PKCS#7... PKCS#12... X.509... JKS... Oh my God !!!

Hi guys.
I've developed an S/MIME application using BouncyCastle APIs. Could anybody tell me what is the difference between PKCS#7, PKCS#12, X.509 and JKS standards? What ones are adopted by S/MIME standard?
Thanks in advance.

look here
http://www.rsasecurity.com/solutions/standards/index.html
-Michael

Similar Messages

  • Java 6 PBE Example from JCA

    Hi All,
    I'm new to Java, so forgive my ignorance. A google search was not fruitful. I'm using Java 6 with the NetBeans 6.0.1 Editor. I'm attempting to derive a secret key from a password as follows shown below. The code is based on the JCA [1] password based encryption example [2]. I have two issues.
    == One ==
    symmetricKey = key.getEncoded() returns a byte array consisting of 1,2,3,4. According to PBEKeySpec this should return the primary encoding. This begs the question: if the bytes corresponding to the pbe params are not the primary encoding, how does one retrieve the derived key?
    == Two ==
    If I attempt to use a different specification (such as PBEKeySpec spec = new PBEWithSHA1AndRC2_40(...)), the IDE imports com.sun.crypto.provider.PKCS12PBECipherCore.PBEWithSHA1AndRC2_40, which does not exist. I have installed the 'Strong Policy(?)' (I'm not sure if that is an issue). Where is the IDE picking up the import, and where do I download it?
    Any help is appreciated,
    Jeff
    ==== Code ====
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;

    char[] password = { '1', '2', '3', '4' };
    byte[] salt = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF };
    int iterations = 16;
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
    SecretKey key = factory.generateSecret(spec);
    // This is the call discussed under issue One
    byte[] symmetricKey = key.getEncoded();
    ==== References ====
    [1] http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
    [2] http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx
    [3] http://java.sun.com/javase/6/docs/api/javax/crypto/spec/PBEKeySpec.html

    Jeff, my first stab at tidying your code.
    import java.io.DataInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.security.Key;
    import java.security.KeyPair;
    import java.security.KeyFactory;
    import java.security.KeyPairGenerator;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.interfaces.RSAPrivateKey;
    import java.security.interfaces.RSAPublicKey;
    import java.security.spec.InvalidKeySpecException;
    import java.security.spec.PKCS8EncodedKeySpec;
    import java.security.spec.X509EncodedKeySpec;

    /**
     * @author jeffrey walton
     */
    public class Main
    {
        public static void main(String[] args) throws Exception
        {
            final String PRIVATE_KEY_FILE = "private.rsa.java.key";
            final String PUBLIC_KEY_FILE = "public.rsa.java.key";
            // http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            // Initialize
            kpg.initialize(1024, new SecureRandom());
            KeyPair keys = kpg.generateKeyPair();
            RSAPrivateKey privateKey = (RSAPrivateKey) keys.getPrivate();
            RSAPublicKey publicKey = (RSAPublicKey) keys.getPublic();
            // Print Parameters
            PrintPrivateKey(privateKey);
            PrintPublicKey(publicKey);
            // Serialize Keys
            SaveEncodedKey(PRIVATE_KEY_FILE, privateKey);
            SaveEncodedKey(PUBLIC_KEY_FILE, publicKey);
            // PrivateKey privateKey = LoadPrivateKey("private.java.key");
            privateKey = LoadPrivateKey(PRIVATE_KEY_FILE);
            PrintPrivateKey(privateKey);
            // PublicKey publicKey = LoadPublicKey("public.java.key");
            publicKey = LoadPublicKey(PUBLIC_KEY_FILE);
            PrintPublicKey(publicKey);
        }

        static void SaveEncodedKey(String filename, Key key) throws IOException
        {
            if (null == key)
                throw new IllegalArgumentException("key is null.");
            FileOutputStream fos = new FileOutputStream(filename);
            // PKCS #8 for Private, X.509 for Public
            // File will contain OID 1.2.840.113549.1.1.1 (RSA)
            // http://java.sun.com/j2se/1.4.2/docs/api/java/security/Key.html
            fos.write(key.getEncoded());
            fos.close();
        }

        static RSAPrivateKey LoadPrivateKey(String filename) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException
        {
            File file = new File(filename);
            byte[] b = fullyReadFile(file);
            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(b);
            KeyFactory factory = KeyFactory.getInstance("RSA");
            return (RSAPrivateKey) factory.generatePrivate(spec);
        }

        static RSAPublicKey LoadPublicKey(String filename) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException
        {
            File file = new File(filename);
            byte[] b = fullyReadFile(file);
            X509EncodedKeySpec spec = new X509EncodedKeySpec(b);
            KeyFactory factory = KeyFactory.getInstance("RSA");
            return (RSAPublicKey) factory.generatePublic(spec);
        }

        private static byte[] fullyReadFile(File file) throws IOException
        {
            DataInputStream dis = new DataInputStream(new FileInputStream(file));
            byte[] bytesOfFile = new byte[(int) file.length()];
            dis.readFully(bytesOfFile);
            dis.close();
            return bytesOfFile;
        }

        static void PrintPrivateKey(RSAPrivateKey key)
        {
            if (null == key)
                throw new IllegalArgumentException("key is null.");
            System.out.print("Private Key ");
            System.out.println("(" + key.getFormat() + ")");
            System.out.println(" d: " + key.getPrivateExponent());
            System.out.println(" n: " + key.getModulus());
            System.out.println();
        }

        static void PrintPublicKey(RSAPublicKey key)
        {
            if (null == key)
                throw new IllegalArgumentException("key is null.");
            System.out.print("Public Key ");
            System.out.println("(" + key.getFormat() + ")");
            System.out.println(" e: " + key.getPublicExponent());
            System.out.println(" n: " + key.getModulus());
            System.out.println();
        }
    }
    There was one silly type error in your code privateKey = LoadPrivateKey("public.rsa.cpp.key");
    The only real errors (standard new to Java IO errors) are in the use of available() to get the file size (it doesn't guarantee this) and your relying on read() to fully read all the bytes of the array (it doesn't guarantee this). You could just modify these two parts but I have made several other less important changes.
    I do feel your exception handling left something to be desired so I have modified it. I would normally handle exceptions very differently but this clutters the code and detracts from readability in code examples.
    Though your code for getting the exponent and modulus from the RSA keys works, there is significant redundancy so I have simplified it.
    I have modified your precondition checking of your key being null to use the standard IllegalArgumentException rather than just Exception. Since you are only doing some of the precondition checking it might be worth while checking ALL preconditions or NO preconditions. I'm always split on this when presenting example code. Although I use precondition checking extensively in production code, once again I find it detracts from the readability in example code.
    Your method naming convention is at odds with the standard Java coding standards in that you have capitalized the first letter of method names but I don't feel this is much of a problem so I have not modified it.
    The lights are about to go out!
    Edited by: sabre150 on Apr 29, 2008 8:09 AM
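Added example, not part of either post above: the question in this thread asks why `getEncoded()` on a `PBEWithMD5AndDES` key returns the password rather than a derived key. The sketch below shows that behaviour next to PBKDF2, whose key factory does return derived key bytes; it assumes Java 8 or later, and the class name, iteration count and sample plaintext are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PbeKeyDemo {   // hypothetical class name

    // Legacy scheme from the question. The factory only wraps the password;
    // salt and iteration count are applied later, inside Cipher.init().
    static byte[] legacyEncoded(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations);
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES").generateSecret(spec);
        return key.getEncoded();
    }

    // PBKDF2: the factory runs the derivation, so getEncoded() is the derived key.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // wipe the spec's internal copy of the password
        }
    }

    // AES-GCM with a fresh 12-byte IV; returns IV || ciphertext.
    static byte[] encrypt(byte[] rawKey, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(rawKey, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(byte[] rawKey, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(rawKey, "AES"),
               new GCMParameterSpec(128, ivAndCt, 0, 12));
        return c.doFinal(ivAndCt, 12, ivAndCt.length - 12);
    }

    public static void main(String[] args) throws Exception {
        char[] password = { '1', '2', '3', '4' };   // sample value from the question
        byte[] salt = new byte[16];                 // random salt, stored beside the ciphertext
        new SecureRandom().nextBytes(salt);

        byte[] legacy = legacyEncoded(password, salt, 16);
        byte[] passwordBytes = new String(password).getBytes(StandardCharsets.US_ASCII);
        System.out.println("PBEWithMD5AndDES getEncoded(): " + Arrays.toString(legacy));
        System.out.println("equals password bytes:         " + Arrays.equals(legacy, passwordBytes));

        // Iteration count is an assumption for this example; tune it to your hardware.
        byte[] derived = pbkdf2(password, salt, 600000, 128);
        System.out.println("PBKDF2 derived key length:     " + derived.length + " bytes");
        System.out.println("equals password bytes:         " + Arrays.equals(derived, passwordBytes));

        byte[] sealed = encrypt(derived, "constructed sample".getBytes(StandardCharsets.UTF_8));
        String opened = new String(decrypt(derived, sealed), StandardCharsets.UTF_8);
        System.out.println("round trip:                    " + opened);

        Arrays.fill(password, '\0');
        Arrays.fill(derived, (byte) 0);
    }
}
```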

  • Import an SSL Private Key

    Hello.  Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key?  They both have the same host name.

    I guess it's possible. Please correct me if I am wrong.
    Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
    following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
    Step 1: import the key pair into a PSE
    Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
    Step 2: import the PSE resulting from Step 1) into the system's database
    All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
    You'll need to go through a procedure similar to the one described in note 1178155, step 3.
    - Copy the PSE from step 1) to your workstation/PC
    - Start transaction STRUST
    - Doubleclick the "FILE" icon in the navigation area (left hand side)
    - Select the PSE on your workstation/PC
    - Execute the menu item "PSE --> save as..." and choose the SSL Server
    PSE as target. This will save the PSE from step 1 as SSL Server
    standard PSE.
    - The following step is a modification from note 1178155 which is
    only applicable in your special situation: right mouse button click
    on the SSL Server PSE entry in the navigation area. From the context
    menu appearing, select "Change".
    - Remove the distinguished names from all application server specific
    PSEs in the list. Pressing the green tick mark ('save') will remove
    all application server specific SSL Server PSEs, so the system is
    forced to use the SSL Server standard PSE instead.
    Don't forget to restart the ICM in order to make your changes become effective.
    Regards,
    Jazz

  • SSF configuration for external Smartcard Readers

    Hello colleagues,
    I'm working at a customer who is implementing a SAP project (R/3 4.6C SR2), in which the government is involved.
    The government is forcing the customer to implement digital signature in some steps of his business process, one of this steps is running on SAP R/3 system. The digital signature will be used with digital signature in order to "package" some critical data like "billing amount", for instance.
    The government is imposing the smartcard encryption solution, that is hardware encryption.
    I have been looking for information about it, so I understood the following:
    1._ Some smartcard vendors are compliant with SAP.
    2._ I need to install in the server running SAP the smartcard and the smartreader in order to manipulate and to access the encryption functionality.
    3._  The smartcard is configured in SAP by transaction SSFA and other reports.
    4._  The encryption functionality is accessed by SSF function group.
    I downloaded the documents "SSF user guide", "security quick guide: digital signature" and "digital signature in FI".
    I've found in a paper called "Digital Signatures in SAP Applications - Web App.Server 6.40" the following:
    1.3.1. SSF for the ABAP Stack
    The SSF Library for the ABAP Stack is used in applications that are written in ABAP. It supports the functions for creating and verifying digital signatures (PKCS#7), and functions for encrypting and decrypting documents.
    SSF requires an external security product to provide these functions. The SAP Security Library (SAPSECULIB) is delivered with the SAP system as the default product. However, the SAP Security Library only supports digital signatures without cryptographic hardware (SmartCards, SmartTokens, Cryptoboards). Instead of the SAPSECULIB, customers can also use the SAPCRYPTOLIB, which can be downloaded from the SAP Service Marketplace. The SAPSECULIB supports the DSA (Digital Signature Algorithm) algorithm, and the SAPCRYPTOLIB supports both the DSA and the RSA algorithms. The algorithm that you must use in your signature process depends on the CA that issues the certificate. Most CAs use the RSA algorithm. Note that country-specific export guidelines apply in the case of the SAPCRYPTOLIB. For more information, see SAP Note 397175.
    For support for encrypting and decrypting documents, and for generating digital signatures using cryptographic hardware, an external security products from our partners is required. These security products use SAP’s SSF interface and are certified for this by SAP. For a list of the certified products, see the SAP Service Marketplace under http://service.sap.com/securitypartners, and then choose the link “Partner for Secure Store and Forward, digital signatures“ (SSF).
    The SSF Library for the ABAP stack is available as of SAP Basis 4.0.
    I don't understand how the relationship between SAPCRYPTOLIB and the SmartReader Card is established/configured.
    We think about the "Government of Chile" will deliver the customer a SmartCard Reader from Schlumberger (Cryptoflex 16K Card).
    Should be great if you can provide me with any useful information in order to understand how to implement this configuration.
    Best regards, Carlos
    Message was edited by: Carlos Guevara

    Hi,
    Thanks a lot for your answer. I have more questions:
    As I mentioned before, the Government office will provide a SmartCard reader to the customer: it's "Cryptoflex 16K card from Schlumberger". You can take a look to its features here:
    http://www.cryptoflex.com/Products/Cryptoflex_Features/cryptoflex_features.html#
    There, you can see the following:
    Supported Applications and Platforms
    Integrates with PC/SC
    Integrates with PKCS#11   >>> (*)
    Entrust Ready
    Plug & Play with Windows 2000 and Windows XP
    Axalto SDK
    In the document about Digital Signatures "DigSig_Netweaver_BestPractices_en.doc", you can see the following:
    1.2.1 PKCS#7
    PKCS#7 stands for Public-Key Cryptography Standard # 7. The PKCS standards are specifications that were developed by RSA Security for secure information exchange using the Internet. PKCS#7 is currently a format established in the market. It describes a wrapper format, meaning that the output format does not correspond to the input format. If, for example, a PKCS#7 signature is attached to a PDF document, the document is then in PKCS#7 format. This format is a binary format, which in turn means that direct display is not very good, and is not suitable for a user. A special tool (viewer) must therefore be used for display. Unfortunately, usable PKCS#7 viewers are not currently available on the market. This format is very suitable for purely automatic processing (without a display component for the user).
    SAP offers the PKCS#7 signature on the ABAP platform (as of SAP Basis 4.0B) and on the Java platform (as of SAP Web AS 6.30).
    So here are my questions:
    1) From above, can you tell me if I'm wrong, or this SmartCard ("Cryptoflex 16K card from Schlumberger") is incompatible with SAP Digital Signature implementation (the Smartcard uses PKCS#11 -see (*) above- and SAP uses PKCS#7)?
    2) I didn't find to Schlumberger as a certified partner into the SAP link for Certified Partners for Digital Signatures:
    http://www50.sap.com/softwarepartnerdir/products/certify/prod_def.asp?DescID=259&ProdDesc=Digital%20Signatures%2C%20Encryption%20and%20SSF
    Does it mean that this partner can't provide SSF compatibility?
    3) Can you provide me any kind of documentation in order to understand what are the whole configurations that need to be done from the "basis" side (if questions 1 and 2 are false) in order to configure this architecture?
    4) Can you explain a little bit how the SAPCRYPTOLIB is used in this context? I mean, should we need it in order to encrypt/decrypt digital signatures/envelopes?
    Best Regards, Carlos

  • Saving an iBot in OBI EE

    Hi All,
    Your suggestions are highly appreciated.
    I was trying to save the iBot, then I am getting the error "Authentication Failed"
    Below are the steps that i have followed:
    1). Taken the backup of the existing Credentialstore.XML & Instanceconfig.XML.
    2). Then i ran the below in the command prompt:
    cryptotools credstore -add -infile C:/OracleBIData/web/config/credentialstore.xml
    Credential Alias: Administrator
    Username: Administrator
    Password: Administrator
    Do you want to encrypt the password? y/n (y): y
    Passphrase for encryption: Administrator
    Do you want to write the passphrase to the xml? y/n (n): y
    File "OracleBIData_HOME/web/config/credentialstore.xml" exists. Do you want tooverwrite it? y/n (y): y
    3). Once I ran the step no:2 through command prompt, then below tag has been updated in the Credentialstore.xml file:
    <sawcs:credential type="usernamePassword" alias="Administrator">
    <sawcs:username>Administrator</sawcs:username>
    <sawcs:password>
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>heS8LZvLnmJTayBsQiDWEcE2hW2ySico</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    </sawcs:credentialStore>
    4). After the step no:2 is completed then i have updated the below tag in the Instanceconfig.xml file:
    <CredentialStore>
    <CredentialStorage type="file" path="C:\OracleBIData\web\config\credentialstore.xml"
    </CredentialStore>
    5). The Admin tool username: Administrator Password: Administrator
    After applying the above steps, I was able to restart the services for Oracle BI Server & Oracle BI Scheduler
    but I was not able to start the Oracle BI Presentation Services & Oracle BI Java Host.
    Thanks in Advance
    Siva

    When you run the credential tool, the alias must be Admin and not Administrator
    Tip: delete the file credentialstore.xml file before you made again the operation.
    Cd C:\OracleBI\web\bin
    cryptotools credstore -add -infile C:\OracleBIData\web\config\credentialstore.xml
    Credential Alias: Admin     
    Username: Administrator
    Password: Administrator
    Do you want to encrypt the password? y/n (y):
    Passphrase for encryption: Administrator
    Do you want to write the passphrase to the xml? y/n (n):
    File "OracleBIData_HOME/web/config/credentialstore.xml" exists. Do you want tooverwrite it? y/n (y):
    And if you enter a passphrase for encryption, you must set it in the instanceconfig file such as
    <CredentialStore>
    <CredentialStorage type="file" path="C:\OracleBIData\web\config\credentialstore.xml" passphrase="Administrator"/>
    </CredentialStore>
    Cheers
    Nico

  • Upgrade Analytics 7.8 - OBIEE 10.1.3.3.2 - Scheduler configuration

    Hi,
    I have upgraded the analytics environment 7.8 to OBIEE 10.1.3.3.2.
    I have configured the OBI Presentation Services to identify the credential store :
    extract from instanceconfig.xml :
    <CredentialStore>
    <CredentialStorage type="file" path="F:\sas78evolData\Web\config\credentialstore.xml" passphrase="password"/>
    </CredentialStore>
    Then I have added the Scheduler administrator credentials to the OBI credential store using the cryptotools utility (in my case Administrator is the scheduler administrator) :
    extract from credentialstore.xml :
    <sawcs:credential type="usernamePassword" alias="admin">
    <sawcs:username>Administrator</sawcs:username>
    <sawcs:password passphrase="password">
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>PPrajfxPlFuEbWiXwtvUtg==</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    Presentation and Scheduler services start up but when I try to connect to Answers, I get the following error message :
    Unable to contact server.
    An encrypted password was found in the credential 'admin', but no decryption passphrase has been specified. Please ensure that a decryption passphrase is specified in configuration. See documentation for details on how to configure the credential store.
    Error Codes: WUDC2HWW
    Thanks for your help,
    Best regards
    Hervé

    Yes I have solved it by rerunning cryptotools utility , and don't encrypt the password. It seems there is a bug in the process of encrypting the pwd. Now it works fine
    Rgds

  • IBot Creation in OBIEE 10G

    Hi All,
    I have OBIEE 10G installed in a unix server and BI client in windows XP. Now when I configure the scheduler via BI client, under the general tab in which format can I mention the unix server path for the scheduler script, default script and temporary file path. As these paths are defaulted to my local machine D: drive.
    Actually my problem is, I was able to login to Delivers using Administrator but unable to save a iBot. It says Authentication failed.
    Please help.
    Thanks

    Please find my config values below. I guess something is wrong and hence I am still unable to save an iBot. Please help
    instanceconfig.xml - (Already present)
    <CredentialStore>
    <CredentialStorage type="file" path="/u00/webadmin/product/10.1.3_OBI/OracleBI_1/web/config/credentialstore.xml" passphrase="obiee"/>
    </CredentialStore>
    Credentialstore.xml - (Newly added)
    <sawcs:credential type="usernamePassword" alias="admin">
    <sawcs:username>Administrator</sawcs:username>
    <sawcs:password passphrase="PMADMIN">
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>t/kuivSpJztX3qINS9v/VA==</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    Scheduler Config via BI client - (Manage ->Jobs-> Configuration Options->General)
    Scheduler Script path - /u00/webadmin/product/10.1.3_OBI/OracleBI_1/server/Scripts/Scheduler
    Default Script Path - /u00/webadmin/product/10.1.3_OBI/OracleBI_1/server/Scripts/Common
    Temporary file path - /u00/webadmin/product/10.1.3_OBI/OracleBIData_1/tmp
    Administrator Name: Administrator
    Password: XXXXXX
    Note:
    I have Doubt in the format of the script paths. Please note that the password for Administrator in both Shconfig and Credential store is same.
    Please help.
    Regards
    GJ

  • RSA PSS Signature scheme

    Hi,
    I am working on digital signatures RSA. I have two issues/doubts :-D
    1) In Java 1.5, the crypto specification talks abt API support for RSA PKCS using PKCS #1 v2.1 thru the PSS padding scheme for signatures - java.security.spec.PSSParameterSpec. So, how I understood it was, after I create signature object for RSA I have to use setParameter to set these PSSParameterSpec to my signature object. But when I run my code, I get the UnsupportedOperationException. Please help me in this regard.
    The Exception message is
    java.lang.UnsupportedOperationException
    at java.security.SignatureSpi.engineSetParameter(SignatureSpi.java:306)
    at java.security.Signature$Delegate.engineSetParameter(Signature.java:1161)
    at java.security.Signature.setParameter(Signature.java:794)
    at rsapsSigning.main(rsapsSigning.java:22)
    My source code for the same is:
    import java.io.FileInputStream;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.spec.AlgorithmParameterSpec;
    import java.security.spec.PSSParameterSpec;

    public class rsapsSigning
    {
         public static void main(String a[])
         {
              try
              {
                   String datafile = "C:\\old.txt";
                   PSSParameterSpec pss = PSSParameterSpec.DEFAULT;
                   Signature s = Signature.getInstance("SHA1withRSA");
                   /* initialise signature object with pss parameter for RSA */
                   s.setParameter((AlgorithmParameterSpec)pss); //exception gets thrown at this point
                   KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
                   kpg.initialize(128); // 128 is the keysize.
                   KeyPair kp = kpg.generateKeyPair();
                   PublicKey pubk = kp.getPublic();
                   PrivateKey prvk = kp.getPrivate();
                   s.initSign(prvk);
                   FileInputStream fis = new FileInputStream(datafile);
                   byte[] dataBytes = new byte[1024];
                   int nread = fis.read(dataBytes);
                   while (nread > 0) {
                        s.update(dataBytes, 0, nread);
                        nread = fis.read(dataBytes);
                   }
                   byte[] sig = s.sign();
                   for (int i = 0; i < sig.length; i++)
                        System.out.println(sig[i]);
              }
              catch (Exception e)
              {
                   e.printStackTrace();
              }
         }
    }
    2) One other method that i tried was, instead of using PSSParameterSpec class, while creating Signature object, crypto Spec of 1.5 talks abt the usage of "<digest>with<encryptionalgo>and<mgf>" in the getInstance() of Signature class. So going on these lines, i can as well give "SHA1withRSAandMGF1" which is precisely what has been described as the default value for RSA PSS. But when i give so directly, I get "NoSuchAlgorithmException". In fact, for a trial basis when i tried "MD5withSHA1andMGF1" (the example given in the crypto spec of 1.5) also, i get the same exception :-( :-(
    java.security.NoSuchAlgorithmException: SHA1withRSAandMGF1 Signature not available
    at java.security.Signature.getInstance(Signature.java:208)
    at pp.main(pp.java:18)
    My code for this is:
    import java.security.Signature;

    public class pp
    {
         public static void main(String a[])
         {
              try
              {
                   String datafile = "C:\\new.txt";
                   Signature s = Signature.getInstance("SHA1withRSAandMGF1"); //exception gets thrown here
                   System.out.println("SHA1withRSAandMGF1");
              }
              catch (Exception e)
              {
                   e.printStackTrace();
              }
         }
    }
    I am sorry that my query seems so long. But i was just trying to tell all the cases that I have tried.
    I would be grateful to any suggestions.
    Best Rgds

    Hi Stark,
    Exactly....Even my list of signatures does not return anything with PSS. Like how you said may be there is no engine support. But is there any workaround for this??? How can i use PSS with RSA in Java 1.5??? Any idea??
    And also in the JCE Crypto Spec, it is given that "For the new signature schemes defined in PKCS #1 v 2.0, for which the <digest>with<encryption> form is insufficient, <digest>with<encryption>and<mgf> can be used to form a name. Here, <mgf> should be replaced by a mask generation function such as MGF1. Example: MD5withRSAandMGF1. " but this also is not displayed in the list of signatures. Am I wrong in my understanding or over looking something or is it that java 5 has not yet started supporting if signature algos are given in this format. Any idea here too ??
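Added example, not part of the posts above: on Java 11 or later the standard provider offers PSS under the algorithm name `RSASSA-PSS`, and `setParameter` with a `PSSParameterSpec` is accepted there, while a PKCS#1 v1.5 signature object such as `SHA256withRSA` still rejects it, as in the stack trace in the question. The class name, key size, parameter choices and message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;

public class PssSignDemo {   // hypothetical class name

    // SHA-256 for both the message digest and MGF1, 32-byte salt, trailer field 1.
    static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.initSign(key);
        s.setParameter(PSS_SHA256);   // mandatory: RSASSA-PSS has no default parameters
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.initVerify(key);
        s.setParameter(PSS_SHA256);   // the verifier must use the same parameters
        s.update(data);
        return s.verify(sig);
    }

    // True when the named algorithm refuses PSS parameters, which is what
    // the poster hit with a PKCS#1 v1.5 signature object.
    static boolean rejectsPss(String algorithm) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        try {
            s.setParameter(PSS_SHA256);
            return false;
        } catch (InvalidAlgorithmParameterException | UnsupportedOperationException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);         // key size chosen for this example
        KeyPair kp = kpg.generateKeyPair();

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] sig1 = sign(kp.getPrivate(), msg);
        byte[] sig2 = sign(kp.getPrivate(), msg);

        System.out.println("signature verifies:         " + verify(kp.getPublic(), msg, sig1));

        byte[] tampered = msg.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered message verifies:  " + verify(kp.getPublic(), tampered, sig1));

        // PSS is randomised by its salt, so two signatures over the same data differ.
        System.out.println("two signatures identical:   " + Arrays.equals(sig1, sig2));

        System.out.println("SHA256withRSA rejects PSS:  " + rejectsPss("SHA256withRSA"));
        System.out.println("RSASSA-PSS rejects PSS:     " + rejectsPss("RSASSA-PSS"));
    }
}
```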

  • Problem regarding saving ibots

    hi...good evening...
    I am setting up ibots for BI Analytics in solaris server..
    I have successfully ran all the steps...
    1)creating S_NQ tables 2)configuring the job manager 3)configuring the scheduler etc etc.
    also i have ran the cryptotools and also changed the instanceconfig.xml.
    But when i am trying to save an ibot ,it is throwing error..
    Oracle BI Scheduler Error: [nQSError: 68019] Authentication Failed.
    Error Details
    Error Codes: GYFPI8RN
    plss help...
    (one thing i can mention: while running the cryptotools i.e updating the credentialstore.xml file, it didnt ask me for file already exists.do you want to overwrite it? y/n(y): )

    I had a similar problem when configuring the scheduler, but without a bit more detail I can't advise.
    You should have at least changes in the following:
    web/config/instanceconfig.xml
    web/config/credentialstore.xml
    In the credential store, the alias MUST be "admin" all lower case. my entry looks like:
    <sawcs:credential type="usernamePassword" alias="admin">
    <sawcs:username>Administrator</sawcs:username>
    <sawcs:password passphrase="{snipped}">
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>{snipped}</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    In the web/instanceconfig.xml you need to ensure you have entries similar to:
    <Alerts>
    <ScheduleServer>localhost</ScheduleServer>
    </Alerts>
    <CredentialStore>
    <CredentialStorage type="file" path="{bi home}/OracleBIData/web/config/credentialstore.xml" passphrase="{snipped}"/>
    </CredentialStore>
    Hope this helps you

  • Can't connect after changing BI Publisher Administrator password

    I have a single machine instance of OBIEE 10.1.3 on Windows. All elements have been working fine and I have been able to successfully sign on to:
    1) BI Publisher
    2) Dashboards/Answers
    3) BI Administrator
    However, today I decided to change my 'Administrator' password in BI Publisher for good order's sake. And now after making that change I get an error reading:
    'The server can not be used due to a configuration error, please contact the administrator. If you are the administrator, please consult BI Publisher user guide for proper configuration'
    With 'error detail' reading: oracle.apps.xdo.security.ValidateException
    Using the old BI Publisher password also returns an error (invalid user/password). I also stopped and started OC4J service all Oracle BI products. My BI Administrator signon still works fine.
    I've read several posts about failed connections like this and ran across one that implied that characters in the new password such as *, #, $ will create problems. Unfortunately my new password does contain some of these characters {:>0 and I suspect this may be the issue. My question: What is the least complicated way to back out of this situation and simply restore my sign on? I'm totally focused on data architecture and reports on this single user system right now. Thanks

    Madan,
    Thanks for your help.
    The password in xmlp-server-config.xml is encrypted. It looks (similar) to this:
    <property name="BI_SERVER_SECURITY_ADMIN_PASSWORD_ENC" value="C14CD2495C033BB8E816E10BCDC25372" />
    <property name="BI_SERVER_SECURITY_ADMIN_USERNAME" value="Administrator" />
    I tried changing the encrypted password to my password but got a java sign on error.
    I then modified the last block in CredentialStore.xml and restarted the BI Server and OC4J but I still get the 'oracle.apps.xdo.Security.ValidateException' error when signing on to BI Publisher. Here's the entry with the (dummy) password which
    I tried with the first change above and without the first change above.
    <!-- This credential is used for storing the username/password that is required
    for SSO impersonation in BI Publisher. In this example, the passphrase is shown inline. -->
    <sawcs:credential type="usernamePassword" alias="bipublisheradmin">
    <sawcs:username>Administrator</sawcs:username>
    <sawcs:password passphrase="Buffalo">
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>w39PaFUeq3zbMiB3clljRQ</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    -->
    </sawcs:credentialStore>
    Thanks for any additional comments. John

  • X.509 and PKCS#11 provider

    Sorry if I'm asking a stupid question, but there is something in JCE PKCS#11 provider architecture that I'm missing.
    Let's say I have some hardware crypto module (e.g. SUN SCA-6000) and want to be sure that all crypto work is done in it. So I would configure PKCS#11 provider as the 1st (highest priority) entry in java.security file (and configure PKCS#11 to use my hardware crypto module).
    Now, let's say I need to work with some X.509 certificate. When I check the supported algorithms of PKCS#11 and SUN providers, it looks like CertificateFactory.X509 algorithm is supported only by SUN provider, and not by PKCS#11 provider.
    http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#ALG
    http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SUNProvider
    So I wonder what this essentially means. Does it mean that even though I configured my HCM PKCS#11 provider, some crypto work is still done in other software modules (e.g. SUN provider)? Or maybe the SUN provider just "decomposes" these "high-level" algorithms to more "primitive" ones (e.g. Signature.SHA1withRSA) and essentially "proxies" all work to whatever provider supports these "primitive" algorithms - i.e. essentially to my HCM PKCS#11 provider?
    Regards,
    Alex

    This is not a stupid question. Any question involving cryptography isn't stupid IMO, and one that includes hardware security modules (HSM) is even less stupid. :-)
    That said, sabre150 has provided some information, and I'll try to add a little more from my experience.
    HSM's are used primarily to perform "raw" cryptographic operations in highly constrained environments for security reasons - the goal is to ensure that symmetric keys (DES, 3DES, AES) or the private-keys of asymmetric key-pairs (RSA, DSA, EC) do not come out of the HSM into the main memory of the computer. This ensures that attackers cannot snoop the secrets from main memory.
    So, the CertificateFactory in JCE is primarily used to do cryptographic operations with the digital certificate; however any operation involving just the digital certificate - and not its corresponding private-key - involves just the public-key in the certificate, the certificate attributes or certificate extensions. Since ALL information in a digital certificate is public information, there is no reason to waste HSM resources to perform X509 operations inside the security module. Not only is there nothing to protect in those operations, but as sabre150 pointed out, some old HSM's may not be able to handle them very well.
    However, some HSM's are not just for security, but they also perform crypto-acceleration. This means that they can speed up raw cryptographic processing, and there is a benefit from having them perform even the public-key operations inside the HSM. However, the PKCS11 libraries will typically send in only the "raw" crypto operation into the HSM, leaving all the certificate-parsing work outside.
    One final point: in order to make sure that you are definitely performing all secret operations inside an HSM, make sure you explicitly name the specific HSM provider for your crypto operations, otherwise the JVM may silently use a software module to perform the operation (if possible) and expose your secret in main memory.
    Hope that helps.
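
    The provider-pinning advice in the answer above, as an added example that is not part of the original thread: it reports which provider the JVM picks for an unpinned lookup and refuses to proceed unless the named provider serves the operation. The class and helper names are hypothetical, and the default provider name `SunPKCS11-NSS` is an assumption (SunPKCS11 registers as `SunPKCS11-` plus the `name=` value of its configuration file).

    ```java
    import java.security.GeneralSecurityException;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.NoSuchProviderException;
    import java.security.Provider;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.CertificateFactory;

    public class PinnedProviderCheck {

        // Signature bound to one named provider; refuses if that provider is absent.
        static Signature pinnedSignature(String algorithm, String providerName)
                throws GeneralSecurityException {
            Provider p = Security.getProvider(providerName);
            if (p == null) {
                throw new NoSuchProviderException(providerName + " is not installed");
            }
            return Signature.getInstance(algorithm, p);
        }

        // Fail closed if the JVM resolved the operation to any other provider.
        static void requireProvider(Signature sig, String expected) {
            String actual = sig.getProvider().getName();
            if (!actual.equals(expected)) {
                throw new SecurityException(
                    "signature served by " + actual + ", expected " + expected);
            }
        }

        public static void main(String[] args) throws Exception {
            // Assumed provider name; pass the real one as the first argument.
            String hsm = args.length > 0 ? args[0] : "SunPKCS11-NSS";

            // Certificate parsing handles public data only, so a software provider is fine here.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            System.out.println("CertificateFactory X.509 -> " + cf.getProvider().getName());

            // Constructed key pair, used only to drive the unpinned lookup below.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair kp = kpg.generateKeyPair();

            // Unpinned: the provider is picked by preference order and by which one accepts the key.
            Signature unpinned = Signature.getInstance("SHA256withRSA");
            unpinned.initSign(kp.getPrivate());
            System.out.println("unpinned SHA256withRSA -> " + unpinned.getProvider().getName());
            try {
                requireProvider(unpinned, hsm);
            } catch (SecurityException e) {
                System.out.println("check failed closed: " + e.getMessage());
            }

            // Pinned: either the named provider serves the request or the lookup is refused.
            try {
                Signature pinned = pinnedSignature("SHA256withRSA", hsm);
                System.out.println("pinned SHA256withRSA -> " + pinned.getProvider().getName());
            } catch (GeneralSecurityException e) {
                System.out.println("pinned lookup refused: " + e.getMessage());
            }
        }
    }
    ```

    On a JVM without a configured PKCS#11 provider, both the unpinned check and the pinned lookup report a refusal rather than falling back to software.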

  • Configure .p7b(PKCS #7 Certificates) in SOA Suite 11g - Enterprise Manager

    Hi,
    I have currently configured a .jks file in EM - WebLogic domain - security - security provider configuration, which is used by the OWSM policy to validate my incoming signed SOAP message.
    (The incoming message is signed with the same .jks file), so it is working fine.
    Now I got a .p7b (PKCS #7 Certificates) file from the customer, so I need to replace this with my existing .jks file. How can I do this?
    Appreciate your quick inputs.
    Thanks

    The customer site is invoking my SOA Suite application. The public portion of the certificate which I got from them I configured at my end (.p7b converted into JKS). With the private key (which I do not have with me) the customer site is signing the SOAP request and hitting my SOA Suite.
    I am getting the following error on my SOA Suite side (soa_server1-diagnosis):
    X509 Certificate will not be advertised due to underlying exception "oracle.wsm.security.SecurityException: WSM-00057 : The certificate, abc.org, is not retrieved. The following aliases are found in the keystore:- [defnet.org, klmca.org, abc.org, ]".
    While converting into JKS I gave an alias; I do not know what value I should give. I found
    subject: CN=abc.org... in the .p7b file and used the same name as the alias.
    I converted the .p7b file into .cer as suggested by anuj. The .p7b file contains 3 certificates, so I imported 3 times into the same keystore file like this:
    keytool -import -alias abc.org -file xyz.public.cer -keystore xyz-keystore.jks
    keytool -import -alias klmca.org -file klmca.public.cer -keystore xyz-keystore.jks
    keytool -import -alias defnet.org -file defnet.public.cer -keystore xyz-keystore.jks
    What am I doing wrong here?
    Can I configure the .p7b (PKCS #7 Certificates) file directly in Enterprise Manager (SOA Suite 11g PS3)? I converted it into a .jks file and configured it, but it is not working.
    Please suggest. This is urgent. Appreciate your quick help.
    Edited by: 798585 on May 20, 2011 12:00 AM

  • Is PKCS#7 format supported by Mac OS X 10.6 server or above?

    Couple of questions on Mac OS X 10.6 server or above.
    1) Can a Mac OS X 10.6 server or above version support PKCS#7 format for SSL certificate installation?
    2) If PKCS#7 format is supported, is the file extension .p7b file?
    Thank you!
    J

    Try it.  Unfortunately, sometimes certificates can be mis-generated or can become corrupted.
    X.509 is the overarching standard, and comprises various formats including PKCS7.   I'd usually want a PEM format certificate file, though OS X 10.6 does support various formats.  Including PKCS7. 
    Depending on exactly what you're up to here with OS X and OS X Server and these certificates, there might be Server Admin.app or Server.app service-specific steps required; additional general info here here or here.
    If these are your own servers, clients and your own family and friends accessing these systems, then there's no need for a purchased certificate.  Self-generated certificates work just as well and are just as secure as purchased certificates (if you have a trusted and secure way to perform the initial load), and — if you're inclined, and want to learn a little about OS X and certificates — you can set up your own certificate authority and load your own root certificate, and then your own client certificates are automatically honored.

  • PKCS#11 with NSS

    Hello to ALL Saviours,
    For the past 5 days I have been struggling with a cryptography problem. Let me explain my problem statement.
    I have to test the Intel AES-NI feature on a Westmere EP series processor with a Java application.
    My Environment Setup:-
    Application server: Apache Tomcat 6.0.33
    Database: Derby
    Application: JPetStore
    JAVA: jdk1.6.0_23
    Network Security Services(NSS): 3.12.10
    OS: CentOS 6.0 x86-64
    Steps I have followed to make it work.
    1. Setup the application running perfectly fine on 8443 port. Created a key using "keytool -genkey -alias tomcat -keyalg RSA".
    2. Checked the property of page of my application. Output is "TLS 1.0, AES with 128 bit encryption (High); RSA with 1024 bit exchange".
    3. I have compiled the NSS and put all *.so files into the existing JDK ($JAVA_HOME/jre/lib/amd64).
    4. Update jre/lib/security/java.security AS "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"
    5. put nss.cfg to ($JAVA_HOME/jre/lib/security).
    #Content of nss.cfg
    name=NSS
    nssLibraryDirectory=${java.home}/lib/amd64
    nssDbMode=noDb
    attributes=compatibility
    6. Started the Application again. Application running fine without any error in CATALINA.out.
    Problem Statement:-
    I have generated a load of 20 virtual users and collected the throughput. In both cases (with and without PKCS#11-NSS implemented) I am getting the same results.
    I am not sure whether I am missing some steps or have misconfigured something.
    Help is appreciated because I badly need it.
    Please suggest your views.

    handat wrote:
    NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.
    Edited by: handat on Nov 18, 2011 1:13 PM
    Edited by: handat on Nov 18, 2011 1:24 PM
    I am using keytool to generate the PKCS11 keystore, but it is giving the error "keytool error: java.security.KeyStoreException: token write-protected".
    I have used the nssDbMode=noDb option in the nss.cfg file, so do I still have to generate the db file?
    Can you please give me a snapshot of the server.xml file in Tomcat?
    I have configured it as:-
    <Connector port="8443"
    minSpareThreads="5"
    maxSpareThreads="75"
    enableLookups="true"
    disableUploadTimeout="true"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreType="PKCS11"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
    />
    Appreciate for the response.

  • WLS8.1sp2 - PKCS#11 Provider for WebCertificates error

    I'm trying to start up a WLS Server which has its web certificates stored in a
    HW device. The CryptoProvider reads the certificates out of the HW
    module via PKCS#11. Unfortunately the possible operations via PKCS#11 are not the same as via
    a PKCS#12 (basically: you cannot read a PrivateKey out of a PKCS#11 as you do
    out of the Sun JKS implementation).
    I got following error:
    <29.04.2004 13.55 Uhr CEST> <Notice> <Security> <BEA-090170> <Loading the private
    key stored under the alias Wxxxxxx.csintra.net from the CS_PKI keystore file C:\apps\Tip300\cs\pki\pki420\api\config\pkiapi_Websrv_etit.properties.>
    <29.04.2004 13.55 Uhr CEST> <Notice> <Security> <BEA-090171> <Loading the identity
    certificate stored under the alias Wxxxxxx.csintra.net from the CS_PKI keystore
    file C:\apps\Tip300\cs\pki\pki420\api\config\pkiapi_Websrv_etit.properties.>
    <29.04.2004 13.55 Uhr CEST> <Error> <WebLogicServer> <BEA-000297> <Inconsistent
    security configuration, java.lang.Exception: The public key from the configured
    server certificate and the configured server private key do not match.>
    <29.04.2004 13.55 Uhr CEST> <Emergency> <Security> <BEA-090034> <Not listening
    for SSL, java.io.IOException: Inconsistent security configuration, The public
    key from the configured server certificate and the configured server private key
    do not match..>
    <29.04.2004 13.55 Uhr CEST> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic
    Admin Server "myserver" for domain"cfwdomain" running in Production Mode>
    <29.04.2004 13.55 Uhr CEST> <Notice> <WebLogicServer> <BEA-000360> <Server started
    in RUNNING mode>
    <29.04.2004 13.55 Uhr CEST> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default"
    listening on port 7770, ip address *.*>
    Is anyone already experimenting with PKCS#11 and WLS8.1sp2?
    Has anyone had the same problem, or does it depend on the crypto provider we
    are using?
    Best Regards
    carlo

    The error happened when the ssl implementation tried to test the keys. To check
    whether they match it obtained raw RSA Cipher (RSA/ECB/NoPadding) and tried to
    encrypt some text with the private key and decrypt it with the public key. Since
    the private key is not a real key it failed. So if you had an RSA cipher provider
    installed that could work with your hw accelerator to encrypt with that private
    key you could work around this problem.
    In 8.1 we support nCipher HW accelerator, and we had to work around several issues
    to make it work. One of the workarounds was to ignore the KeyManagementException
    that happens during this key match check when nCipher is installed. Apparently
    in your case this exception does not happen and this check executes normally,
    but returns the negative result.
    Pavel.
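
    A key-match check that does not need the private key bytes, as an added example that is not WebLogic's code and not part of the original thread: instead of the raw RSA cipher round trip described above, it signs a random challenge through the JCA Signature API and verifies it with the public key. A private key that is only a handle to a hardware token can pass this check as long as an installed provider can sign with it. The class and method names are hypothetical, and the key pairs are constructed in software for the demonstration.

    ```java
    import java.security.GeneralSecurityException;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.SecureRandom;
    import java.security.Signature;

    public class KeyPairMatchCheck {

        // True when a signature made with priv verifies under pub.
        static boolean matches(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
            byte[] challenge = new byte[32];
            new SecureRandom().nextBytes(challenge);

            // No provider is named here: the JVM uses the first provider that accepts
            // this key object, which for a token-backed key is the provider owning the token.
            Signature signer = Signature.getInstance("SHA256withRSA");
            signer.initSign(priv);
            signer.update(challenge);
            byte[] sig = signer.sign();

            // Verification needs only public data and can run in software.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(pub);
            verifier.update(challenge);
            return verifier.verify(sig);
        }

        public static void main(String[] args) throws Exception {
            // Two constructed RSA key pairs of the same size.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair server = kpg.generateKeyPair();
            KeyPair other = kpg.generateKeyPair();

            System.out.println("own public key:     " + matches(server.getPrivate(), server.getPublic()));
            System.out.println("foreign public key: " + matches(server.getPrivate(), other.getPublic()));
        }
    }
    ```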
