Java.security.Signature and PKCS #7

Similar Messages

• HT1338 There is a lot of talk about the Java security issues and the ability to download a patch fix, do i need to do this or will software update pick this up for me?

  There is a lot of talk about the Java security issues and the ability to download an apple patch fix, do i need to do this or will software update pick this up for me?

  Thanks for that, how do I establish if I have Java installed as on Safari preferences it indicates the following
  Web content - Enable Java
                      - Enable JavaScript

• Update JDK:Java Security alerts and CPU patching

  what should we do if we already have updated the JDK in various oracle database homes? Should we revert / downgrade to JDK back to the original version or let stay with updated versions per previous Java Security alerts and CPU patch availabiltiy notes? as in MOD doc id:1449674.1

  CPU is a quarterly update containing all (security) patches that are important but do not need immediate implementation. Other alert patches are more important and should be immediatly implemented.

• Java 1.5 and SmartCard Signature.

  Hi there!!
  I developed an applet that signs a document using a private key
  stored in a smart card device. Everything works ok in java 1.4 using
  IAIK's classes (and pkcs11wrapper.dll native library) Now I need to do
  something similar with JAVA 1.5. but the code always ends with
  exception:
  1) Using "Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");"
  java.security.InvalidKeyException:
  Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
  at sun.security.rsa.RSAKeyFactory.translatePrivateKey(Unknown Source)
  at sun.security.rsa.RSAKeyFactory.engineTranslateKey(Unknown Source)
  at sun.security.rsa.RSAKeyFactory.toRSAKey(Unknown Source)
  at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
  at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
  at java.security.Signature$Delegate.init(Unknown Source)
  at java.security.Signature$Delegate.chooseProvider(Unknown Source)
  at java.security.Signature$Delegate.engineInitSign(Unknown Source)
  at java.security.Signature.initSign(Unknown Source)
  at PatoFirma.go(PatoFirma.java:55)
  at PatoFirma.main(PatoFirma.java:14)
  2) Using Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA", pkcs11Provider);
  java.security.ProviderException: Initialization failed
  at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:249)
  at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:27)
  at java.security.Signature$Delegate.engineInitSign(Unknown Source)
  at java.security.Signature.initSign(Unknown Source)
  at PatoFirma.go(PatoFirma.java:55)
  at PatoFirma.main(PatoFirma.java:14)
  Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID
  at sun.security.pkcs11.wrapper.PKCS11.C_SignInit(Native Method)
  at sun.security.pkcs11.P11Signature.initialize(P11Signature.java:241)
  ... 5 more
  What's wrong?
  Many thanks in advance!!!:
  The full code is here:
  import java.io.*;
  import java.util.*;
  import java.security.*;
  import java.security.cert.*;
  import java.lang.reflect.Constructor;
  public class PatoFirma {
      public static void main (String args[]) {
          try {
              PatoFirma pf=new PatoFirma ();
              pf.go();
          catch (Exception ex) {
              ex.printStackTrace();
      public void go () throws Exception {
          // Build smart card configuration
          // In the applet these information is created as String
          // instead of a file (like others PKSC11 examples)
          StringBuffer cardConfig=new StringBuffer();
          cardConfig.append ("slot=1 \n");
          cardConfig.append ("name=SmartCard \n");
          cardConfig.append ("library=c:/WINDOWS/system32/gclib.dll \n");
          ByteArrayInputStream confStream = new ByteArrayInputStream(cardConfig.toString().getBytes());
          // Create the provider
          Class sunPkcs11Class = Class.forName("sun.security.pkcs11.SunPKCS11");
          Constructor pkcs11Constr = sunPkcs11Class.getConstructor(java.io.InputStream.class);
          Provider pkcs11Provider = (Provider) pkcs11Constr.newInstance(confStream);
          // Read the keystore from the smart card
          char[] pin = "1234".toCharArray();
          KeyStore keyStore = KeyStore.getInstance("PKCS11", pkcs11Provider);
          keyStore.load(null, pin);
          // Get the first private key in the keystore:
          PrivateKey privateKey;
          Enumeration aliasesEnum = keyStore.aliases();
          if (aliasesEnum.hasMoreElements()) {
              String alias = (String) aliasesEnum.nextElement();
              privateKey = (PrivateKey) keyStore.getKey(alias, null);
              X509Certificate certificate=(X509Certificate)keyStore.getCertificate(alias);
              System.out.println ("Using the following certificate: "+certificate.getSubjectDN().getName());
          else {
              throw new Exception("EMPTY!!");
          // Sign a sample string:
          Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA", pkcs11Provider);
          signatureAlgorithm.initSign(privateKey);
          // these lines never will be executed :(
          signatureAlgorithm.update("pato cadena".getBytes());
          byte[] digitalSignature = signatureAlgorithm.sign();
  }

  Just read the New Features and Enhancements in the docs that came with each version of the JDK ...

• X.509 and PKCS#11 provider

  Sorry if I'm asking the stupid question, but there is something in JCE PKCS#11 provider architecture that I'm missing.
  Let's say I have some hardware crypto module (e.g. SUN SCA-6000) and want to be sure that all crypto work is done in it. So I would configure PKCS#11 provider as the 1st (highest priority) entry in java.security file (and configure PKCS#11 to use my hardware crypto module).
  Now, let's say I need to work with some X.509 certificate. When I check the supported algorithms of PKCS#11 and SUN providers, it looks like CertificateFactory.X509 algorithm is supported only by SUN provider, and not by PKCS#11 provider.
  http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#ALG
  http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SUNProvider
  So I wonder what does this essentially mean? Does it mean that even though I configured my HCM PKCS#11 provider, some crypto work is still done in other software modules (e.g. SUN provider)? Or may be SUN provider just "decomposes" these "high-level" algorithms to more "primitive" ones (e.g. Signature.SHA1withRSA) and essentially "proxies" all work to whatever provider supports these "primitive" algorithms - i.e. essentially to my HCM PKCS#11 provider?
  Regards,
  Alex

  This is not a stupid question. Any question involving cryptography isn't stupid IMO, and one that includes hardware security modules (HSM) is even less stupid. :-)
  That said, sabre150 has provided some information, and I'll try to add a little more from my experience.
  HSM's are used primarily to perform "raw" cryptographic operations in highly constrained environments for security reasons - the goal is to ensure that symmetric keys (DES, 3DES, AES) or the private-keys of asymmetric key-pairs (RSA, DSA, EC) do not come out of the HSM into the main memory of the computer. This ensure that attackers cannot snoop the secrets from main memory.
  So, the CertificateFactory in JCE is primarily used to do cryptographic operations with the digital certificate; however any operation involving just the digital certificate - and not its corresponding private-key - involves just the public-key in the certificate, the certificate attributes or certificate extensions. Since ALL information in a digital certificate is public information, there is no reason to waste HSM resources to perform X509 operations inside the security module. Not only is there nothing to protect in those operations, but as sabre150 pointed out, some old HSM's may not be able to handle them very well.
  However, some HSM's are not just for security, but they also perform crypto-acceleration. This means that they can speed up raw cryptographic processing, and there is a benefit from having them perform even the public-key operations inside the HSM. However, the PKCS11 libraries will typically send in only the "raw" crypto operation into the HSM, leaving all the certificate-parsing work outside.
  One final point: in order to make sure that you are definitely performing all secret operations inside an HSM, make sure you explicitly name the specific HSM provider for your crypto operations, otherwise the JVM may silently use a software module to perform the operation (if possible) and expose your secret in main memory.
  Hope that helps.

• Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

• Java Not Working, And Still No Answers. What Gives?

  Okay, decided to start this topic anew, since the only response I got to the other one was a post calling me "rude and impatient" (I guess that's what they're calling "persistence" nowadays..) , instead of...well...ignoring my admittedly pushy and harsh tone and actually being helpful. However, for the sake of it, I do apologize for my attitude in my last topic.
  But I digress, let's start off on a new foot, eh? On to the problem that is STILL at hand(in other words, "patience" hasn't gotten me jack, not even a "we don't know yet"):
  So last night (10 PM January 20th), the Firefox Plugin Checker said that my Java version was outdated. I also got a pop-up saying that my current version of Java at the time (Java 7 update 10) had vulnerabilities. So to try and fix this, I went to the Java page and downloaded the update (Java 7 update 11).
  To check and see if my update was working, I went to Java's check page, as well as another page I use. And here I discovered a problem. I got a notification that an old version of Java had been detected, and another prompt to download the current version (which I had already done). So I erased all versions of Java from my control panel, and tried to check it again. And when I did, I got this: http://oi50.tinypic.com/35b6xx2.jpg and http://oi47.tinypic.com/15fg37p.jpg.
  As you can see, both pages tell me that I need to install a missing plugin of some sort. So, thinking this would resolve the issue, I clicked the Install Missing Plugin button. This is what it told me was missing: http://oi45.tinypic.com/302uwbl.jpg. So I clicked next to install it.... and got this: http://oi45.tinypic.com/2cici0x.jpg, which I assume means that the plugin did not install. So I pressed Manual Install... and was lead/linked right back to the Java download page (where it all began, and what doesn't seem to be working in the first place)
  I go to check my plugins again (Just to make sure and also for extra information), and it appears to say that my Java version is current (is that what "Java Deployment Toolkit 7.0.110.21" is? I don't know, I am not good at technology at all. Either way, here is what it looks like: http://oi48.tinypic.com/4kxzz4.jpg). So...if it is current, why is it not working (i.e. I am unable to play games, DO MY COLLEGE CLASSWORK, or play Java-based games)?
  If it helps anything, here is what my control panel looks like in regards to Java right now: http://oi45.tinypic.com/2qlxu9t.jpg Am I missing anything that would make Java work?
  And before anyone says that Java is not essential: It may be that way to you, but I need Java to do classwork for college. Veterinary college.
  So, in short, what is going on with Java, and how can I fix it?
  EDITEDITEDIT: I Have found that I can do my classwork without Java. HOWEVER, this DOES NOT mean that the problem is solved or over with. I STILL WANT TO KNOW HOW TO FIX THIS PROBLEM AND GET JAVA TO WORK. Even if I never actually need it, I would still like to have a (working!!!) Java version because of two reasons: 1) I would rather have such a program and not need it, than need such a program and not have it, and 2) aesthetics. Sorry to say, but I am very particular about how things look when it comes to my belongings, and the fact that Java is messing up is making me actually stressed. In short, I still want the above issue solved, even if it's just purely for the sake of Peace Of Mind.
  Another note: I would (please!) appreciate a timely response on this matter. Even if the response is a "We don't know what the issue is and/or we are working to solve this issue.", that would satisfy me for the time being. I would just like a semi-timely response that would let me know that FF/contributors here have read the above and actually give a semblance of a care about their userbase.
  Thank You.

  '''ponyparty, '''
  The first prompt you see in Firefox to activate Java is because Java is currently on the Mozilla blocklist ( the "Hot Topic" article [[How to use Java if it's been blocked]] explains the reason for block and how to activate Java, including how to bypass the plugin activation prompt for trusted sites).
  cor-el is right about why you are seeing a second [http://oi48.tinypic.com/de8f8y.jpg Java "Security Warning"] when trying to view Java applets, that you have to click to run. This is a ''' Java''' security feature and not anything Firefox does.
  Try the same Java sites in Internet Explorer .... don't you also see the Java "Security Warning?" If you want to lower your Java security back to "Medium" in the Java Control Panel, see http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp.html#security for details. That's up to you but I would leave it on "High " since Java 7 is still basically insecure, according to the reports I've seen and [https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/ this "Protecting Users Against Java Vulnerability]" Mozilla blog post.
  If the second Java prompt is your only remaining issue then your problem is really solved, since it is a new Java security feature and not anything in Firefox.
  Some background:<br>
  At the time I was helping you in the [https://support.mozilla.org/en-US/questions/944267 older thread you started] (now locked because you started this one) the solution to uninstall JavaFX wasn't known. On Dec 13th I wrote, ''There may be problems with Java 7 Update 10 since a number of Windows users have reported that Firefox is not detecting the plugin'' and I linked to a couple of related threads, including [http://forums.mozillazine.org/viewtopic.php?f=38&t=2628935 this MozillaZine thread], in which uninstalling JavaFX as a solution was posted 22 Dec 2012. On 25 Dec 2012 in the same MozillaZine thread, I posted a link to [https://bugzilla.mozilla.org/show_bug.cgi?id=820759#c12 this Dec 24th bugzilla comment] by an Oracle employee, who posted that uninstalling JavaFX was a solution for '''Oracle's''' Java 7 detection bug. Oracle has been working on the bug (to be fixed in an upcoming Java 7 release) and they created [https://www.java.com/en/download/help/firefox_java.xml this java.com help page], which is now included in the related MozillaZine and Mozilla Support articles on Java that I posted above.

• Best place to ask java security questions?

  I know this is a weird question to ask here but every java security forum I've found is very sparsely populated. There are almost no very-knowledgeable people in those forums and it's hard to get answers, let alone timely ones. So I was wondering where everyone here thinks is the best, most populated java security forum, blog, or whatever to get java security info and questions answered.

  You might try the J2EE ("Java EE") however security is seldom a general purpose category.
  Setting up tomcat securely is significantly different than using SSL with sockets. Both are security issues but significantly different.
  And java developers as a group are seldom going to be that knowledgable anyways. Someone might spend a year writing GUIs but only spend a week figuring out how to make the server secure. I would be very surprised to find anyone that spends time here and yet spends a significant amount of their work time dealing with different security issues and varying setups.

• Java SSF for Digital Signatures and Document Encryption

  Hello,
  I have read in "SAP Help - Java Development Manual" that there is a Java SSF library for Digital Signatures and Document Encryption API.
  http://help.sap.com/saphelp_nw04s/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm
  I am trying to develop an example application in NWDS using Interfaces/classes (ISsfData, SsfDataXml...), but NWDS does not find this classes in any library.
  I have searched for Javadocs in NWDS plugins directory and this classes and interfaces should be in JAR com.sap.security.api.jar, but they aren't there.
  Our WAS version is: NW04s WAS 7.0 SP11 and he have downloaded Java Crypto Library (IAIK) and also SAP XML Toolkit.
  Does anyone know how to find or obtain this library?
  Thanks in advance,
  Jorge Linares

  Hello Francesco,
  I want to  generate a digital signature (PKCS#7,XML) using SAP SSF API as explained in
  http://help.sap.com/saphelp_nw04/helpdata/en/4f/65c3b32107964996a56e4165077e24/content.htm and in Amol Joshi's reply in
  Digital Signatures and Document Encryption api
  so my question  is From which PI/XI version and its SPS this SAP SSF LIBRARY is supported ?
  Kind Regards,
  Kubra fatima.

• Digital Signatures and Security Policies

  Is there a way to combine a digital signature and a Security Policy. We have a need to digitally sign a document, but not allow that signature to be removed and to not allow any further editing of the document?

  Hello Francesco,
  I want to  generate a digital signature (PKCS#7,XML) using SAP SSF API as explained in
  http://help.sap.com/saphelp_nw04/helpdata/en/4f/65c3b32107964996a56e4165077e24/content.htm and in Amol Joshi's reply in
  Digital Signatures and Document Encryption api
  so my question  is From which PI/XI version and its SPS this SAP SSF LIBRARY is supported ?
  Kind Regards,
  Kubra fatima.

• Java JCE and PKCS standards

  I'd like to know if the Sun JDK supports PKCS standards. In particulary, I am interested in PKCS#7 standard.
  1) Is it possible with java to sign a document and store the signature in a pkcs#7 file format.
  For example, I have signed data, the public key, the signature itself, etc.
  2) Is there in java a possibility to generate a PKCS#7 file format given these parameters ?
  Until here, I use bouncy castle but I would prefer to use JDK of course (better portability) .... at least for question 1. But for question 2, does BC still afford to do that point ?
  Thanks

  I don't believe JDK supports any instance of PKCS#7. At least for JDK1.5 and below -- I'm not familiar with 1.6. Actually, it might support the PKCS#7 format for storing certificate chains somewhere. CMS and S/MIME are essentially based on PKCS#7. See RFC3852. One of the formats includes the message, the message signature, and the certificate containing the public key, all bundled together in one message. All these are provided by the bouncycastle mail package.

• SecureSocketListener: Could not setup context and create a secure socket on 142.182.112.123:5555 : java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11. java.security.cert.Certifica

  HI Team,
  while starting the node manager in wls 8.1 and java1.4
  we are facing this issue plz help on this immediately.
  + CLASSPATH=/srvrs/bdv/patches/CR210310_81sp4.jar:/usr/java14/lib/tools.jar:/srvrs/bdv/bea/weblogic81/server/lib/weblogic_sp.jar:/srvrs/bdv/bea/weblogic81/server/lib/weblogic.jar::/srvrs/bdv/bea
  + export CLASSPATH
  + export PATH
  + set -x
  + [ 5555 !=  ]
  + [ 142.182.112.123 !=  ]
  + /usr/java14/bin/java -Xms32m -Xmx32m -Dweblogic.security.SSL.enforceConstraints=off -Djava.security.policy=/srvrs/bdv/bea/weblogic81/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/usr/java14 -DListenAddress=142.182.112.123 -DListenPort=5555 weblogic.NodeManager
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <NodeManager: for information on command line options,  try "java weblogic.NodeManager -h">
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Starting NodeManager >
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting listenAddress to 142.182.112.123..>
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting listenPort to 5,555..>
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting java home to '/usr/java14'>
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Effective values of properties :
          ListenAddress=142.182.112.123
          ListenPort=5555
          ListenerType=secureSocket
          SavedLogsDirectory=NodeManagerLogs
          NativeVersionEnabled=true
          TrustedHosts=nodemanager.hosts
          StartTemplate=../../server/lib/unix/nodemanager.sh
          ReverseDnsEnabled=false
          ScavangerDelaySeconds=180
          PIDFileReadRetryCount=0
          WeblogicHome=null
          bea.home=null
          JavaHome=/usr/java14
          PropertiesVersion=8.1
  >
  <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Saving logs in'NodeManagerLogs'>
  <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading private key and certificate chain from the keystore /srvrs/bdv/bea/weblogic81/server/lib/DemoIdentity.jks. KeyStore type = jks, Using keystore passphrase = true, Alias = DemoIdentity>
  <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading trusted CAs from the keystore /srvrs/bdv/bea/weblogic81/server/lib/DemoTrust.jks. KeyStore type = jks, Using keystore passphrase = true>
  <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading trusted CAs from the keystore /usr/java14/jre/lib/security/cacerts. KeyStore type = jks, Using keystore passphrase = false>
  SecureSocketListener: Could not setup context and create a secure socket on 142.182.112.123:5555 : java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
  java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
          at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
          at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
          at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
          at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
          at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:52)
          at weblogic.nodemanager.internal.SecureSocketListener.run(SecureSocketListener.java:57)
          at weblogic.nodemanager.internal.GenericListener.startListener(GenericListener.java:16)
          at weblogic.nodemanager.NodeManager.startSecureSocketListener(NodeManager.java:461)
          at weblogic.nodemanager.NodeManager.init(NodeManager.java:305)
          at weblogic.nodemanager.NodeManager.run(NodeManager.java:511)
          at weblogic.NodeManager.main(NodeManager.java:31)
  Thanks,
  Eswar

  Hi,
  Did you find a solution to this? We are running into the same issue since upgrading to Weblogic 9.2.3 for WebCT Vista 8.0.4.
  Thanks,
  Ron

• Java update (3 days ago) won't let me play yahoo games anymore.  I've tried moving java security to Medium and adding web address as "permissive use".  Still nothing.  I'd really like a fix.   Really, apple?  What's your beef with yahoo games?

  Installed Java update three days ago.  Now, can't play yahoo games as it's now blocked by security settings.  Already have tried moving Java security to Medium and adding yahoo.games.com (including web address of game) as a "Permissive exception".   Also tried removing java and installing older version.  Still nothing.  Really Apple?!?  What's your beef with yahoo games? 

  csnorth,
  all of the older update versions of Java SE 7 can be found here. If 7u45 also didn’t work with your Yahoo! games, you can choose from any of the even older versions there as well.

• Applet and data base error.    java.security.AccessControlException:

  Hi All
  I am new to java.
  I am trying to access data base SQL 7.0 thru an applet but its giving an error "java.security.AccessControlException:"
  Can any one help me plz!!!!
  Thx in advance
  Vipin

  Is a Applet Application so, u have to sign the application using jarsigner tool
  visit :
  http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html
  http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
  If NOT/before
  Create a file name called ".java.policy" and placed/saved it in user home directory.
  All the best
  Edward.I

• MII Workbench and java security Issue for jdk7

  Hello all,
  I am using MII version 12.2.2 Build(234) and java version jdk7.
  Now,I am not able to open or create a transaction in workbench.
  In java console, an error is shown below:
  AWT-EventQueue-0 [ERROR] - java.lang.ExceptionInInitializerError
       at com.sap.lhcommon.expressioneval.ExpressionLoader.<clinit>(ExpressionLoader.java:282)
       at com.sap.xmii.bls.expressioneval.TransactionFunctions.<clinit>(TransactionFunctions.java:27)
       at com.sap.xmii.xacute.editors.common.FunctionsComboBox.createBox(FunctionsComboBox.java:45)
       at com.sap.xmii.xacute.editors.common.FunctionsComboBox.<init>(FunctionsComboBox.java:39)
       at com.sap.xmii.xacute.editors.transaction.dialogs.linkeditor.LinkEditorPanel.createExpressionEditorPanel(LinkEditorPanel.java:1033)
       at com.sap.xmii.xacute.editors.transaction.dialogs.linkeditor.LinkEditorPanel.initialize(LinkEditorPanel.java:316)
       at com.sap.xmii.xacute.editors.transaction.dialogs.linkeditor.LinkEditorPanel.<init>(LinkEditorPanel.java:198)
       at com.sap.xmii.xacute.editors.transaction.dialogs.linkeditor.LinkEditorBottomPanel.<clinit>(LinkEditorBottomPanel.java:28)
       at com.sap.xmii.Illuminator.gui.workbench.core.TransactionInfo.initDisplay(TransactionInfo.java:353)
       at com.sap.xmii.Illuminator.gui.workbench.core.TransactionInfo.createNewFile(TransactionInfo.java:149)
       at com.sap.xmii.Illuminator.gui.workbench.components.actions.actions.NewAction.createFileInfoObject(NewAction.java:194)
       at com.sap.xmii.Illuminator.gui.workbench.components.actions.actions.NewAction$1.construct(NewAction.java:115)
       at com.sap.lhcommon.gui.ThreadCreator$2.run(ThreadCreator.java:96)
       at java.lang.Thread.run(Unknown Source)
  Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.action")
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
       at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.sun.jnlp.JNLPPreverifyClassLoader.loadClass0(Unknown Source)
       at com.sun.jnlp.JNLPPreverifyClassLoader.loadClass(Unknown Source)
       at com.sun.jnlp.JNLPPreverifyClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at com.sap.lhcommon.expressioneval.functions.DecodeFunction.<clinit>(DecodeFunction.java:83)
       ... 14 more
  I also modified the 'java.policy' file. But it did not work. I am still getting the same error.
  Kindly advise..
  Thanks,
  Ritwika.

  I do not yet know the security implications of doing what I did to fix this issue, but here is my solution.
  I added the following to the jre7 java.policy file in the section "grant {":
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";