Comments (13)
May I request that this issue be raised above Medium. This is the most
important issue for us at the moment.
Original comment by [email protected]
on 14 Nov 2011 at 8:01
I have attached a sample application that reproduces this problem. If you call
the batch file doit.cmd without an argument, it will run the class without a
provider and the signature will be created correctly. If you run the batch file
with an argument like this: doit.cmd BC, it will create the KeyStores and
CertStores with that JCE provider and the signature will fail. You will need to
download the BouncyCastle jar from
http://www.bouncycastle.org/latest_releases.html
Original comment by [email protected]
on 6 Dec 2011 at 5:02
When running your app with the BC provider I'm getting an InvalidKeyException
(illegal key size). Here's the stack trace:
Exception in thread "main" java.io.IOException: exception unwrapping private
key - java.security.InvalidKeyException: Illegal key size
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.unwrapKey(Unknown Source)
at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1185)
at Issue16.main(Issue16.java:55)
Do you have any quick hint on this? Some problem with the .p12 keystore? I'll
look into it later, and possibly create a test for this scenario (using the BC
provider).
Original comment by luis.fgoncalv
on 7 Feb 2012 at 10:05
Did you install the Unlimited Strength Jurisdiction Policy Files?
Original comment by [email protected]
on 8 Feb 2012 at 9:28
I hadn't installed the files, thanks! It now behaves as you described.
Original comment by luis.fgoncalv
on 8 Feb 2012 at 11:03
- Changed state: Started
I made some tests and couldn't figure out the requirements in terms of
providers yet. I tried different combinations of providers (on the different
JCE components in use) and the problem only seems to come up when the provider
of the CertificateFactory (for the CRLs) is BC and the cert path builder is
SUN's. If BC's cert path builder is used, the problem never comes up, even if
everything else is using SUN's provider. I can't really tell whether it's
working because of the BC provider... I need to go further on the cert path
building steps.
You mentioned Signature.getInstance(alg, null)... you're referring to somewhere
in the PKIXCertPathBuilder code?
Original comment by luis.fgoncalv
on 12 Feb 2012 at 9:12
You can put a breakpoint on Signature.getInstance to see where it is being
called. My guess is it will be called by the CertPathBuilder when verifying the
Issuer signature in a certificate.
Have you tried hard-coding the Signature provider in the PKIX parameters just
to see if that makes it work with the SUN CertPathBuilder?
This bug is not asking you to debug why the Sun cert path builder is not
working with BC. I believe all you have to do is expose a parameter for the
Signature provider. You should also show how users could choose the
CertPathBuilder provider. This way a user could choose to use BC everywhere and
have a consistent environment.
Original comment by [email protected]
on 15 Feb 2012 at 4:11
I was looking into provider combinations to try to figure out if I could use
some of the supplied providers (e.g. from the trust anchors key store) to get
the CertPathBuilder. But the best solution probably is to just allow the
provider configuration, as you suggested.
Original comment by luis.fgoncalv
on 16 Feb 2012 at 9:49
You mentioned the CertPathBuilder provider... do you suggest adding another
parameter for this?
I'm starting to wonder if a more centralized way to define providers would be
useful, also considering issue 19. Maybe something per engine class. But it
seems overkill and might not be easy to make that config available on xades4j
providers such as PKIXCertificateValidationProvider.
Original comment by luis.fgoncalv
on 24 Feb 2012 at 8:33
Just for reference, the problem seems to be that SUN's X509CRL implementation
checks for null provider argument on verify(PublicKey k, String sigProvider)
and calls the appropriate Signature.getInstance overload, while BC's doesn't.
Original comment by luis.fgoncalv
on 25 Feb 2012 at 11:27
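The null-provider behaviour described in the comment above, as an added Java example that is not part of xades4j, BouncyCastle or this thread. The helper names getSignature, certPathBuilder and signAndVerify are my own, and the payload is constructed. The getSignature helper does what the comment says the SUN X509CRL implementation does (dispatch on a null provider to the single-argument overload); the same null-safe selection is applied to the CertPathBuilder so that one provider name, as suggested earlier in the thread, yields a consistent environment across engine classes.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.cert.CertPathBuilder;

public class ProviderAwareSignature {

    // Null-safe selection of a Signature engine (hypothetical helper).
    // Signature.getInstance(String, String) rejects a null or empty provider
    // name with IllegalArgumentException("missing provider"), so a null
    // provider must route to the single-argument overload, which consults
    // every registered provider in preference order.
    static Signature getSignature(String algorithm, String provider)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        if (provider == null || provider.isEmpty()) {
            return Signature.getInstance(algorithm);
        }
        return Signature.getInstance(algorithm, provider);
    }

    // Same rule for the cert path builder, so that signature verification and
    // path building can be pinned to one provider (e.g. "BC") or left to the
    // default lookup when no provider is configured.
    static CertPathBuilder certPathBuilder(String provider)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        if (provider == null || provider.isEmpty()) {
            return CertPathBuilder.getInstance("PKIX");
        }
        return CertPathBuilder.getInstance("PKIX", provider);
    }

    // Signs and verifies with the selected provider; returns the verification result.
    static boolean signAndVerify(KeyPair kp, byte[] data, String provider) throws Exception {
        Signature signer = getSignature("SHA256withRSA", provider);
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();

        Signature verifier = getSignature("SHA256withRSA", provider);
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Provider name from the command line, e.g. "SunRsaSign"; "BC" works once
        // BouncyCastleProvider has been registered with Security.addProvider.
        // No argument means "no provider configured".
        String provider = args.length > 0 ? args[0] : null;

        // Constructed sample input: a fresh RSA key pair and a fixed payload.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        System.out.println("provider=" + provider
                + " verify=" + signAndVerify(kp, data, provider)
                + " pathBuilder=" + certPathBuilder(provider).getProvider().getName());

        // The defect discussed above, reproduced directly: calling the two-argument
        // overload with a null provider fails before any key or CRL is touched.
        try {
            Signature.getInstance("SHA256withRSA", (String) null);
        } catch (IllegalArgumentException e) {
            System.out.println("two-arg overload with null provider: " + e.getMessage());
        }
    }
}
```

Run it with no argument to see the default lookup succeed, then with a provider name to pin every engine to that provider. The companion hook for path validation is PKIXParameters.setSigProvider(String), which is where a configured signature provider would be passed to the CertPathBuilder; with a null value the SUN builder falls back to the default lookup, which is the behaviour the comment contrasts with BC's X509CRL.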
On Feb 29 2012, I sent an email on the BouncyCastle mailing list to report the
bug in X509CRLObject.verify() when it calls
Signature.getInstance(String,String) with null in the second argument. It
should improve things if they fix their bug, though it is still important to
allow the configuration of the JCE provider in XAdES4J.
Original comment by [email protected]
on 29 Feb 2012 at 9:45
I agree. The XAdES4j providers that use JCE have been updated to include
constructor arguments to specify the JCE provider. Maybe in the future a wider
configuration of JCE providers could be considered.
Original comment by luis.fgoncalv
on 29 Feb 2012 at 10:46
- Changed state: Fixed