Provider-independent crypto in Java? - java

I'm trying to write a program in Java that will digitally sign database entries prior to insertion. I would like the program to be algorithm-independent; ideally, the user would specify the JCE provider and algorithm as arguments at runtime.
Is there a way to do this? I've been testing with the BouncyCastle provider, and the code runs fine when I dynamically register it:
Security.addProvider(new BouncyCastleProvider());
However, when I try to statically register the provider by adding the following lines to the end of my security/java.policy file, I get the error java.security.NoSuchProviderException: no such provider: BC when I try to get an instance of a Security object using the provider.
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
Specifically, I added those lines to /etc/java-7-openjdk/security/java.policy (which is linked to $JAVA_HOME/jre/lib/security/java.policy). This is on Ubuntu 12.04. I also tried just adding the BouncyCastleProvider as the first entry and got the same error.
Am I configuring the static registration wrong or is what I am attempting impossible?

I think you are adding the static registration into the wrong file.
Use security.policy instead of java.policy within the same folder.
See: https://www.bouncycastle.org/wiki/display/JA1/Provider+Installation
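A worked version of the runtime-selectable design the question asks for, added here as an example; it is not code from the question, the answer or Bouncy Castle. It assumes a 2048-bit default key size, that the provider, key algorithm and signature algorithm arrive as command-line arguments, and that the Bouncy Castle jar is on the classpath only when the name BC is requested. For static registration the JVM reads the provider list from the java.security properties file (on JDK 7, $JAVA_HOME/jre/lib/security/java.security), one security.provider.N line per provider with consecutive N; the program below does not rely on that, because it registers Bouncy Castle itself if BC is requested but absent, and otherwise fails with the list of providers that were actually registered, which is the first thing to check when NoSuchProviderException appears.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/**
 * Signs a database row and verifies the signature with a provider and
 * algorithms chosen on the command line, for example:
 *   java ProviderIndependentSigner SunRsaSign RSA SHA256withRSA
 *   java ProviderIndependentSigner SunEC      EC  SHA256withECDSA 256
 *   java -cp .:bcprov-jdk15on.jar ProviderIndependentSigner BC RSA SHA256withRSA
 */
public class ProviderIndependentSigner {

    /** Looks the provider up by name; for "BC" falls back to loading Bouncy Castle reflectively. */
    static Provider requireProvider(String name) throws Exception {
        Provider p = Security.getProvider(name);
        if (p == null && "BC".equals(name)) {
            // Dynamic registration without a compile-time dependency on bcprov;
            // equivalent to Security.addProvider(new BouncyCastleProvider()).
            Class<?> bc = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) bc.getDeclaredConstructor().newInstance());
            p = Security.getProvider(name);
        }
        if (p == null) {
            // Same condition that yields NoSuchProviderException, but reported together
            // with what the JVM really registered from java.security.
            StringBuilder msg = new StringBuilder("no such provider: " + name + "; registered:");
            for (Provider q : Security.getProviders()) {
                msg.append(' ').append(q.getName());
            }
            throw new IllegalStateException(msg.toString());
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ProviderIndependentSigner <provider> <keyAlg> <sigAlg> [keySize]");
            System.exit(2);
        }
        Provider provider = requireProvider(args[0]);
        String keyAlg = args[1];
        String sigAlg = args[2];
        int keySize = args.length > 3 ? Integer.parseInt(args[3]) : 2048;  // assumed default

        // Every engine is requested from the chosen provider explicitly, so the provider
        // search order in java.security cannot silently substitute a different one.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlg, provider);
        kpg.initialize(keySize);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample row; a real program would sign a canonical serialisation of the entry.
        byte[] row = "INSERT INTO audit VALUES (42, 'example row')".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance(sigAlg, provider);
        signer.initSign(kp.getPrivate());
        signer.update(row);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg, provider);
        verifier.initVerify(kp.getPublic());
        verifier.update(row);
        boolean valid = verifier.verify(sig);

        System.out.printf("requested=%s serviced-by=%s key=%s/%d sig=%s bytes=%d valid=%b%n",
                provider.getName(), signer.getProvider().getName(), keyAlg, keySize,
                sigAlg, sig.length, valid);
    }
}
```

The serviced-by field comes from signer.getProvider(), which is the only reliable way to see which implementation actually handled the request; when the two-argument getInstance is used it always equals the requested provider, and when the one-argument form is used it is whichever provider sits first in the registration order and offers the algorithm.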

Related

Java dual keystore with Ops4j PAX

Java has a DualFormatJKS class that is managed by the JavaKeyStore SPI. It determines the type of keystore at runtime. However, the PAX SSLContextBuilder in pax-url-aether-2.6.10.jar never gets into that code. Instead, PAX goes down this path. Eventually, the method KeyStore.getInstance(String type) is executed. It throws an exception because type is "" and it is expecting "jks" or "pkcs12".
The exception is
java.security.NoSuchAlgorithmException: KeyStore not available
I can't figure out how to marry the PAX code to the Java code that reads the file to determine the type of keystore it's working with. I get lost in the TrustStoreManager class. Has anyone had a similar issue, or does anyone know how to solve it?
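An added example, not PAX or JDK code, of loading a keystore when the type string may be blank, which is exactly the input that makes KeyStore.getInstance("") fail with "KeyStore not available": use the declared type when one is given, otherwise try the JDK default type, PKCS12 and JKS in turn. It assumes the same password protects the file whichever format it turns out to be.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

/** Loads a keystore whose declared type may be missing or blank. */
public class KeyStoreLoader {

    static KeyStore load(File file, char[] password, String declaredType) throws Exception {
        String[] candidates;
        if (declaredType != null && !declaredType.trim().isEmpty()) {
            candidates = new String[] { declaredType.trim() };
        } else {
            // A blank type is what KeyStore.getInstance("") rejects, so probe the usual
            // formats instead. On Java 9+ the default is PKCS12 and that loader also
            // accepts JKS files; on Java 8 the default is JKS and the loop covers PKCS12.
            candidates = new String[] { KeyStore.getDefaultType(), "PKCS12", "JKS" };
        }
        Exception last = null;
        for (String type : candidates) {
            try (InputStream in = new FileInputStream(file)) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, password);   // IOException for a wrong format and for a wrong password
                return ks;
            } catch (Exception e) {
                last = e;
            }
        }
        throw new IllegalArgumentException("cannot load " + file + " as any of "
                + Arrays.toString(candidates) + " (check the password as well)", last);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreLoader <file> <password> [type]");
            System.exit(2);
        }
        KeyStore ks = load(new File(args[0]), args[1].toCharArray(), args.length > 2 ? args[2] : "");
        System.out.println("loaded as " + ks.getType() + " with " + ks.size() + " entries");
    }
}
```

Because a wrong password and a wrong format both surface as IOException from load(), the final error deliberately mentions the password; otherwise a mistyped password reads like an unsupported keystore type.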

Exception while file signing using HSM and SUNPKCS11

We are using an HSM (Hardware Security Module) for signing and encryption from our Java application.
We have plugged the HSM into our JVM through the java.security properties file using the following entry:
security.provider.11=sun.security.pkcs11.SunPKCS11 D:/security/safenet.cfg
It was working fine all these days and suddenly we encountered an error as follows:
java.security.SignatureException: RSASignature::engineSign sun.security.pkcs11.P11Key$P11PrivateKey cannot be cast to java.security.interfaces.RSAPrivateKey
We did enough searching on Google but were not able to identify the root cause.
Appreciate any help
Thanks
We also encountered the same issue. Specify the provider name when getting the Signature instance. When the code that signs using the HSM is called, there may be some other piece of code in your application adding another provider [Security.insertProvider] which implements the same signing algorithm.
When you sign, you pass a private key handle for PKCS11, but the provider is expecting a different key handle for RSA.
Resolution:
When you get the HSM signing instance, specify the security provider along with the signing algorithm.
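The resolution above, as an added example that is not code from the question or the answer. It assumes the SunPKCS11 configuration file carries name = safenet (so the provider registers as SunPKCS11-safenet), that the signing key is labelled signing-key on the token, and that the PIN is read from the console. Both the key handle and the Signature engine are taken from the same provider object; the unpinnedProviderFor helper shows which provider a bare Signature.getInstance(alg) would select, which is the provider that throws the ClassCastException when something has inserted a software RSA provider ahead of the HSM.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/** Signs with a key that lives on a PKCS#11 token, pinning every engine to that provider. */
public class HsmSigner {
    // "SunPKCS11-" followed by the name= attribute of the .cfg file; assumed here.
    static final String PKCS11_PROVIDER = "SunPKCS11-safenet";
    static final String KEY_ALIAS = "signing-key";          // assumed label on the token
    static final String SIG_ALG = "SHA256withRSA";

    /** Which provider an unpinned Signature.getInstance(alg) picks: the first one in
     *  Security.getProviders() order that offers the algorithm. After some other code
     *  has run Security.insertProviderAt(other, 1), this is "other", not the HSM. */
    static String unpinnedProviderFor(String alg) throws Exception {
        return Signature.getInstance(alg).getProvider().getName();
    }

    static byte[] sign(byte[] data, char[] pin) throws Exception {
        Provider hsm = Security.getProvider(PKCS11_PROVIDER);
        if (hsm == null) {
            // On Java 9+ the provider can also be created at runtime with
            // Security.getProvider("SunPKCS11").configure(cfgPath) and Security.addProvider.
            throw new IllegalStateException(PKCS11_PROVIDER
                    + " is not registered; check the security.provider.N line in java.security");
        }
        // The key handle and the Signature engine come from the same provider. A P11PrivateKey
        // is only an opaque reference to an object on the token; a software RSA provider
        // cannot cast it to RSAPrivateKey, which is the reported exception.
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, pin);
        if (key == null) {
            throw new IllegalStateException("no key labelled " + KEY_ALIAS + " on the token");
        }
        Signature sig = Signature.getInstance(SIG_ALG, hsm);   // pinned, not Signature.getInstance(SIG_ALG)
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unpinned " + SIG_ALG + " would be served by: " + unpinnedProviderFor(SIG_ALG));
        char[] pin = System.console().readPassword("token PIN: ");
        byte[] sig = sign("constructed payload to sign".getBytes(StandardCharsets.UTF_8), pin);
        System.out.println("signature: " + sig.length + " bytes from " + PKCS11_PROVIDER);
    }
}
```

Logging the unpinned provider once at startup is a cheap regression check: if it ever changes from the HSM to a software provider after a dependency upgrade, the application learns about the new insertProvider call before a signing request fails.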

PGP Encryption in Mule keeps failing with NullPointerException

I have been attempting to encrypt a text file with the PGP encryptor in my Mule flow and have so far been unsuccessful. I am executing against the CloudHub Mule Runtime (Dec 2013) as I intend to deploy to CloudHub.
I have used GnuPG to generate the binary public key from the .asc file provided to me by my client and put the resulting .gpg file in my src/main/resources directory. Even though it doesn't seem like I should have to, I generated my own secret gpg keyring and provided that in my application as well.
When I attempt to run my flow it keeps giving me an NPE:
Root Exception stack trace:
java.lang.NullPointerException
at org.mule.module.pgp.KeyBasedEncryptionStrategy.checkKeyExpirity(KeyBasedEncryptionStrategy.java:100)
at org.mule.module.pgp.KeyBasedEncryptionStrategy.safeGetCryptInfo(KeyBasedEncryptionStrategy.java:87)
at org.mule.module.pgp.KeyBasedEncryptionStrategy.encrypt(KeyBasedEncryptionStrategy.java:54)
I'm not sure what is causing this. Any ideas?
UPDATE:
I've updated to use the latest version of AnyPoint Studio with the 3.5.1 runtime and get the same error, on line 98 this time which is the same line of code.
UPDATE AND MY SOLUTION:
I got it to work. It was an error on my part. I had a principal in the Encryption element that was overriding the principal from the Global element. I had placed this principal in the configuration to overcome an initial error telling me it was required. Removing this principal seems to have resolved all of my problems.
ANOTHER UPDATE
I can successfully encrypt using the pub and sec keys provided in a Mule blog post; however, when attempting to use the gpg file that I exported from the public key (.asc file) that my client provided, I again get the NPE mentioned above. I have followed all the steps I can find for importing their key into my keyring and exporting it as a binary. I'm stumped.
FINAL UPDATE
So it turns out the success with the keys from the Mule blog was a success that I didn't completely understand. Turns out that I was not properly setting the Principal value. I was setting the principal according to what I thought it should be for the secret keyring, when, as I found out, it is actually for the public key ring. All seems to be working now.
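An added example, not Mule or Bouncy Castle code, that inspects a public key ring with the Bouncy Castle OpenPGP API (bcpg, a recent 1.5x or later release is assumed for the generic iterators) and resolves a principal the way an encryptor has to: by matching a user ID on the ring and then picking a non-revoked, non-expired encryption-capable key. When no user ID matches, findEncryptionKey returns null; an encryptor that dereferences that result without checking produces exactly the NullPointerException in the stack trace above. Run it against the exported .gpg (or the original .asc, which is decoded transparently) with the intended principal as the second argument to confirm the user ID string before putting it in the flow configuration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Date;
import java.util.Iterator;

import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

/** Lists the keys and user IDs in a public key ring and resolves a principal to a usable key. */
public class PgpRingInspector {

    static PGPPublicKeyRingCollection read(String path) throws Exception {
        // getDecoderStream handles both ASCII-armoured (.asc) and binary (.gpg) input.
        try (InputStream in = PGPUtil.getDecoderStream(new FileInputStream(path))) {
            return new PGPPublicKeyRingCollection(in, new JcaKeyFingerprintCalculator());
        }
    }

    /** null means the key never expires. */
    static Date expiry(PGPPublicKey key) {
        long secs = key.getValidSeconds();
        return secs == 0 ? null : new Date(key.getCreationTime().getTime() + secs * 1000L);
    }

    /** Returns null when no user ID on any ring contains the principal or no usable
     *  encryption key exists; the caller must test for that instead of dereferencing. */
    static PGPPublicKey findEncryptionKey(PGPPublicKeyRingCollection rings, String principal) {
        Iterator<PGPPublicKeyRing> ringIt = rings.getKeyRings();
        while (ringIt.hasNext()) {
            PGPPublicKeyRing ring = ringIt.next();
            boolean uidMatches = false;
            Iterator<String> uids = ring.getPublicKey().getUserIDs();   // user IDs hang off the master key
            while (uids.hasNext()) {
                if (uids.next().contains(principal)) uidMatches = true;
            }
            if (!uidMatches) continue;
            Iterator<PGPPublicKey> keys = ring.getPublicKeys();
            while (keys.hasNext()) {
                PGPPublicKey k = keys.next();
                Date exp = expiry(k);
                boolean live = !k.hasRevocation() && (exp == null || exp.after(new Date()));
                if (k.isEncryptionKey() && live) return k;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        PGPPublicKeyRingCollection rings = read(args[0]);
        Iterator<PGPPublicKeyRing> ringIt = rings.getKeyRings();
        while (ringIt.hasNext()) {
            Iterator<PGPPublicKey> keys = ringIt.next().getPublicKeys();
            while (keys.hasNext()) {
                PGPPublicKey k = keys.next();
                System.out.printf("key 0x%016X master=%b encrypt=%b revoked=%b expires=%s%n",
                        k.getKeyID(), k.isMasterKey(), k.isEncryptionKey(), k.hasRevocation(), expiry(k));
                Iterator<String> uids = k.getUserIDs();
                while (uids.hasNext()) System.out.println("  user ID: " + uids.next());
            }
        }
        if (args.length > 1) {
            PGPPublicKey k = findEncryptionKey(rings, args[1]);
            System.out.println(k == null
                    ? "principal '" + args[1] + "' does not resolve to a usable key on this ring"
                    : "principal resolves to key 0x" + Long.toHexString(k.getKeyID()));
        }
    }
}
```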

addProvider bouncycastle filenotfoundexception

I have been able to run decryption and encryption locally using the Bouncy Castle jars. I have generated keys; I want to put the public key on a client (Java and Android) and the private key in a web service. I have been able to encrypt and encode a message and send the encrypted message to the web service (on a hosted service by Lunarpages), but the web service decryption fails with a FileNotFoundException on the line
BouncyCastleProvider bc = new BouncyCastleProvider();
or
Security.addProvider(new BouncyCastleProvider());
The bcprov-ext-jdk14-146.jar and the bcprov-jdk14-146.jar are included in the WEB-INF/lib directory.
Is there something I can do programmatic to enable this or does Lunarpages have to do something?
I couldn't even get a stack trace to print, so I thought I might attempt a different provider to see if I get a better response - the SunJCE.
access denied (java.security.SecurityPermission insertProvider.SunJCE)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
java.security.AccessController.checkPermission(AccessController.java:401)
java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1673)
java.security.Security.check(Security.java:1307)
java.security.Security.insertProviderAt(Security.java:697)
java.security.Security.addProvider(Security.java:757)
net.wpstudios.tcws.pgp.RSAEncrypt.generateKeys(RSAEncrypt.java:81)
javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
com.caucho.server.http.Invocation.service(Invocation.java:315)
com.caucho.server.http.CacheInvocation.service(CacheInvocation.java:135)
com.caucho.server.http.RunnerRequest.handleRequest(RunnerRequest.java:346)
com.caucho.server.http.RunnerRequest.handleConnection(RunnerRequest.java:274)
com.caucho.server.TcpConnection.run(TcpConnection.java:139)
java.lang.Thread.run(Thread.java:534)
Does the FileNotFound exception matter? Obviously the Caucho server setup is using access restrictions on adding providers. Never mind that; if you want to develop some application-level encryption/decryption you can simply use the Bouncy Castle crypto API directly. It's not as friendly as the JCE but it is usable enough. This might not work if you want to use a library that in its turn uses the JCA/JCE framework, though.
Lunarpages would have to change the permissions or add the providers manually (using resin.conf, it seems), but it might be hard for them to change them just for you, unless you are the only one using the Java application server. It never hurts to ask, I suppose.
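The direct-API route the answer suggests, as an added example that is not code from the question or the answer: RSA-OAEP with the Bouncy Castle lightweight API (org.bouncycastle.crypto), which needs only the bcprov jar on the classpath and never calls Security.addProvider, so the SecurityManager's insertProvider check is never reached. It assumes a 2048-bit key generated in-process for the demonstration; in the deployment described, the web service would instead load its private key from wherever it is stored.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;

/** RSA-OAEP through the Bouncy Castle lightweight API: no provider registration, so no
 *  SecurityPermission "insertProvider.*" is required under a SecurityManager. */
public class LightweightRsa {

    static AsymmetricCipherKeyPair generate(SecureRandom rnd) {
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        // public exponent 65537, 2048-bit modulus, primality certainty 112
        gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(65537), rnd, 2048, 112));
        return gen.generateKeyPair();
    }

    private static AsymmetricBlockCipher oaep(boolean forEncryption, RSAKeyParameters key) {
        // OAEP with SHA-256; the raw RSAEngine alone would be textbook RSA and is never used directly.
        AsymmetricBlockCipher c = new OAEPEncoding(new RSAEngine(), new SHA256Digest());
        c.init(forEncryption, key);
        return c;
    }

    /** For a 2048-bit key with SHA-256 the plaintext is limited to 256 - 2*32 - 2 = 190 bytes;
     *  in practice wrap a random AES key here and encrypt the message body with that key. */
    static byte[] encrypt(RSAKeyParameters pub, byte[] plain) throws Exception {
        return oaep(true, pub).processBlock(plain, 0, plain.length);
    }

    static byte[] decrypt(RSAKeyParameters priv, byte[] ct) throws Exception {
        return oaep(false, priv).processBlock(ct, 0, ct.length);   // InvalidCipherTextException on tampering
    }

    public static void main(String[] args) throws Exception {
        AsymmetricCipherKeyPair kp = generate(new SecureRandom());
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt((RSAKeyParameters) kp.getPublic(), msg);
        byte[] pt = decrypt((RSAKeyParameters) kp.getPrivate(), ct);
        System.out.println("ciphertext " + ct.length + " bytes, round-trip ok=" + Arrays.equals(msg, pt));
    }
}
```

The caveat from the answer still applies: anything that internally calls Cipher.getInstance or Signature.getInstance goes through the JCA and will hit the same permission check; only code written against the lightweight classes sidesteps it.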

How do I sign an apk using .key file?

I created an application which is currently on Android market. The key used to sign the application was made using jarsigner. How do I sign using the .key file originally generated?
You will need the original private key that you used to sign the first version.
Full information is available here, but here is the excerpt it sounds like you need:
Application upgrade – As you release updates to your application, you will want to continue to sign the updates with the same certificate or set of certificates, if you want users to upgrade seamlessly to the new version. When the system is installing an update to an application, it compares the certificate(s) in the new version with those in the existing version. If the certificates match exactly, including both the certificate data and order, then the system allows the update. If you sign the new version without using matching certificates, you will also need to assign a different package name to the application — in this case, the user installs the new version as a completely new application.
AFAIK, .key is not a standard (conventional) file ending. Most of the time you are working with a .keystore file. The keystore contains the key. The keystore and the key both have passwords and separate security measures for safety.
If you generated your ".key" file using jarsigner and one of the commands listed here, then you likely created a keystore file and happened to give it the ending ".key". If this is the case, then just compile your application in release mode, sign the application using the jarsigner tool, and use zipalign (not sure what this is for, compression perhaps?).
If you don't have the original keystore and key file, then you're boned. Sorry :/ Tons of other info can be found on the Signing Your Application page.
HTH,
Hamy
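Since the installer compares certificates exactly, the useful check before signing an update is whether the certificate in the ".key" file is the one that signed the build already on the market. The following is an added example, not code from the answer or from the Android SDK: it reads the signer certificate(s) from the published APK's JAR (v1) signature, the scheme jarsigner produces, and compares their SHA-256 fingerprints with the certificate under an alias in the keystore. It assumes the file is a JKS or PKCS12 keystore loadable by the JDK's default type, that the alias is known (keytool -list shows it), and that the password is read from the console. APK Signature Scheme v2/v3 blocks are not visible through JarFile and are not covered here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Compares the certificate(s) that signed a published APK with the one in a keystore,
 *  so a mismatch is found before the package manager rejects the update. */
public class SigningKeyCheck {

    static String sha256(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Signer certificate fingerprints recorded in the APK's JAR (v1) signature, in order. */
    static List<String> apkSignerFingerprints(String apkPath) throws Exception {
        try (JarFile jar = new JarFile(apkPath, true)) {            // true = verify signatures
            JarEntry e = jar.getJarEntry("AndroidManifest.xml");
            if (e == null) throw new IllegalArgumentException(apkPath + " has no AndroidManifest.xml");
            // Certificates are only populated after the entry has been fully read and verified.
            try (InputStream in = jar.getInputStream(e)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) { /* consume */ }
            }
            Certificate[] certs = e.getCertificates();
            if (certs == null) throw new IllegalStateException(apkPath + " carries no JAR signature");
            List<String> out = new ArrayList<>();
            for (Certificate c : certs) out.add(sha256(c));
            return out;
        }
    }

    static String keystoreFingerprint(String ksPath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());   // assumed JKS/PKCS12 file
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, storePass);
        }
        Certificate c = ks.getCertificate(alias);
        if (c == null) throw new IllegalArgumentException("no entry named " + alias + " in " + ksPath);
        return sha256(c);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SigningKeyCheck <published.apk> <keystore.key> <alias>");
            System.exit(2);
        }
        char[] pass = System.console().readPassword("keystore password: ");
        List<String> apk = apkSignerFingerprints(args[0]);
        String ks = keystoreFingerprint(args[1], pass, args[2]);
        System.out.println("APK signers : " + apk);
        System.out.println("keystore    : " + ks);
        // The installer requires the same certificate set in the same order, so a single
        // signing key must correspond to exactly one signer that equals it.
        boolean ok = apk.size() == 1 && apk.get(0).equals(ks);
        System.out.println(ok
                ? "MATCH: an update signed with this key installs over the published build"
                : "MISMATCH: an update signed with this key will be rejected as a different app");
    }
}
```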
