013-06-13 16:48, Goran Šurina wrote:
>
> SignServer 3.3.0
>
> I tried to use IAIK pkcs11 provider because SUNPKCS11 does not support
> SHA256WithRSAAndMGF1. I am testing the SOD signature with
> SHA256WithRSAAndMGF1.
>
> Conclusion:
>
> Signing and verification with standard SHA256WithRSA and
> SHA256WithRSAAndMGF1 using IAIK does not work until I make some
> changes in source code ().
> The changes I made to get IAIK to work are:
> In class PKCS11CAToken.java we have put setJCAProvider(provider); line
> 92, before
> if(provider.getClass().getName().equals("iaik.pkcs.pkcs11.provider.IAIKPkcs11")
> ); line 87.
> After that change in the source code, we have successfully activated ca
> token with IAIK.
>
> But after I get :
>
> SignServerException calling signer with id 1 : SOD verification failure.
> When disabling Verification method in source code, we have tested the
> SOD object with external application and get SOD verification error.
> Error occurred on 2 different HSM devices(Luna SA, nCipher).
>
> Regards,
>
> *Goran Šurina*
|
|
From: Marcus L. <mar...@pr...> - 2013-06-11 13:15:54
|
The PrimeKey SignServer team is happy to announce that SignServer 3.4.1 has been released!

This is a maintenance release - in total 19 features, options, bugs and stabilizations have been fixed or added.

Development continues beyond this version and all requests from the community are scheduled for SignServer 3.4.2 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker. The most noteworthy changes can be seen below.

New features and improvements:
- Added support for IPv6 and multiple proxies in ListBasedAddressAuthorizer.
- Support for specifying the signature algorithm in CMS signer.
- Support for the signerCertificte attribute in the MS Authenticode time stamp signer.
- Support for generating CSR with EDSA explicit parameters in the admin GUI and the RenewalWorker.
- Log worker name in the worker log.
- Allow to import serial number and issuer DN from a certificate file when adding administrator rules in the admin GUI.
- Added an option to set the correct TSA name from the subject DN automatically for the time stamp signer.
- All workers report themselves as offline when misconfigured.
- Added health check rate limiter.
- Added database setup scripts for PostgreSQL.

Bug fixes:
- ContentInfo contained a double encoded octet string in the MS Authenticode time stamp signer.
- Unauthorized health check queries incorrectly logged.

Read the full changelog for details (https://jira.primekey.se/browse/DSS?report=com.atlassian.jira.plugin.system.project:changelog-panel#selectedTab=com.atlassian.jira.plugin.system.project%3Achangelog-panel).

Regards,
The PrimeKey SignServer team
|