Cipher question

Does getInstance(...) return a new object or does it return a reference to an existing object?
With other word, is a new cipher object created for every method call in the example below?
public void method()
Cipher cipher = Cipher.getInstance( Cipher.ALG_DES_CBC_NOPAD, true);
}

The Cipher.getInstance() creates a new object each time it is invoked.
The javadoc is quite clear about this:
Creates a Cipher object instance of the selected algorithm."Create" means "new".

Similar Messages

Keytool / Cipher question

It appears from the reading and experimenting that I have been doing, that keytool cannot be used to generate keys that are usable by a Cipher object for encryption.
Apparently keytool generates only RSA or DSA keys and according to the docs for the JCE those algorithms are not supported for encryption.
Is this correct?

I think it's correct because, RSA and DSA are used
for authentication not for encryption.RSA is an asymetic encryption algorithm and DSA is an asymetric signing algorithm. Both can be used for encryption though DSA is not normally used for encryption. It is normal to use RSA encryption to encrypt symetric algorithm session keys because RSA is a relatively slow operation not suited to bulk encryption.
One can use a keystore type of JCEKS to store symetric keys e.g.
KeyStore ks = KeyStore.getInstance("JCEKS");

Ask help for a question about Caesar cipher

"Caesar ciphers are among the simplest devised, and rely solely on remapping characters to others in the alphabet using a constant shift modulo the size of the alphabet. The amount shifted is the key used to encipher, or decipher, the message. This remapping is usually restricted to letters, so that with a key of 2, `A' is replaced by `C', `B' by `D', ..., `X' by `Z', `Y' by `A', and `Z' by `B'. Lower case letters are mapped in an identical way to give their lower case replacements. Thus here the key is an integer in the range 1 to 25 (not 0 to 25, as there is no point replacing every `A' by an `A' etc.).
Straightforward Caesar ciphers are rather too easy to recognise however. In an attempt to maintain the basic idea, but complicate the result, what we will do is systemmatically jumble up the letters. Treating `I' and `J' as one letter from the start (so now there are only 24 different keys, assuming we still exclude mapping `A' to `A'), the 25 letters will be written to a 5 by 5 grid, by rows, and read back by columns. So, for example, with a key of 10, `A' is mapped into `L', and the grid produced is:
L M N O P
Q R S T U
V W X Y Z
A B C D E
F G H I K
and the uppercase alphabet upon encryption becomes: LQVAFMRWBBGNSXCHOTYDIPUZEK Note that here the `B' is doubled up because it represents both `I' and `J'. Thus, with this key of 10, the following line is enciphered to the one after it.
Caesar ciphers are child's play.
Vlfylt vbhwfty ltf vwbna'y hnle.
An acceptable drawback of the treatment of `I' and `J' in the grid is that a decoded message will have all `J's mapped to `I's, and all `j's to `i's"
this is a part of requirement in the whole program,I almost finished it, but I do not know thata how to make" a decoded message will have all `J's mapped to `I's, and all `j's to `i's". "Treating `I' and `J' as one letter from the start"?what does that mean?
this is my code about the part:
public static char encode(char ch,int n) {
while (!Character.isLetter(ch))
return ch;
if(ch>='A'&&ch<='Z')
return (char)('A'+(ch-'A'+n)%26);
if(ch>='a'&&ch<='z')
return (char)('a'+(ch-'a'+n)%26);
return ch;
public static char decode(char ch,int n) {
while (!Character.isLetter(ch))
return ch;
if(ch>='A'&&ch<='Z')
return (char)('A'+(ch-'A'-n)%26);
if(ch>='a'&&ch<='z')
return (char)('a'+(ch-'a'-n)%26);
return ch;
}but
how to make" a decoded message will have all `J's mapped to `I's, and all `j's to `i's". "Treating `I' and `J' as one letter from the start"?

Your teacher/instructor/professor would obviously be the final authority on this, but I think all it's saying is that when you encode, treat each 'j' you come across as an 'i', and therefore, when you decode, because you've lost information that it was a 'j' to start with, it will be mapped back to an 'i'.
One easy way to accomplish this (that would save special cases later in your for-loop) would simply be a:
String toEncode = "Djibouti"
toEncode = toEncode.replaceAll("j","i"); //obviously handle both cases instead
String encoded = encode(toEncode);
String decoded = decode(encoded);
System.out.println(decoded); //this would print "Diibouti"The other way is to simply add a special case to your encode/decode (char) methods.
Edited by: endasil on 28-Sep-2009 9:35 AM

How Redirect browser(client) based on non-negotiable SSL/TLS protocol or cipher

Hi guys,
we have a security requirement wherein we have to force the browsers accessing our asp.net application hosted on windows server 2012 to have atleast tsl 1.1 , but we don't want to simply block the request, instead we would like to redirect the request
to a unsecured static html page with the instructions on how to get them onto tsl.
can any one help me here?>? actually i found a similar and exactly same thread on stackoverflow but i think that is probably directed towards linux family. http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
please help me guys..
ps: i have posted the same question on IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS)
and got a reply saying that it can be done at windows kernel level(possibly).

Hi,
As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
Therefore, as the way I see it, the goal cannot be achieved.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]

Cipher program.. in need of a little guidance

I understand I posted many messages about this subject. But I just wanted to start a new thread on this as a whole. I apologize for that. Anyways I can't get this thing going right... I want to take a repeating key and encode words with it. This program takes text files and the first line is all ints (the repeating keys) and the next lines are ones to be encoded and decoded.
I left a big comment on what I need to do and also if you see any obvious problems please let me know. I really appreciate it. Thanks.
import java.io.*;
import java.util.*;
public class RepeatingKeyCipher<E>
   public static void main(String[] args) throws IOException
        RepeatingKeyCipher obj = new RepeatingKeyCipher();
        File file = new File("in.dat");
        PrintWriter outFile = new PrintWriter(new FileWriter("out.dat"));
          Scanner fileIn = new Scanner(file);
          Queue<Integer> keyNumbers = new LinkedList<Integer>();
          Queue<String> plainText = new LinkedList<String>();
          int keyLine;
          while(fileIn.hasNextInt())
               keyLine = fileIn.nextInt();
               plainText.offer(keyLine);
          keyNumbers.offer(plainText.poll());
          Queue<String> cipher = new LinkedList<String>();
          cipher = obj.encode(keyNumbers, plainText);
          //for(int i = 0; i < message.length; i++) {
     private int front;
     private int rear;
     private int size;
     private char newLetter;
     private String alpha = "abcdefghijklmnopqrstuvwxyz";
     public char encode (Queue<E> key, Queue<E> plain)
     {//returns new letter
        /* From here on you just find a way to seperate the key element.
             Then you seperate the first character from the plain queue.
               Then use the nested loops to convert and add back to a third
               queue. */
        Queue<String> encodedText = new LinkedList<String>;
          StringTokenizer st = new StringTokenizer(message);
          while(st.hasMoreTokens())
               String word = st.nextToken();
               int wordLength = word.length();
               for (int i = 0; i < wordLength; i++)
                     newLetter = alpha.charAt(i + key);
                     if (newLetter > alpha.length())
                         newLetter =alpha.charAt((i + key) - 25);
                         return newLetter;
}

Most of those question will have to be answered by your O2 UK customer service, as they will know their data plans.
But for the BlackBerry, you will need a BlackBerry specific data plan.
Just a generic internet access plan usually will not suffice.
So when you speak to them, make sure you get specific BlackBerry data plan information, add-on or bolt-on or whatever the call it.
1. If any post helps you please click the below the post(s) that helped you.
2. Please resolve your thread by marking the post "Solution?" which solved it for you!
3. Install free BlackBerry Protect today for backups of contacts and data.
4. Guide to Unlocking your BlackBerry & Unlock Codes
Join our BBM Channels (Beta)
BlackBerry Support Forums Channel
PIN: C0001B7B4   Display/Scan Bar Code
Knowledge Base Updates
PIN: C0005A9AA   Display/Scan Bar Code

Two theoretical questions

Hi there!
I'm designing an authentication system. Two theoretical questions have evolved. I am not so sure about it. Hope you can help me out =)
1. First sign or first cipher?
What is best practice here? Is it a risk to a symmetrical cryptosystem, if there's also a hash of the plaintext available? Or should the cipher text be signed? I am afraid that this might cause a security risk for the hash: The ciphertext's entropy should be lower than the plaintext's, which might cause lower entropy of the hash value that makes it more likely to find possible collusions.
2. Challenge Response Authentication
This is an hypotectical one: Is it of matter, if a (one-side) Challenge Response Authentication is done reverse: Bob sends Alice f(RAND), Alice deciphers it and sends RAND back to Bob.
Thanks for your help!

ManuelBreu wrote:
I'm sorry, my questions were not precise: By entropy I meant the ciphertext's nature that 0 and 1 will have (almost) the same likeliness, which is not the case in the plaintext. This depends very much on the nature of the cleartext. If your cleartext is alpha numeric ASCII then it is certain that the most significant bit of any byte will be a zero with some bias in the other bits (I have never looked at it so I don't know to what extent).
But you are right: I am affraid, that the uncertainty of the key might be negatively affected by fact, that there is also a hashvalue of the plaintext available.The extra information in the form of the hash means that there is less uncertainty but I would take the resultant entropy as near to the minimum of(hash entropy, key entropy, cleartext entropy).

"Cipher not initialized" when trying to invoke CRM On Demand web service

Hi,
I'm try to invoke CRM On Demand web service for which there is a pre-req to get a session ID by making an https request. I've the below java embedded code which does that. It works fine if I run the below code in my desktop as a java program, but when I deploy it on SOA 11g I get "Caused by: java.lang.IllegalStateException: Cipher not initialized" error (find below the stack trace). Please let me know what's going wrong here?
String sessionString = "FAIL";
String wsLocation =
"https://secure-********.crmondemand.com/Services/Integration";
String headerName;
try {
// create an HTTPS connection to the OnDemand webservices
java.net.URL wsURL =
new java.net.URL(wsLocation + "?command=login");
java.net.HttpURLConnection wsConnection =
(java.net.HttpURLConnection)wsURL.openConnection();
// disable caching
wsConnection.setUseCaches(false);
// set some http headers to indicate the username and password we are using to logon
wsConnection.setRequestProperty("UserName",
wsConnection.setRequestProperty("Password", "***********");
wsConnection.setRequestMethod("GET");
// see if we got a successful response
if (wsConnection.getResponseCode() ==
java.net.HttpURLConnection.HTTP_OK) {
// get the session id from the cookie setting
for (int i = 0; ; i++) {
headerName = wsConnection.getHeaderFieldKey(i);
if (headerName != null &&
headerName.equals("Set-Cookie")) {
// found the Set-Cookie header (code assumes only one cookie is being set)
sessionString = wsConnection.getHeaderField(i);
if (sessionString != null ||
sessionString.startsWith("JSESSIONID")) {
break;
String formattedID =
sessionString.substring(sessionString.indexOf("=") + 1,
sessionString.indexOf(";"));
setVariableData("SessionID", formattedID);
//System.out.println("Session ID: " + sessionString);
} catch (Exception e) {
e.printStackTrace();
setVariableData("SessionID", e.getMessage());
System.out.println("Logon Exception generated :: " + e);
throw new RuntimeException(e);
Caused by: java.lang.IllegalStateException: Cipher not initialized
at javax.crypto.Cipher.c(DashoA13*..)
at javax.crypto.Cipher.update(DashoA13*..)
at com.certicom.tls.provider.Cipher.update(Unknown Source)
at com.certicom.tls.record.MessageEncryptor.compressEncryptSend(Unknown Source)
at com.certicom.tls.record.MessageEncryptor.compressEncryptSend(Unknown Source)
at com.certicom.tls.record.MessageFragmentor.write(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:158)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:363)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:952)
at orabpel.productquerybpelprocess.ExecLetBxExe0.execute(ExecLetBxExe0.java:93)
Thanks!

Same question...did you ever got this resolved...for me, even the simple java program, when run on JDev 11g is ALSO not working. I am getting this.
Using JDev 10g on the same machine (or for that matter SOA 10g) works perfectly.
Have posted this thread too - Getting SSLHandshakeException when trying to login to OCOD using Jdev 11g
Thanks,
Amit

Handshake_failure (no cipher suites in common) error

Requirement
1. Login to a HTTPS site with the given site username and password through a proxy server (Proxy server doesn't require authentication)
2. Then upload a document in the site
Jars used
jsse.jar
Jcert.jar
Jnet.jar
Environment
Unix \ Weblogic
Code
import java.io.*;
import java.net.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;
String loginURL = config.getProperty("LoginURL");
String putURL = config.getProperty("PutURL");
// This is where we have stored the certificate from the server using keytool
//keytool -import -alias ca -file xxx.cer -trustcacerts -v -keystore "cacerts"
//Stored the certificate by viewing the site throw the browser and save it locally
String certFile = config.getProperty("GetCertpath");
// Set proxy
System.setProperty("https.proxyHost", config.getProperty("Proxy"));
System.setProperty("https.proxyPort", config.getProperty("ProxyPort"));
Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
// We are overriding the system default trust store
System.setProperty( "javax.net.ssl.trustStore", certFile);
URL dataURL = new URL(null, loginURL, new com.sun.net.ssl.internal.www.protocol.https.Handler());
com.sun.net.ssl.HttpsURLConnection connection = (com.sun.net.ssl.HttpsURLConnection) dataURL.openConnection();
connection.setHostnameVerifier(new HostnameVerifierImpl());
connection.setInstanceFollowRedirects(true); // Follow redirects by host
// Create login header
String hostlogin = config.getProperty("userID") + ":" + config.getProperty("password");
String encodedHostLogin = Base64Converter.encode(hostlogin.getBytes());
connection.setRequestProperty("Authorization", "Basic " + encodedHostLogin);
// Get the cookie. We'll need it to maintain the session
cookie = connection.getHeaderField("Set-Cookie");
// Read the host's reply, and dump
BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream())); //ERROR at this point
//System.out.print("## INFO: Host Replied...");
String line = null;
while((line = in.readLine()) != null)
//System.out.println(line);
in.close();
Error Dump
Exception occured Received fatal alert: handshake_failure (no cipher suites in common)
javax.net.ssl.SSLException: Received fatal alert: handshake_failure (no cipher suites in common)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:56)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
Questions
1. The client (we\our application) does not have any certificates. We just have to login to the site with the id and password and upload a file. What extra we should do to avoid this error?

This is the full debug info
*** ClientHello, v3.1
RandomCookie: GMT: 1061973650 bytes = { 66, 125, 28, 182, 32, 174, 11, 166, 105, 30, 208, 142, 122, 250, 76, 48, 46, 41, 230, 73, 229, 20, 7, 5, 25, 218, 181, 43 }
Session ID: {}
Cipher Suites: { 0, 3, 0, 17 }
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 47
0000: 01 00 00 2B 03 01 3F 4C 6F 92 42 7D 1C B6 20 AE ...+..?Lo.B... .
0010: 0B A6 69 1E D0 8E 7A FA 4C 30 2E 29 E6 49 E5 14 ..i...z.L0.).I..
0020: 07 05 19 DA B5 2B 00 00 04 00 03 00 11 01 00 .....+.........
main, WRITE: SSL v3.1 Handshake, length = 47
[write] MD5 and SHA1 hashes: len = 50
0000: 01 03 01 00 09 00 00 00 20 00 00 03 02 00 80 00 ........ .......
0010: 00 11 3F 4C 6F 92 42 7D 1C B6 20 AE 0B A6 69 1E ..?Lo.B... ...i.
0020: D0 8E 7A FA 4C 30 2E 29 E6 49 E5 14 07 05 19 DA ..z.L0.).I......
0030: B5 2B .+
main, WRITE: SSL v2, contentType = 22, translated length = 16337
main, READ: SSL v3.1 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, handshake_failure
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 1061973650 bytes = { 2, 6, 51, 93, 63, 135, 69, 177, 206, 97, 223, 48, 244, 40, 179, 108, 54, 67, 148, 76, 251, 197, 152, 112, 73, 142, 206, 13 }
Session ID: {}
Cipher Suites: { 0, 3, 0, 17 }
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 47
0000: 01 00 00 2B 03 01 3F 4C 6F 92 02 06 33 5D 3F 87 ...+..?Lo...3]?.
0010: 45 B1 CE 61 DF 30 F4 28 B3 6C 36 43 94 4C FB C5 E..a.0.(.l6C.L..
0020: 98 70 49 8E CE 0D 00 00 04 00 03 00 11 01 00 .pI............
main, WRITE: SSL v3.1 Handshake, length = 47
[write] MD5 and SHA1 hashes: len = 50
0000: 01 03 01 00 09 00 00 00 20 00 00 03 02 00 80 00 ........ .......
0010: 00 11 3F 4C 6F 92 02 06 33 5D 3F 87 45 B1 CE 61 ..?Lo...3]?.E..a
0020: DF 30 F4 28 B3 6C 36 43 94 4C FB C5 98 70 49 8E .0.(.l6C.L...pI.
0030: CE 0D ..
main, WRITE: SSL v2, contentType = 22, translated length = 16337
main, READ: SSL v3.1 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, handshake_failure
Exception in thread "main" javax.net.ssl.SSLException: Received fatal alert: handshake_failure (no cipher suites in common)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
at java.io.OutputStream.write(OutputStream.java:56)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
Apart from this,
1. When we run the same code in the Windows 2000 environment it works.
2. We want the code to run in the unix box.
3. We have also placed jsse.jar, jcert.jar and jnet.jar in the jre/lib/ext folder
4.Took the following existing file "cacerts" from jre/lib/security folder
5. Saved the certificate from the site through the browser as xxx.cer
6. Put both the files cacerts and xxx.cer in a directory
7. Added the xxx.cer to the cacerts using the following command
keytool -import -alias ca -file xxx.cer -trustcacerts -v -keystore "cacerts"
8. In the java code set the following property,
System.setProperty( "javax.net.ssl.trustStore", path to the cacerts file);

WSMAN CredSSP TLS 1.2 support and cipher suites

Hi all,
The protocol document [MS-CSSP] explains the first base64 encoded token send in the authenticate from the client to the server is a TLS Client Hello. The response is a ServerHello.
The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.
So lets take a look a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64 decoded the contents of the CredSSP Authorization headers,
The ClientHello bytes (without the extensions) send by my client are:
16 03 01 00 6B 01 00 00 67 03 01 54 DB 64 77 22
A2 1C A3 23 93 61 3B 00 1B DE 1C 6D 42 34 94 8D
1D 44 2C 64 8B 42 AC 41 B4 E2 DE 00 00 14 00 2F
00 35 00 0A C0 13 C0 14 C0 09 C0 0A 00 32 00 38
00 13 01 00 00 2A FF 01 00 01 00 00 00 00 11 00
0F 00 00 0C
Decoding this we can see that this is TLS 1.0 {03, 01}, taking a look at the ciphers we have:
TLS_RSA_WITH_AES_128_CBC_SHA 0x00 0x2F
TLS_RSA_WITH_AES_256_CBC_SHA 0x00 0x35
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13
Now lets look at the ServerHello (without the extensions)
16 03 01 02 3C 02 00 00 4D 03 01 54 DB 64 78 73
92 C6 86 A3 F8 FF 3D D4 36 77 C0 FC 80 61 3F 4D
8C BC 60 CD BC 4D B1 1C 4A CF 0A 20 DA 14 00 00
38 11 DB C9 1C D0 8C 76 E7 A0 B9 F7 A5 D4 94 DF
8B 83 38 B3 FF EB AA 65 EB 23 03 0A 00 2F 00 00
05 FF 01 00 01 00 0B 00 01 E3 00 01 E0 00 01 DD
30 82 01 D9 30 82 01 42 A0 03 02 01 02 02 10 44
56 23 69 44 ED 93 85 43 DF B8 DF E3 75 DC A7 30
0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 2B
31 29 30 27 06 03 55 04 03 13 20
The server responds with TLS 1.0 and selected cipher (0x00 0x2F)
TLS_RSA_WITH_AES_128_CBC_SHA
Based on this I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So, I configured my OpenSSL client for TLS 1.0 and set the cipherlist to AES128-SHA (like winrs.exe).
The CredSSP TLS handshake completes, but the first ASN.1 encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my openssl cipherlist is set to RC4, the TSRequest token is accepted and authentication is successful.
This raises several questions:
1. Despite sending a TLS 1.2 ClientHello the WSMan CredSSP Server always responded with TLS 1.0 ServerHello. A number of security experts consider this version effectivly broken. Does CredSSP support TLS 1.2?
2. I can authenticate with CredSSP using openssl 'RC4' cipher suites - but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES).
Thanks
Ian

Forum Update:
I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is because this ciphersuite is using CBC.
Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsofts SChannel implementation so Windows is unable to decrypt the data. OpenSSL added
a compatibility flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) that must be set in the openssl client's context options to address this issue with Microsofts implementation. Once I set this option my python openssl client successfully authenticated
with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.
Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?

Setting cipher suites for ssl sockets

Hi
While setting cipher suites for ssl serversocket and socket, there may be lot of stream ciphers and block ciphers in the list. (also there may or may not be anonymous cipher suites).
How does the ssl socket decide which cipher suite to use?
Sorry for this newbie question.
Thank you.

Have you read the JSSE Reference Guide? It has a really good description of how the SSL handshake works. Part of the "Client Hello" step includes sending all the cipher-suites the client has enabled. The server picks the "best" of that set, that the server also supports, and sends it back as part of the "Server Hello". Both sides switch to that set.
Now, what "best" means isn't defined. I'm not sure what criteria the server uses to determine that. Maybe someone else reading the thread can chime in.
Grant

My SDK doesn't implement Cipher, course of action

Hi, all. First of all let me tell you that I've checked the forum for this topic. Found 44 threads when searching for "Cipher". I've pretty clear that due to restrictions from the U.S. Goverment, the Sun JC kit doesn't implement the Cipher class. That's understood.
Now, my SmartCard Vendor (DataCard Aptura) doesn't implement it neither the Cipher class on it's sdk. I've asked for support and they have told me that they won't add that Class. So I can't count on them.
So, the purpose of this post is to find out the course of action. I've just two options, either I implement the class by myself or I get it (buy it, if it's possible) somewhere else. I don't want you to do my work, I just need some light because I'm new to this cryptography over smartCard thing.
So I've this questions which require short answer (hope so):
1.) According to your experience, should we implement it by ourselves? Or should we look for some vendor that has already implemented it?
2.) I that were the case (that we should implement it by our own) could you estimate the amount of time (or resources) needed, considering just one programmer.
3.) Are there some special considerations that I should take in order to save memory. Please notice that the current version of Aptura prohibits the use of transient arrays on the card, due to a bug inside the core of the VM. It doesn?t reclaim the space after it?s been used, for instance after a reset, it won?t reclaim the all the transient space used.
4.) If it would take a considerable amount of time to implement the Cipher class by our own, do you know some vendor that has already implemented and can save us that time?
Any other light or aspect that you might think it's important and I've missed here, would be appreciated.
Many Thanks in advance.
CL

Well no. All I want is to have cryptography on my card (that I didn't choose for the project I just received like "this is the card"). And this vendor doesn't have an implementation of the Cipher class.
As a parenthesis () there is not Int as you properly mentioned, but I implemented by hand, unsing Zhiqun Chen proposal (on her book JavaCard Technology for SmartCards). I know that approach is not quite efficient, but it works (considering that for financial purposes a short is not enough).
Well, back to our business. Also I'm concious that the approach of implementing the cryptography by myself would not win the efficiency award for Smart Card, but I need to do something and trying to change the card at this point (I didn't choose it, as I told you) would not be the first solution, due to the fact that the production cards are already ordered. So that's the actual situation.
So, I'm pretty sure the problem is on the side of my vendor. Is not that I'm washing my hands on him, it's just the fact. Here you'll find my little test I'm trying to run. It crashes after the following line on the process (APDU apdu) method:
cipher.doFinal(data, START, (short) data.length, cipherText, START);
And here's my code:
//CVS Tests
package com.datacode.bi.Purse;
import javacard.framework.*;
import javacardx.crypto.*;
import javacard.security.*;
public class Purse extends Applet
public static final byte START = (byte) 0x00;
private DESKey desKey;
private Cipher cipher;
private byte [] cipherText;
protected Purse(byte[] bArray, short bOffset, byte bLength)
cipherText = new byte [100];
try {
desKey = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
desKey.setKey( keyData, START);
cipher = Cipher.getInstance(Cipher.ALG_DES_ECB_ISO9797_M1, false);
cipher.init(desKey, Cipher.MODE_ENCRYPT);
catch (CryptoException e) {
register();
* Installs Java Purse applet.
* @param bArray to pass to register() method.
* @param bOffset to pass to register() method.
* @param bLength to pass to register() method.
     public static void install( byte[] bArray, short bOffset, byte bLength )
byte instanceLength = (byte) bArray[bOffset];
short instanceOffset = (short)(bOffset + 1);
          new Purse(bArray, instanceOffset, instanceLength);
* Performs the session finalization.
     public void deselect()
* Dispatches APDU commands.
* @param apdu APDU object
     public void process(APDU apdu)
byte[] buffer = apdu.getBuffer();
try {
//ISOException.throwIt(
cipher.doFinal(data, START, (short) data.length, cipherText, START);
//ISOException.throwIt(DEBUG_CODE);
apdu.setOutgoing();
apdu.setOutgoingLength((short) cipherText.length);
apdu.sendBytesLong(cipherText, START, (short) cipherText.length);
catch (APDUException e) {
catch (CryptoException e) {
private final static byte [] keyData = {    (byte) 'C',
(byte) 'a',
(byte) 'r',
(byte) 'p',
(byte) 'e',
(byte) ' ',
(byte) 'D',
(byte) 'i'
private static final byte [] data = { (byte) 68,
(byte) 111,
(byte) 32,
(byte) 121,
(byte) 111,
(byte) 117,
(byte) 32,
(byte) 98,
(byte) 121,
(byte) 116,
(byte) 101,
(byte) 44,
(byte) 32,
(byte) 119,
(byte) 104,
(byte) 101,
(byte) 110,
(byte) 32,
(byte) 73,
(byte) 32,
(byte) 107,
(byte) 110,
(byte) 111,
(byte) 99,
(byte) 63,
(byte) 65
private static final short DEBUG_CODE = (short) 0x9999;
>
Aptura prohibits the use of transient arrays on the
card,based on that I would try other vendors, IBM
JCOP, Datakey, G&D Sm@rtCafe, Gem+ GemXpress RAD, and
SLB all implement the javacard.security,
javacard.crypto classes and the transient arrays are
COD/COR.

Question about java 5.0 & j2me & wireless toolkit

Hi,
I maybe have a dumb question, but to me it's not totally clear. I am currently developing an application (for J2ME and J2SE) which uses RSA encryption. So I found out that before Java 5.0 RSA encryption wasn't supported, but starting from Java 5.0 it is. So my question now is. If I use the RSA encryption from Java 5.0, can I still use it in my cell phone? And which Java version runs in my cell phone?
It not clear to me, but maybe someone will be so nice to respond...
Can my/any cellphone run Java 5.0 code? So what if I use the mentioned RSA-cipher... or generics...enumerations... On what does it depend whether I can use it for my cell phone or not?
Does it just depend on the compiler? the JVM on my phone? or even the wireless toolkit?
Thank you very much in advance.
Sincerely.

bump...
anyone?

PKCS12 question

I have one PKCS12 store .
When I use this store with Server(server authendication) it works fine.
When I use the same PKCS12 store on the client side it doesnt work.
The client is not returning the certificate to server, and the server throws
javax.net.ssl.SSLHandshakeException: null cert chain IOException occurred when processing request.
Any idea why this is happening??
I have another PKCS12 store which works fine with both server and client.
What is the problem with my 1st PKCS12 store??
Below is my server and client code and ssl trace
---------Client----------
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(KEYSTORE), KEYSTOREPW);
kmf.init(keystore, KEYPW);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyStore truststore = KeyStore.getInstance("jks");
truststore.load(new FileInputStream(TRUSTSTORE), TRUSTSTOREPW);
tmf.init(truststore);
SSLContext sslc = SSLContext.getInstance("SSLv3");
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLSocketFactory factory = sslc.getSocketFactory();
SSLSocket socket = (SSLSocket)factory.createSocket("babu", 443);
-----Server---------
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
          System.setProperty("javax.net.debug", "all");
          KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
     KeyStore keystore = KeyStore.getInstance("PKCS12");
     keystore.load(new FileInputStream(KEYSTORE), KEYSTOREPW);
     kmf.init(keystore, KEYPW);
     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
     KeyStore truststore = KeyStore.getInstance("jks");
     truststore.load(new FileInputStream(TRUSTSTORE), TRUSTSTOREPW);
     tmf.init(truststore);
     SSLContext sslc = SSLContext.getInstance("SSLv3");
     sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
     ServerSocketFactory ssf = sslc.getServerSocketFactory();
     SSLServerSocket serverSocket =(SSLServerSocket) ssf.createServerSocket(serverPort);
     serverSocket.setNeedClientAuth(requireClientAuthentication);
-------------SSL Server trace--------
SecureServer version 1.0
found key for : 1b171437ea2e3946aa536179d508b6eb_f9948e6e-6fdb-4f6e-b09e-613f60f00e41
chain [0] = [
Version: V3
Subject: CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 512 bits
modulus: 9683790188147953162795730790793527257397758989267819282372960853921863644980017792669595318858981940986671279705015616513809624780681913479305781592431811
public exponent: 65537
Validity: [From: Wed Nov 01 12:09:39 GST 2006,
               To: Fri Dec 01 12:09:38 GST 2006]
Issuer: CN=Comtrust Demo CA, OU=Comtrust eBusiness Services, O=Etisalat, C=AE
SerialNumber: [    0118]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 36 C0 C7 73 46 9E FB 0B C4 9E 93 48 B3 CA A5 .6..sF......H...
0010: 07 1A FD B5 ....
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: [email protected]]]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
0000: 30 66 30 64 A0 62 A0 60 86 5E 6C 64 61 70 3A 2F 0f0d.b.`.^ldap:/
0010: 2F 6C 64 61 70 2E 63 6F 6D 74 72 75 73 74 2E 63 /ldap.comtrust.c
0020: 6F 2E 61 65 2F 43 4E 3D 43 6F 6D 74 72 75 73 74 o.ae/CN=Comtrust
0030: 20 44 65 6D 6F 20 43 41 2C 20 4F 55 3D 43 6F 6D Demo CA, OU=Com
0040: 74 72 75 73 74 20 65 42 75 73 69 6E 65 73 73 20 trust eBusiness
0050: 53 65 72 76 69 63 65 73 2C 4F 3D 45 74 69 73 61 Services,O=Etisa
0060: 6C 61 74 2C 43 3D 41 45 lat,C=AE
Algorithm: [SHA1withRSA]
Signature:
0000: 41 AC BF FB 89 E2 5D C3 41 40 95 74 41 9B D4 4D A.....][email protected]
0010: 02 2D AE 92 85 CD 8B 55 5E 8A E9 CA 1F 20 36 2A .-.....U^.... 6*
0020: 36 89 8F 84 22 AB 4F 8B B3 8B 7A DD 88 B3 98 B1 6...".O...z.....
0030: EE D0 82 06 D2 75 2F DD 36 2E 30 C6 6D 92 0A 7D .....u/.6.0.m...
0040: 61 F1 90 71 00 FA 09 86 2E B7 76 00 EE 4B 85 90 a..q......v..K..
0050: CD A0 0A 20 F2 C7 0C 49 E4 A0 71 83 FB 9A 4A EF ... ...I..q...J.
0060: ED 4A E9 36 C5 00 59 A8 EF 28 66 1E CC 81 FC FA .J.6..Y..(f.....
0070: 75 B0 B5 B8 0E 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 u...._.N....NL,.
adding as trusted cert:
Subject: CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE
Issuer: CN=Comtrust Demo CA, OU=Comtrust eBusiness Services, O=Etisalat, C=AE
Algorithm: RSA; Serial number: 0x118
Valid from Wed Nov 01 12:09:39 GST 2006 until Fri Dec 01 12:09:38 GST 2006
trigger seeding of SecureRandom
done seeding SecureRandom
SecureServer is listening on port 443.
matching alias: 1b171437ea2e3946aa536179d508b6eb_f9948e6e-6fdb-4f6e-b09e-613f60f00e41
Accepted connection to 192.168.254.1 (192.168.254.1) on port 2879.
----------1-1-1-----
[Raw read]: length = 5
0000: 80 62 01 03 01 .b...
[Raw read]: length = 95
0000: 00 39 00 00 00 20 00 00 04 01 00 80 00 00 05 00 .9... ..........
0010: 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 ./..3..2........
0020: 16 00 00 13 00 00 09 06 00 40 00 00 15 00 00 12 .........@......
0030: 00 00 03 02 00 80 00 00 08 00 00 14 00 00 11 45 ...............E
0040: 49 02 A0 AA 35 C2 92 48 CA FD 03 76 64 95 65 D6 I...5..H...vd.e.
0050: 97 8F 8C 88 86 FD 03 19 0E 10 B8 7E 68 8F 30 ............h.0
[read] MD5 and SHA1 hashes: len = 3
0000: 01 03 01 ...
[read] MD5 and SHA1 hashes: len = 95
0000: 00 39 00 00 00 20 00 00 04 01 00 80 00 00 05 00 .9... ..........
0010: 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 ./..3..2........
0020: 16 00 00 13 00 00 09 06 00 40 00 00 15 00 00 12 .........@......
0030: 00 00 03 02 00 80 00 00 08 00 00 14 00 00 11 45 ...............E
0040: 49 02 A0 AA 35 C2 92 48 CA FD 03 76 64 95 65 D6 I...5..H...vd.e.
0050: 97 8F 8C 88 86 FD 03 19 0E 10 B8 7E 68 8F 30 ............h.0
Thread-0, READ: SSL v2, contentType = Handshake, translated length = 73
*** ClientHello, TLSv1
RandomCookie: GMT: 1162412448 bytes = { 170, 53, 194, 146, 72, 202, 253, 3, 118, 100, 149, 101, 214, 151, 143, 140, 136, 134, 253, 3, 25, 14, 16, 184, 126, 104, 143, 48 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1162412463 bytes = { 44, 156, 132, 21, 120, 87, 69, 229, 176, 58, 159, 137, 35, 145, 220, 129, 236, 8, 45, 127, 240, 221, 7, 210, 241, 52, 150, 138 }
Session ID: {69, 73, 2, 175, 117, 130, 69, 187, 79, 198, 111, 18, 143, 44, 89, 188, 221, 232, 110, 109, 149, 122, 194, 49, 150, 66, 164, 65, 72, 177, 218, 89}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 512 bits
modulus: 9683790188147953162795730790793527257397758989267819282372960853921863644980017792669595318858981940986671279705015616513809624780681913479305781592431811
public exponent: 65537
Validity: [From: Wed Nov 01 12:09:39 GST 2006,
               To: Fri Dec 01 12:09:38 GST 2006]
Issuer: CN=Comtrust Demo CA, OU=Comtrust eBusiness Services, O=Etisalat, C=AE
SerialNumber: [    0118]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 36 C0 C7 73 46 9E FB 0B C4 9E 93 48 B3 CA A5 .6..sF......H...
0010: 07 1A FD B5 ....
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: [email protected]]]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
0000: 30 66 30 64 A0 62 A0 60 86 5E 6C 64 61 70 3A 2F 0f0d.b.`.^ldap:/
0010: 2F 6C 64 61 70 2E 63 6F 6D 74 72 75 73 74 2E 63 /ldap.comtrust.c
0020: 6F 2E 61 65 2F 43 4E 3D 43 6F 6D 74 72 75 73 74 o.ae/CN=Comtrust
0030: 20 44 65 6D 6F 20 43 41 2C 20 4F 55 3D 43 6F 6D Demo CA, OU=Com
0040: 74 72 75 73 74 20 65 42 75 73 69 6E 65 73 73 20 trust eBusiness
0050: 53 65 72 76 69 63 65 73 2C 4F 3D 45 74 69 73 61 Services,O=Etisa
0060: 6C 61 74 2C 43 3D 41 45 lat,C=AE
Algorithm: [SHA1withRSA]
Signature:
0000: 41 AC BF FB 89 E2 5D C3 41 40 95 74 41 9B D4 4D A.....][email protected]
0010: 02 2D AE 92 85 CD 8B 55 5E 8A E9 CA 1F 20 36 2A .-.....U^.... 6*
0020: 36 89 8F 84 22 AB 4F 8B B3 8B 7A DD 88 B3 98 B1 6...".O...z.....
0030: EE D0 82 06 D2 75 2F DD 36 2E 30 C6 6D 92 0A 7D .....u/.6.0.m...
0040: 61 F1 90 71 00 FA 09 86 2E B7 76 00 EE 4B 85 90 a..q......v..K..
0050: CD A0 0A 20 F2 C7 0C 49 E4 A0 71 83 FB 9A 4A EF ... ...I..q...J.
0060: ED 4A E9 36 C5 00 59 A8 EF 28 66 1E CC 81 FC FA .J.6..Y..(f.....
0070: 75 B0 B5 B8 0E 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 u...._.N....NL,.
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE>
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 938
0000: 02 00 00 46 03 01 45 49 02 AF 2C 9C 84 15 78 57 ...F..EI..,...xW
0010: 45 E5 B0 3A 9F 89 23 91 DC 81 EC 08 2D 7F F0 DD E..:..#.....-...
0020: 07 D2 F1 34 96 8A 20 45 49 02 AF 75 82 45 BB 4F ...4.. EI..u.E.O
0030: C6 6F 12 8F 2C 59 BC DD E8 6E 6D 95 7A C2 31 96 .o..,Y...nm.z.1.
0040: 42 A4 41 48 B1 DA 59 00 04 00 0B 00 02 DD 00 02 B.AH..Y.........
0050: DA 00 02 D7 30 82 02 D3 30 82 02 3C A0 03 02 01 ....0...0..<....
0060: 02 02 02 01 18 30 0D 06 09 2A 86 48 86 F7 0D 01 .....0...*.H....
0070: 01 05 05 00 30 61 31 0B 30 09 06 03 55 04 06 13 ....0a1.0...U...
0080: 02 41 45 31 11 30 0F 06 03 55 04 0A 13 08 45 74 .AE1.0...U....Et
0090: 69 73 61 6C 61 74 31 24 30 22 06 03 55 04 0B 13 isalat1$0"..U...
00A0: 1B 43 6F 6D 74 72 75 73 74 20 65 42 75 73 69 6E .Comtrust eBusin
00B0: 65 73 73 20 53 65 72 76 69 63 65 73 31 19 30 17 ess Services1.0.
00C0: 06 03 55 04 03 13 10 43 6F 6D 74 72 75 73 74 20 ..U....Comtrust
00D0: 44 65 6D 6F 20 43 41 30 1E 17 0D 30 36 31 31 30 Demo CA0...06110
00E0: 31 30 38 30 39 33 39 5A 17 0D 30 36 31 32 30 31 1080939Z..061201
00F0: 30 38 30 39 33 38 5A 30 6E 31 0B 30 09 06 03 55 080938Z0n1.0...U
0100: 04 06 13 02 41 45 31 0E 30 0C 06 03 55 04 07 13 ....AE1.0...U...
0110: 05 64 75 62 61 69 31 14 30 12 06 03 55 04 2E 13 .dubai1.0...U...
0120: 0B 31 32 31 34 31 37 32 36 39 30 37 31 25 30 23 .121417269071%0#
0130: 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 62 61 62 ..*.H........bab
0140: 75 65 40 65 6D 69 72 61 74 65 73 62 61 6E 6B 2E ue@nbdbank.
0150: 63 6F 6D 31 12 30 10 06 03 55 04 03 13 09 62 61 com1.0...U....ba
0160: 62 75 20 62 61 62 75 30 5C 30 0D 06 09 2A 86 48 bu babu0\0...*.H
0170: 86 F7 0D 01 01 01 05 00 03 4B 00 30 48 02 41 00 .........K.0H.A.
0180: B8 E5 61 65 47 4F AE 19 55 98 CE 56 A9 4F 73 33 ..aeGO..U..V.Os3
0190: 5E 73 FD 26 1B AD 63 C8 C9 91 53 7E 7E CB 15 18 ^s.&..c...S.....
01A0: EB 78 00 8A 23 DD 03 68 2E 1F AE 3D 5F 53 3D 64 .x..#..h...=_S=d
01B0: 76 2C 87 F5 12 07 F3 17 C6 7D 04 F1 21 DF 9C C3 v,..........!...
01C0: 02 03 01 00 01 A3 81 D0 30 81 CD 30 1F 06 03 55 ........0..0...U
01D0: 1D 23 04 18 30 16 80 14 7B 36 C0 C7 73 46 9E FB .#..0....6..sF..
01E0: 0B C4 9E 93 48 B3 CA A5 07 1A FD B5 30 09 06 03 ....H.......0...
01F0: 55 1D 13 04 02 30 00 30 0B 06 03 55 1D 0F 04 04 U....0.0...U....
0200: 03 02 05 A0 30 21 06 03 55 1D 11 04 1A 30 18 81 ....0!..U....0..
0210: 16 62 61 62 75 65 40 65 6D 69 72 61 74 65 73 62 .babue@nbdb
0220: 61 6E 6B 2E 63 6F 6D 30 6F 06 03 55 1D 1F 04 68 ank.com0o..U...h
0230: 30 66 30 64 A0 62 A0 60 86 5E 6C 64 61 70 3A 2F 0f0d.b.`.^ldap:/
0240: 2F 6C 64 61 70 2E 63 6F 6D 74 72 75 73 74 2E 63 /ldap.comtrust.c
0250: 6F 2E 61 65 2F 43 4E 3D 43 6F 6D 74 72 75 73 74 o.ae/CN=Comtrust
0260: 20 44 65 6D 6F 20 43 41 2C 20 4F 55 3D 43 6F 6D Demo CA, OU=Com
0270: 74 72 75 73 74 20 65 42 75 73 69 6E 65 73 73 20 trust eBusiness
0280: 53 65 72 76 69 63 65 73 2C 4F 3D 45 74 69 73 61 Services,O=Etisa
0290: 6C 61 74 2C 43 3D 41 45 30 0D 06 09 2A 86 48 86 lat,C=AE0...*.H.
02A0: F7 0D 01 01 05 05 00 03 81 81 00 41 AC BF FB 89 ...........A....
02B0: E2 5D C3 41 40 95 74 41 9B D4 4D 02 2D AE 92 85 .][email protected]...
02C0: CD 8B 55 5E 8A E9 CA 1F 20 36 2A 36 89 8F 84 22 ..U^.... 6*6..."
02D0: AB 4F 8B B3 8B 7A DD 88 B3 98 B1 EE D0 82 06 D2 .O...z..........
02E0: 75 2F DD 36 2E 30 C6 6D 92 0A 7D 61 F1 90 71 00 u/.6.0.m...a..q.
02F0: FA 09 86 2E B7 76 00 EE 4B 85 90 CD A0 0A 20 F2 .....v..K..... .
0300: C7 0C 49 E4 A0 71 83 FB 9A 4A EF ED 4A E9 36 C5 ..I..q...J..J.6.
0310: 00 59 A8 EF 28 66 1E CC 81 FC FA 75 B0 B5 B8 0E .Y..(f.....u....
0320: 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 0D 00 00 77 02 _.N....NL,....w.
0330: 01 02 00 72 00 70 30 6E 31 0B 30 09 06 03 55 04 ...r.p0n1.0...U.
0340: 06 13 02 41 45 31 0E 30 0C 06 03 55 04 07 13 05 ...AE1.0...U....
0350: 64 75 62 61 69 31 14 30 12 06 03 55 04 2E 13 0B dubai1.0...U....
0360: 31 32 31 34 31 37 32 36 39 30 37 31 25 30 23 06 121417269071%0#.
0370: 09 2A 86 48 86 F7 0D 01 09 01 16 16 62 61 62 75 .*.H........babu
0380: 65 40 65 6D 69 72 61 74 65 73 62 61 6E 6B 2E 63 [email protected]
0390: 6F 6D 31 12 30 10 06 03 55 04 03 13 09 62 61 62 om1.0...U....bab
03A0: 75 20 62 61 62 75 0E 00 00 00 u babu....
Thread-0, WRITE: TLSv1 Handshake, length = 938
[Raw write]: length = 943
0000: 16 03 01 03 AA 02 00 00 46 03 01 45 49 02 AF 2C ........F..EI..,
0010: 9C 84 15 78 57 45 E5 B0 3A 9F 89 23 91 DC 81 EC ...xWE..:..#....
0020: 08 2D 7F F0 DD 07 D2 F1 34 96 8A 20 45 49 02 AF .-......4.. EI..
0030: 75 82 45 BB 4F C6 6F 12 8F 2C 59 BC DD E8 6E 6D u.E.O.o..,Y...nm
0040: 95 7A C2 31 96 42 A4 41 48 B1 DA 59 00 04 00 0B .z.1.B.AH..Y....
0050: 00 02 DD 00 02 DA 00 02 D7 30 82 02 D3 30 82 02 .........0...0..
0060: 3C A0 03 02 01 02 02 02 01 18 30 0D 06 09 2A 86 <.........0...*.
0070: 48 86 F7 0D 01 01 05 05 00 30 61 31 0B 30 09 06 H........0a1.0..
0080: 03 55 04 06 13 02 41 45 31 11 30 0F 06 03 55 04 .U....AE1.0...U.
0090: 0A 13 08 45 74 69 73 61 6C 61 74 31 24 30 22 06 ...Etisalat1$0".
00A0: 03 55 04 0B 13 1B 43 6F 6D 74 72 75 73 74 20 65 .U....Comtrust e
00B0: 42 75 73 69 6E 65 73 73 20 53 65 72 76 69 63 65 Business Service
00C0: 73 31 19 30 17 06 03 55 04 03 13 10 43 6F 6D 74 s1.0...U....Comt
00D0: 72 75 73 74 20 44 65 6D 6F 20 43 41 30 1E 17 0D rust Demo CA0...
00E0: 30 36 31 31 30 31 30 38 30 39 33 39 5A 17 0D 30 061101080939Z..0
00F0: 36 31 32 30 31 30 38 30 39 33 38 5A 30 6E 31 0B 61201080938Z0n1.
0100: 30 09 06 03 55 04 06 13 02 41 45 31 0E 30 0C 06 0...U....AE1.0..
0110: 03 55 04 07 13 05 64 75 62 61 69 31 14 30 12 06 .U....dubai1.0..
0120: 03 55 04 2E 13 0B 31 32 31 34 31 37 32 36 39 30 .U....1214172690
0130: 37 31 25 30 23 06 09 2A 86 48 86 F7 0D 01 09 01 71%0#..*.H......
0140: 16 16 62 61 62 75 65 40 65 6D 69 72 61 74 65 73 ..babue@nbd
0150: 62 61 6E 6B 2E 63 6F 6D 31 12 30 10 06 03 55 04 bank.com1.0...U.
0160: 03 13 09 62 61 62 75 20 62 61 62 75 30 5C 30 0D ...babu babu0\0.
0170: 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 ..*.H.........K.
0180: 30 48 02 41 00 B8 E5 61 65 47 4F AE 19 55 98 CE 0H.A...aeGO..U..
0190: 56 A9 4F 73 33 5E 73 FD 26 1B AD 63 C8 C9 91 53 V.Os3^s.&..c...S
01A0: 7E 7E CB 15 18 EB 78 00 8A 23 DD 03 68 2E 1F AE ......x..#..h...
01B0: 3D 5F 53 3D 64 76 2C 87 F5 12 07 F3 17 C6 7D 04 =_S=dv,.........
01C0: F1 21 DF 9C C3 02 03 01 00 01 A3 81 D0 30 81 CD .!...........0..
01D0: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 7B 36 C0 0...U.#..0....6.
01E0: C7 73 46 9E FB 0B C4 9E 93 48 B3 CA A5 07 1A FD .sF......H......
01F0: B5 30 09 06 03 55 1D 13 04 02 30 00 30 0B 06 03 .0...U....0.0...
0200: 55 1D 0F 04 04 03 02 05 A0 30 21 06 03 55 1D 11 U........0!..U..
0210: 04 1A 30 18 81 16 62 61 62 75 65 40 65 6D 69 72 ..0...babue@emir
0220: 61 74 65 73 62 61 6E 6B 2E 63 6F 6D 30 6F 06 03 atesbank.com0o..
0230: 55 1D 1F 04 68 30 66 30 64 A0 62 A0 60 86 5E 6C U...h0f0d.b.`.^l
0240: 64 61 70 3A 2F 2F 6C 64 61 70 2E 63 6F 6D 74 72 dap://ldap.comtr
0250: 75 73 74 2E 63 6F 2E 61 65 2F 43 4E 3D 43 6F 6D ust.co.ae/CN=Com
0260: 74 72 75 73 74 20 44 65 6D 6F 20 43 41 2C 20 4F trust Demo CA, O
0270: 55 3D 43 6F 6D 74 72 75 73 74 20 65 42 75 73 69 U=Comtrust eBusi
0280: 6E 65 73 73 20 53 65 72 76 69 63 65 73 2C 4F 3D ness Services,O=
0290: 45 74 69 73 61 6C 61 74 2C 43 3D 41 45 30 0D 06 Etisalat,C=AE0..
02A0: 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 .*.H............
02B0: 41 AC BF FB 89 E2 5D C3 41 40 95 74 41 9B D4 4D A.....][email protected]
02C0: 02 2D AE 92 85 CD 8B 55 5E 8A E9 CA 1F 20 36 2A .-.....U^.... 6*
02D0: 36 89 8F 84 22 AB 4F 8B B3 8B 7A DD 88 B3 98 B1 6...".O...z.....
02E0: EE D0 82 06 D2 75 2F DD 36 2E 30 C6 6D 92 0A 7D .....u/.6.0.m...
02F0: 61 F1 90 71 00 FA 09 86 2E B7 76 00 EE 4B 85 90 a..q......v..K..
0300: CD A0 0A 20 F2 C7 0C 49 E4 A0 71 83 FB 9A 4A EF ... ...I..q...J.
0310: ED 4A E9 36 C5 00 59 A8 EF 28 66 1E CC 81 FC FA .J.6..Y..(f.....
0320: 75 B0 B5 B8 0E 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 u...._.N....NL,.
0330: 0D 00 00 77 02 01 02 00 72 00 70 30 6E 31 0B 30 ...w....r.p0n1.0
0340: 09 06 03 55 04 06 13 02 41 45 31 0E 30 0C 06 03 ...U....AE1.0...
0350: 55 04 07 13 05 64 75 62 61 69 31 14 30 12 06 03 U....dubai1.0...
0360: 55 04 2E 13 0B 31 32 31 34 31 37 32 36 39 30 37 U....12141726907
0370: 31 25 30 23 06 09 2A 86 48 86 F7 0D 01 09 01 16 1%0#..*.H.......
0380: 16 62 61 62 75 65 40 65 6D 69 72 61 74 65 73 62 .babue@nbdb
0390: 61 6E 6B 2E 63 6F 6D 31 12 30 10 06 03 55 04 03 ank.com1.0...U..
03A0: 13 09 62 61 62 75 20 62 61 62 75 0E 00 00 00 ..babu babu....
[Raw read]: length = 5
0000: 16 03 01 00 4D ....M
[Raw read]: length = 77
0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 25 49 2D ..........B.@%I-
0010: 10 ED DE 8A 27 28 E1 F9 CD 1B 1C 51 E1 A0 C7 2E ....'(.....Q....
0020: CA 7C A0 1F 19 E2 88 C4 41 49 33 7A CD 1C EA D8 ........AI3z....
0030: 6A C9 EC 32 88 81 73 D1 42 A4 7D BE 17 32 E3 5B j..2..s.B....2.[
0040: EA A5 2C 5D EC 0D 8A 76 CB F6 1D 82 0B ..,]...v.....
Thread-0, READ: TLSv1 Handshake, length = 77
*** Certificate chain
Thread-0, SEND TLSv1 ALERT: fatal, description = bad_certificate
Thread-0, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2A ......*
Thread-0, called closeSocket()
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
IOException occurred when processing request.
Thread-0, called close()
Thread-0, called closeInternal(true)
Accepted connection to 192.168.254.1 (192.168.254.1) on port 2990.
----------1-1-1-----
[Raw read]: length = 5
0000: 80 62 01 03 01 .b...
[Raw read]: length = 95
0000: 00 39 00 00 00 20 00 00 04 01 00 80 00 00 05 00 .9... ..........
0010: 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 ./..3..2........
0020: 16 00 00 13 00 00 09 06 00 40 00 00 15 00 00 12 .........@......
0030: 00 00 03 02 00 80 00 00 08 00 00 14 00 00 11 45 ...............E
0040: 49 06 56 DE 63 83 34 50 9F A8 B4 E3 30 2F C0 79 I.V.c.4P....0/.y
0050: 42 45 1A 6A A3 A4 20 2D 89 10 A0 25 AE 48 66 BE.j.. -...%.Hf
[read] MD5 and SHA1 hashes: len = 3
0000: 01 03 01 ...
[read] MD5 and SHA1 hashes: len = 95
0000: 00 39 00 00 00 20 00 00 04 01 00 80 00 00 05 00 .9... ..........
0010: 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 ./..3..2........
0020: 16 00 00 13 00 00 09 06 00 40 00 00 15 00 00 12 .........@......
0030: 00 00 03 02 00 80 00 00 08 00 00 14 00 00 11 45 ...............E
0040: 49 06 56 DE 63 83 34 50 9F A8 B4 E3 30 2F C0 79 I.V.c.4P....0/.y
0050: 42 45 1A 6A A3 A4 20 2D 89 10 A0 25 AE 48 66 BE.j.. -...%.Hf
Thread-1, READ: SSL v2, contentType = Handshake, translated length = 73
*** ClientHello, TLSv1
RandomCookie: GMT: 1162413654 bytes = { 222, 99, 131, 52, 80, 159, 168, 180, 227, 48, 47, 192, 121, 66, 69, 26, 106, 163, 164, 32, 45, 137, 16, 160, 37, 174, 72, 102 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1162413669 bytes = { 30, 208, 109, 78, 140, 101, 21, 219, 26, 140, 158, 150, 32, 100, 190, 23, 140, 102, 8, 144, 137, 86, 160, 236, 214, 245, 33, 94 }
Session ID: {69, 73, 6, 101, 151, 179, 48, 160, 233, 21, 49, 37, 62, 184, 27, 54, 134, 50, 218, 49, 149, 61, 139, 27, 93, 80, 81, 120, 238, 184, 24, 110}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 512 bits
modulus: 9683790188147953162795730790793527257397758989267819282372960853921863644980017792669595318858981940986671279705015616513809624780681913479305781592431811
public exponent: 65537
Validity: [From: Wed Nov 01 12:09:39 GST 2006,
               To: Fri Dec 01 12:09:38 GST 2006]
Issuer: CN=Comtrust Demo CA, OU=Comtrust eBusiness Services, O=Etisalat, C=AE
SerialNumber: [    0118]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 36 C0 C7 73 46 9E FB 0B C4 9E 93 48 B3 CA A5 .6..sF......H...
0010: 07 1A FD B5 ....
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: [email protected]]]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
0000: 30 66 30 64 A0 62 A0 60 86 5E 6C 64 61 70 3A 2F 0f0d.b.`.^ldap:/
0010: 2F 6C 64 61 70 2E 63 6F 6D 74 72 75 73 74 2E 63 /ldap.comtrust.c
0020: 6F 2E 61 65 2F 43 4E 3D 43 6F 6D 74 72 75 73 74 o.ae/CN=Comtrust
0030: 20 44 65 6D 6F 20 43 41 2C 20 4F 55 3D 43 6F 6D Demo CA, OU=Com
0040: 74 72 75 73 74 20 65 42 75 73 69 6E 65 73 73 20 trust eBusiness
0050: 53 65 72 76 69 63 65 73 2C 4F 3D 45 74 69 73 61 Services,O=Etisa
0060: 6C 61 74 2C 43 3D 41 45 lat,C=AE
Algorithm: [SHA1withRSA]
Signature:
0000: 41 AC BF FB 89 E2 5D C3 41 40 95 74 41 9B D4 4D A.....][email protected]
0010: 02 2D AE 92 85 CD 8B 55 5E 8A E9 CA 1F 20 36 2A .-.....U^.... 6*
0020: 36 89 8F 84 22 AB 4F 8B B3 8B 7A DD 88 B3 98 B1 6...".O...z.....
0030: EE D0 82 06 D2 75 2F DD 36 2E 30 C6 6D 92 0A 7D .....u/.6.0.m...
0040: 61 F1 90 71 00 FA 09 86 2E B7 76 00 EE 4B 85 90 a..q......v..K..
0050: CD A0 0A 20 F2 C7 0C 49 E4 A0 71 83 FB 9A 4A EF ... ...I..q...J.
0060: ED 4A E9 36 C5 00 59 A8 EF 28 66 1E CC 81 FC FA .J.6..Y..(f.....
0070: 75 B0 B5 B8 0E 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 u...._.N....NL,.
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=babu babu, [email protected], DNQ=12141726907, L=dubai, C=AE>
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 938
0000: 02 00 00 46 03 01 45 49 06 65 1E D0 6D 4E 8C 65 ...F..EI.e..mN.e
0010: 15 DB 1A 8C 9E 96 20 64 BE 17 8C 66 08 90 89 56 ...... d...f...V
0020: A0 EC D6 F5 21 5E 20 45 49 06 65 97 B3 30 A0 E9 ....!^ EI.e..0..
0030: 15 31 25 3E B8 1B 36 86 32 DA 31 95 3D 8B 1B 5D .1%>..6.2.1.=..]
0040: 50 51 78 EE B8 18 6E 00 04 00 0B 00 02 DD 00 02 PQx...n.........
0050: DA 00 02 D7 30 82 02 D3 30 82 02 3C A0 03 02 01 ....0...0..<....
0060: 02 02 02 01 18 30 0D 06 09 2A 86 48 86 F7 0D 01 .....0...*.H....
0070: 01 05 05 00 30 61 31 0B 30 09 06 03 55 04 06 13 ....0a1.0...U...
0080: 02 41 45 31 11 30 0F 06 03 55 04 0A 13 08 45 74 .AE1.0...U....Et
0090: 69 73 61 6C 61 74 31 24 30 22 06 03 55 04 0B 13 isalat1$0"..U...
00A0: 1B 43 6F 6D 74 72 75 73 74 20 65 42 75 73 69 6E .Comtrust eBusin
00B0: 65 73 73 20 53 65 72 76 69 63 65 73 31 19 30 17 ess Services1.0.
00C0: 06 03 55 04 03 13 10 43 6F 6D 74 72 75 73 74 20 ..U....Comtrust
00D0: 44 65 6D 6F 20 43 41 30 1E 17 0D 30 36 31 31 30 Demo CA0...06110
00E0: 31 30 38 30 39 33 39 5A 17 0D 30 36 31 32 30 31 1080939Z..061201
00F0: 30 38 30 39 33 38 5A 30 6E 31 0B 30 09 06 03 55 080938Z0n1.0...U
0100: 04 06 13 02 41 45 31 0E 30 0C 06 03 55 04 07 13 ....AE1.0...U...
0110: 05 64 75 62 61 69 31 14 30 12 06 03 55 04 2E 13 .dubai1.0...U...
0120: 0B 31 32 31 34 31 37 32 36 39 30 37 31 25 30 23 .121417269071%0#
0130: 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 62 61 62 ..*.H........bab
0140: 75 65 40 65 6D 69 72 61 74 65 73 62 61 6E 6B 2E ue@nbdbank.
0150: 63 6F 6D 31 12 30 10 06 03 55 04 03 13 09 62 61 com1.0...U....ba
0160: 62 75 20 62 61 62 75 30 5C 30 0D 06 09 2A 86 48 bu babu0\0...*.H
0170: 86 F7 0D 01 01 01 05 00 03 4B 00 30 48 02 41 00 .........K.0H.A.
0180: B8 E5 61 65 47 4F AE 19 55 98 CE 56 A9 4F 73 33 ..aeGO..U..V.Os3
0190: 5E 73 FD 26 1B AD 63 C8 C9 91 53 7E 7E CB 15 18 ^s.&..c...S.....
01A0: EB 78 00 8A 23 DD 03 68 2E 1F AE 3D 5F 53 3D 64 .x..#..h...=_S=d
01B0: 76 2C 87 F5 12 07 F3 17 C6 7D 04 F1 21 DF 9C C3 v,..........!...
01C0: 02 03 01 00 01 A3 81 D0 30 81 CD 30 1F 06 03 55 ........0..0...U
01D0: 1D 23 04 18 30 16 80 14 7B 36 C0 C7 73 46 9E FB .#..0....6..sF..
01E0: 0B C4 9E 93 48 B3 CA A5 07 1A FD B5 30 09 06 03 ....H.......0...
01F0: 55 1D 13 04 02 30 00 30 0B 06 03 55 1D 0F 04 04 U....0.0...U....
0200: 03 02 05 A0 30 21 06 03 55 1D 11 04 1A 30 18 81 ....0!..U....0..
0210: 16 62 61 62 75 65 40 65 6D 69 72 61 74 65 73 62 .babue@nbdb
0220: 61 6E 6B 2E 63 6F 6D 30 6F 06 03 55 1D 1F 04 68 ank.com0o..U...h
0230: 30 66 30 64 A0 62 A0 60 86 5E 6C 64 61 70 3A 2F 0f0d.b.`.^ldap:/
0240: 2F 6C 64 61 70 2E 63 6F 6D 74 72 75 73 74 2E 63 /ldap.comtrust.c
0250: 6F 2E 61 65 2F 43 4E 3D 43 6F 6D 74 72 75 73 74 o.ae/CN=Comtrust
0260: 20 44 65 6D 6F 20 43 41 2C 20 4F 55 3D 43 6F 6D Demo CA, OU=Com
0270: 74 72 75 73 74 20 65 42 75 73 69 6E 65 73 73 20 trust eBusiness
0280: 53 65 72 76 69 63 65 73 2C 4F 3D 45 74 69 73 61 Services,O=Etisa
0290: 6C 61 74 2C 43 3D 41 45 30 0D 06 09 2A 86 48 86 lat,C=AE0...*.H.
02A0: F7 0D 01 01 05 05 00 03 81 81 00 41 AC BF FB 89 ...........A....
02B0: E2 5D C3 41 40 95 74 41 9B D4 4D 02 2D AE 92 85 .][email protected]...
02C0: CD 8B 55 5E 8A E9 CA 1F 20 36 2A 36 89 8F 84 22 ..U^.... 6*6..."
02D0: AB 4F 8B B3 8B 7A DD 88 B3 98 B1 EE D0 82 06 D2 .O...z..........
02E0: 75 2F DD 36 2E 30 C6 6D 92 0A 7D 61 F1 90 71 00 u/.6.0.m...a..q.
02F0: FA 09 86 2E B7 76 00 EE 4B 85 90 CD A0 0A 20 F2 .....v..K..... .
0300: C7 0C 49 E4 A0 71 83 FB 9A 4A EF ED 4A E9 36 C5 ..I..q...J..J.6.
0310: 00 59 A8 EF 28 66 1E CC 81 FC FA 75 B0 B5 B8 0E .Y..(f.....u....
0320: 5F BE 4E C6 D0 B3 BA 4E 4C 2C B9 0D 00 00 77 02 _.N....NL,....w.
0330: 01 02 00 72 00 70 30 6E 31 0B 30 09 06 03 55 04 ...r.p0n1.0...U.
0340: 06 13 02 41 45 31 0E 30 0C 06 03 55 04 07 13 05 ...AE1.0...U....
0350: 64 75 62 61 69 31 14 30 12 06 03 55 04 2E 13 0B dubai1.0...U....
0360: 31 32 31 34 31 37 32 36 39 30 37 31 25 30 23 06 121417269071%0#.
0370: 09 2A 86 48 86 F7 0D 01 09 01 16 16 62 61 62 75 .*.H........babu
0380: 65 40 65 6D 69 72 61 74 65 73 62 61 6E 6B 2E 63 [email protected]
0390: 6F 6D 31 12 30 10 06 03 55 04 03 13 09 62 61 62 om1.0...U....bab
03A0: 75 20 62 61 62 75 0E 00 00 00 u babu....
Thread-1, WRITE: TLSv1 Handshake, length = 938
[Raw write]: length = 943
0000: 16 03 01 03 AA 02 00 00 46 03 01 45 49 06 65 1E ........F..EI.e.
0010: D0 6D 4E 8C 65 15 DB 1A 8C 9E 96 20 64 BE 17 8C .mN.e...... d...
0020: 66 08 90 89 56 A0 EC D6 F5 21 5E 20 45 49 06 65 f...V....!^ EI.e
0030: 97 B3 30 A0 E9 15 31 25 3E B8 1B 36 86 32 DA 31 ..0...1%>..6.2.1
0040: 95 3D 8B 1B 5D 50 51 78

Few questions for you, before I go off in a completely
different direction than you're after...
Are you using a third party Crypto Provider?
Do you need to be able to read these files into Java
often, or is this a one-time-only type conversion?Hi,
I got these files from a third party as part of a small project. They used openssl to generate the private keys, and the corresponding certificates. They dont have a file such as keyfile or anything similar so that I could generate a keystore. But I know the passwords which was used to generate the key.
The private keys are in pem (they've used pkcs12) and stored as:
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
I don't know how to read the private keys. I've managed to read the certificates by doing:
FileInputStream in = new FileInputStream(filename);
CertificateFactory cf = CertificateFactory.getInstance("X509");
cert = (X509Certificate) cf.generateCertificate(in);
in.close();
I am using Bouncy Castle Crypto, and yes I will need to read these files often.
Thanks

Some questions about javacard 2.1.1 and smartcardio

Hello i have some question about java card 2.1.1 and the smartcardio package.
1.) I want to sign a message with the Signature.ALG_RSA_SHA_PKCS1 algorithm. I use the following code in the applet to sign the message:
final static byte P1_CREATION_MODE = (byte) 0x01;
final static byte INS_SIGN_MODE = (byte) 0x60;
final static byte SmartCard_CLA = (byte) 0xB0;
private void signMessage(APDU apdu) {
        byte[] buffer = apdu.getBuffer();
        byte byteRead = (byte) (apdu.setIncomingAndReceive());
        signature.init(privateKey, Signature.MODE_SIGN);
        short length = signature.sign(buffer, ISO7816.OFFSET_CDATA, byteRead, buffer, (short) 0);
        apdu.setOutgoingLength((short) length);
        apdu.sendBytesLong(buffer, (short) ISO7816.OFFSET_CDATA, (short) length);
        apdu.setOutgoing();
    }On the host side I use the following code to connect to the card and to send the sign apdu:
if (TerminalFactory.getDefault().terminals().list().size() == 0) {
            LOGGER.log(Level.SEVERE, "No reader present");
            throw new NoSuchCardReader();
        /* Select the first terminal*/
        CardTerminal terminal = TerminalFactory.getDefault().terminals().list().get(0);
        /* Is a card present? */
        if (!terminal.isCardPresent()) {
            LOGGER.log(Level.SEVERE, "No Card present!");
            throw new NoSuchCard();
        /* Set the card protocol */
     Card card = terminal.connect("*");
        ATR atr = card.getATR();
        LOGGER.fine(getHexString(atr.getBytes()));
        LOGGER.fine(getHexString(atr.getHistoricalBytes()));
        CardChannel channel = card.getBasicChannel();
        CommandAPDU cmd = new CommandAPDU((byte) 0xb0, (byte) 0x60, (byte) 0x01, (byte) 0x00, new String("datadatdatadata").getBytes(), (byte) 0x40);
     ResponseAPDU response = channel.transmit(cmd);
        card.disconnect(false);But this does not work and i got the following error
javax.smartcardio.CardException: sun.security.smartcardio.PCSCException: Unknown error 0x8010002f
        at sun.security.smartcardio.ChannelImpl.doTransmit(ChannelImpl.java:202)
        at sun.security.smartcardio.ChannelImpl.transmit(ChannelImpl.java:73)
        at de.upb.client.smartmeter.SmartMeter.initSmartCardApplet(SmartMeter.java:114)
        at de.upb.client.smartmeter.SmartMeterApplikation.main(SmartMeterApplikation.java:39)
Caused by: sun.security.smartcardio.PCSCException: Unknown error 0x8010002f
        at sun.security.smartcardio.PCSC.SCardTransmit(Native Method)
        at sun.security.smartcardio.ChannelImpl.doTransmit(ChannelImpl.java:171)
        ... 3 more2.) 3Des encryption
I want to use the 3Des algorithm to encrypt my data. I use
keyDES = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES,
                    KeyBuilder.LENGTH_DES3_2KEY, false);
cipherDES = Cipher.getInstance(Cipher.ALG_DES_CBC_ISO9797_M2, false);But i do not know what is the aquivalent on the host side??
3.) Another problem is that i am not able to send the modulus of a public key from the host applikation to the smard card
new CommandAPDU((byte) 0xb0, (byte) 0x20, (byte) 0x01, (byte) 0x00, modulus.toByteArray()); // create the apdu
// the method in the applet
private void setServerKeyMod(APDU apdu) {
        byte[] buffer = apdu.getBuffer();
        try {
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            short off = ISO7816.OFFSET_CDATA;
            // strip of any integer padding
            if (buffer[off] == 0) {
                off++;
                byteRead--;
            publicKeyServer.setModulus(buffer, off, byteRead);
        } catch (APDUException ex) {
            ISOException.throwIt((short) (SW_APDU_EXCEPTION + ex.getReason()));
    }The error code is 6700
4.) My last problem ist, that i am not able to use a value bigger than 0x7F as the ne field in the apducommand, because i get the following error
CommandAPDU((byte) 0xb0, (byte) 0x60, (byte) 0x01, (byte) 0x00, data, (byte) 0xff);
java.lang.IllegalArgumentException: ne must not be negative
        at javax.smartcardio.CommandAPDU.<init>(CommandAPDU.java:371)
        at javax.smartcardio.CommandAPDU.<init>(CommandAPDU.java:252)I thought that it this should be possible in order to use all the bytes of the response apdu.
If you need more code to help please let me know.
Cheers
Edited by: 858145 on 06.07.2011 08:23

2) What is PKCS? what is the difference between
PKCS#11 and PKCS#15??PKCS is the abbreviation of "Public-Key Cryptography Standards"
PKCS #11: Cryptographic Token Interface Standard
See http://www.rsasecurity.com/rsalabs/node.asp?id=2133
PKCS #15: Cryptographic Token Information Format Standard
http://www.rsasecurity.com/rsalabs/node.asp?id=2141
If you want to use yor smartcard as secure token it doesn't have to be a JavaCard.
BTW: I don't remember a way to access PKCS#15 tokens on a JavaCard from within an oncard JavaCard program. If you want to use keys in your oncard program, you have to transfer it onto the card or generate it oncard and export the public key by your own oncard/offcard code.
Jan

Cipher in multihreaded environments

Hi,
I have short question because I didn't find an anwser yet.
Is the Cipher I use to encrypt/decrypt multithreading-safe?
I ask this because I want to use it in a web-environment.
I have something like this:
public class Whatever {
     // Are these to fields Thread safe?
     private static Cipher cipherEncrypt;
     private static Cipher cipherDecrypt;
     private static Key key = new SecretKeySpec("donttell".getBytes(), "DES");
     private static boolean initialised = false;
     private void initialise() {
          if (!initialised) {
               synchronized (ImmonetCookie.class) {
                    if (!initialised) {
                         try {
                              cipherEncrypt = Cipher.getInstance("DES"); // This one is very expensive, so we try to avoid it for every user
                              cipherEncrypt.init(Cipher.ENCRYPT_MODE, key);
                              cipherDecrypt = Cipher.getInstance("DES");
                              cipherDecrypt.init(Cipher.DECRYPT_MODE, key);
                         catch (Exception ex) {
                              logger.error("..", ex);
                         initialised = true;
     protected String encryptValue(String value) {
          ByteArrayOutputStream output = new ByteArrayOutputStream();
          // Here we use the cipher ..
          CipherOutputStream cos = new CipherOutputStream(output, cipherEncrypt);
          try {
               cos.write(value.getBytes());
               cos.close();
          catch (IOException e) {
               logger.error("..", e);
               return null;
          return new String(Base64.encodeBase64(output.toByteArray()));
     protected String decryptValue(String value) {
          ByteArrayInputStream input = new ByteArrayInputStream(Base64.decodeBase64(value.getBytes()));
          // .. and here we use the cipher
          CipherInputStream cis = new CipherInputStream(input, cipherDecrypt);
          BufferedReader reader = new BufferedReader(new InputStreamReader(cis));
          try {
               StringBuffer buffer = new StringBuffer();
               String next = reader.readLine();
               while (next != null) {
                    buffer.append(next);
                    next = reader.readLine();
               reader.close();
               return buffer.toString();
          catch (IOException e) {
               logger.error("..", e);
          return null;
}

Cipher keeps internal state between init, update, and doFinal time. I suspect that what you're doing here will fail horribly.
And why do you think that Cipher.getInstance("DES") is so awful? The very first time you do it, ever, I suspect it will be,
because I think that's when SecureRandom gets initialized. After that, though, Cipher.getInstance() isn't a big deal.Thanks Grant, this are the information I was searching for. You're right, the getInstance was just the first time very slow,
(Also, if you throw an exception trying to initialize your Ciphers, you -still- set "initialised" to true. This will break the rest of your app, because it will keep trying to use null Ciphers.)
(Your key, btw, is pretty dismal. There are ways of generating reasonable keys from human-readable passwords - a straight getBytes() isn't one of them.)
(And why are you using DES? Ew. AES is actually secure - nowadays, DES is considered so broken that you might almost just as well use plaintext.)Also thanks a lot for your additional useful information, I will dig into it and take it to heart.
Regards
Daniel

Cipher question

Similar Messages

Maybe you are looking for