RSA PSS Signature scheme

Hi,
I am working on digital signatures RSA. I have two issues/doubts :-D
1) In Java 1.5, the crypto specification talks abt API support for RSA PKCS using PKCS #1 v2.1 thru the PSS padding scheme for signatures - java.security.spec.PPSParameterSpec. So, how i understood it was, after i create signature object for RSA i have to use setParameter to set these PSSParameterSpec to my signature object. But when i run my code, i get the UnSupportedOperationException. Please help me in this regard.
The Exception message is
java.lang.UnsupportedOperationException
at java.security.SignatureSpi.engineSetParameter(SignatureSpi.java:306)
at java.security.Signature$Delegate.engineSetParameter(Signature.java:11
61)
at java.security.Signature.setParameter(Signature.java:794)
at rsapsSigning.main(rsapsSigning.java:22)
My source code for the same is:
public class rsapsSigning
     public static void main(String a[])
          try
               String datafile = "C:\\old.txt";
               PSSParameterSpec pss = PSSParameterSpec.DEFAULT;
               Signature s = Signature.getInstance("SHA1withRSA");
               /*initialise sugnature object with pss parameter for RSA*/
               s.setParameter((AlgorithmParameterSpec)pss); //exception gets thrown at this point
               KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
               kpg.initialize(128); // 128 is the keysize.
          KeyPair kp = kpg.generateKeyPair();
          PublicKey pubk = kp.getPublic();
          PrivateKey prvk = kp.getPrivate();
               s.initSign(prvk);
               FileInputStream fis = new FileInputStream(datafile);
          byte[] dataBytes = new byte[1024];
          int nread = fis.read(dataBytes);
          while (nread > 0) {
          s.update(dataBytes, 0, nread);
          nread = fis.read(dataBytes);
          byte[] sig = s.sign();
          for(int i = 0;i <sig.length;i++)
               System.out.println(sig);
     }catch(Exception e)
          e.printStackTrace();
2) One other method that i tried was, instead of using PSSParameterSpec class, while creating Signature object, crypto Spec of 1.5 talks abt the usage of "<digest>with<encryptionalgo>and<mgf>" in the getInstance() of Signature class. So going on these lines, i can as well give "SHA1withRSAandMGF1" which is precisely what has been described as the default value for RSA PSS. But when i give so directly, I get "NoSuchAlgorithmException". In fact, for a trial basis when i tried "MD5withSHA1andMGF1" (the example given in the crypto spec of 1.5) also, i get the same exception :-( :-(
java.security.NoSuchAlgorithmException: SHA1withRSAandMGF1 Signature not availab
le
at java.security.Signature.getInstance(Signature.java:208)
at pp.main(pp.java:18)
My code for this is:
public class pp
     public static void main(String a[])
          try
               String datafile = "C:\\new.txt";
               Signature s = Signature.getInstance("SHA1withRSAandMGF1"); //exception gets thrown here
               System.out.println("SHA1withRSAandMGF1");
catch(Exception e)
e.printStackTrace();
I am sorry that my query seems so long. But i was just trying to tell all the cases that I have tried.
I would be grateful to any suggestions.
Best Rgds

Hi Stark,
Exactly....Even my list of signatures does not return anything with PSS. Like how you said may be there is no engine support. But is there any workaround for this??? How can i use PSS with RSA in Java 1.5??? Any idea??
And also in the JCE Crypto Spec, it is given that "For the new signature schemes defined in PKCS #1 v 2.0, for which the <digest>with<encryption> form is insufficient, <digest>with<encryption>and<mgf> can be used to form a name. Here, <mgf> should be replaced by a mask generation function such as MGF1. Example: MD5withRSAandMGF1. " but this also is not displayed in the list of signatures. Am I wrong in my understanding or over looking something or is it that java 5 has not yet started supporting if signature algos are given in this format. Any idea here too ??

Similar Messages

Signature Schemas/Status values with Signature schemas need to be locked?

I am tying to assign a signature schema to multiple values in a single status schema. If I assign a signature schema to a status it automaticaly locks the document into that status so that no further changes to status can be made. I need to have a signature schema assigned to mutliple status values in the same status schema so I cant have A approved be locked because I still need the document to be B approved as well.
Does anyone know how I can adjust the setting so the status values with sig. schemas attached will not automatically be locked.
Status Schema:
Not Started
A Approved X signature schema
B Approved y signature schema

Hello James,
this is not possible. As I do not quite understand why you want to set up your status schema like that, it is difficult to propose another solution.
If you want to stay with the schema you have mentioned, you will have to unlock a document which has been approved by A on the attribute dialog and set the new status "B Approved" there. But this means that the person who is doing that has to sign the document as first signee of the second signature process.
Best regards
Jürgen

Extending XML Signature Schemes

Hello,
currently I am doing some research in the area of signatures.
However, I want to do an performance evaluation using the JCA with some not yet implemented algorithms.
My question is if there is a tutorial or how-to which explains how the JCA framework can be extended to support new Hash-Functions & Signatureschemes or even better some sample code?
Greetings,
Kai

XML Signature defines an XML syntax for digital signatures.
Depending upon your OWSM policy your XML signature may change.

X.509 certificate signed by RSA-PSS

I am writing a parser for x.509 certificate.
Can someone be so kind and send me a X.509 certificate signed by this scheme. it could be a self singed certificate.
I need it for testing.
Thanks alot,
majorsoul

I think if you select security profile in the channel then you can do sign and verify the certificate in the reciever agreement. THat is only for Security parameters. For just configure certificate authentication, you will not see anything in the receiver agreement.

Signature with PSS scheme

Hi,
iam trying to sign a message with the following Siganture:
Signature sig = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1_PSS, false);now iam getting a NO_SUCH_ALGORITHM exception.
iam using JavaCard 3.0.1 and as far as i know this Signature is supported.
this one works fine:
Signature sig = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);so the problem seems to be the PSS scheme.
anyone can help me ? iam not sure wheres my problem is.

JavaCard 3.0.1 supports several RSA-PSS signature types but the card hardware might not support the particular one you want. More generally, there is no guarantee that any card vendor will implement any given cryptographic mechanism supported by JavaCard since such a requirement is not (yet) mandated.
You could test ALG_RSA_MD5_PKCS1_PSS, ALG_RSA_RIPEMD160_PKCS1_PSS, and ALG_RSA_SHA_224_PKCS1_PSS.
Adriaan

Help diagnosing "The selected certificate has errors: Invalid Signature"

I am unable to sign a PDF using a new certificate I have received. I have tried Acrobat X and XI. I have also tried importing both the root and issuing CAs as trust anchors. Those certs seem to verify fine. This issue appears to be with the signature on my cert.
My suspicion is that the issue stems from the issuing CA's use of the "AlternateSignatureAlgorithm", 1.2.840.113549.1.1.10 RSASSA-PSS, for my user cert. Acrobat does not seem to recognize this algorithm. It simply lists the OID value when I look at the signature algorithm under details.
The certificate is validated fine using certutil.exe and works fine when I use it for client SSL authentication. I am using Windows 7 and have tried both 32 and 64 bit PCs.
Has anyone experienced this before?
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
X509 Certificate:
Version: 3
Serial Number: 100000
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=xyz QA CA
    O=xyz Technical Resources Ltd
    C=US
NotBefore: 11/15/2012 2:14 PM
NotAfter: 11/16/2022 2:14 PM
Subject:
    CN=xyz Issuing CA
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000 30 82 01 0a 02 82 01 01 00 e3 0b d4 99 e6 01 f1
    0010 0e a4 e1 82 8a 8c 39 27 62 7a 03 23 fe 03 3f b5
    0020 0d b6 fa c2 1b 86 44 d6 2f 76 65 b0 02 ff 83 69
    0030 b7 6a 8d b2 d7 22 74 e3 04 9a 01 ec 4c 0f de ff
    0040 c3 db 8f b5 c1 d3 7d 80 f5 ca cc ca 6d ef df 2a
    0050 31 25 18 0b 92 1b 4b 1f 41 c0 5f b6 b2 7e f4 43
    0060 99 43 01 cf c2 60 de 79 75 ec dc 61 11 ea 87 d0
    0070 76 56 a6 4f 00 4a 31 94 37 a5 37 7b 0d 61 49 74
    0080 67 88 31 df 81 16 a2 ed 5c 77 6b 23 6b 92 35 c8
    0090 b3 05 cc 5a 06 3c a3 b3 6c d8 ad 1e 66 28 4e 90
    00a0 3f ad 66 db 6d 13 dd c8 44 29 a0 4f 62 9c f5 5a
    00b0 c1 7e 84 fc e6 24 57 c2 bd ce f1 80 b7 bd 13 b8
    00c0 9f d1 8a bb 41 43 67 9f 68 25 f6 a6 a2 be 44 89
    00d0 11 4f 12 3d 2d d3 85 be 38 f9 97 bd e1 ce 5c 8c
    00e0 4e d4 ce be 19 0b a7 91 5d ee 1e c1 84 2c 2a 5e
    00f0 bb e5 4a fb 7f 2a f4 b8 06 2b 63 1f d9 c3 d9 d3
    0100 5a 13 2d ea 19 63 dd 7c e5 02 03 01 00 01
Certificate Extensions: 9
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None
    2.5.29.14: Flags = 1(Critical), Length = 16
    Subject Key Identifier
        8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Certificate Signing, Off-line CRL Signing, CRL Signing (06)
    2.5.29.35: Flags = 1(Critical), Length = 7e
    Authority Key Identifier
        KeyID=c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
        Certificate Issuer:
             Directory Address:
                  CN=xyz QA CA
                  O=xyz Technical Resources Ltd
                  C=US
        Certificate SerialNumber=00 96 b6 de 15 a7 4b 97 ac
    2.5.29.31: Flags = 0, Length = 36
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://pki.xyzre.qa1/crls/root-ca.crl
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 37
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://pki.xyzre.qa1/root-ca.cer
    2.5.29.32: Flags = 0, Length = 6e
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=2.16.840.1.101.3.2.1.48
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/test_policy.pdf
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0
    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name (Certificate Type)
        SubCA
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000 41 a4 3f 79 99 d2 aa fa f9 4b 88 0c a6 be 6f 40
    0010 0b df 10 93 f5 bb 48 c7 1f 89 73 73 09 58 b4 22
    0020 f2 b8 0f 78 b1 da 16 81 cd 2d 86 5a 22 90 67 cd
    0030 22 03 56 d5 c2 f4 df 79 b2 2a 82 e0 2e 5a 9a c3
    0040 92 b5 4d f2 fe 3d 6b f0 97 b0 b7 85 b6 e9 99 4c
    0050 f5 87 34 81 bc 27 f0 77 a1 c6 b2 50 b1 c8 b6 2f
    0060 6f 01 61 0d 1d bc cd 3b 07 2d 18 71 d3 f1 f2 03
    0070 78 e6 82 24 27 b1 65 d5 4b be 6c 20 f7 60 30 4c
    0080 49 42 07 4c 13 d9 7d 77 7f 10 a4 32 bc 30 d4 82
    0090 bf 40 06 0f 84 32 43 65 67 47 d0 19 59 0e e7 c2
    00a0 d9 c1 10 0a 5e df a2 18 04 86 e5 e4 09 80 99 75
    00b0 fd 21 ad 86 5f 77 ab 5d aa 79 74 ed eb ba c4 e8
    00c0 f1 fb b2 ae 6a dd 07 5c cc 3d 93 99 ff 45 e6 f6
    00d0 c6 d6 d3 22 69 c3 43 50 c0 69 e4 7f 3e 73 df 76
    00e0 6f 9d fc 73 ed 54 0b 49 3b 6f c8 99 32 b1 9b d5
    00f0 15 bd 5f 40 07 a2 f2 92 0e 74 2b f2 01 39 52 b0
Non-root Certificate
Key Id Hash(rfc-sha1): 8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
Key Id Hash(sha1): e7 a5 38 8b 64 5e bd 6e ee 7b 3f 61 bb 8a ed 2c cc 4b 2c 2f
Cert Hash(md5): 69 84 7c 7c d8 2a 35 12 e9 6b e8 6a fd ca be 92
Cert Hash(sha1): eb 2f 11 1b b0 c2 92 a0 14 74 50 42 50 1e de c5 53 de d7 df
---------------- End Nesting Level 1 ----------------
CERT_MD5_HASH_PROP_ID(4):
    69 84 7c 7c d8 2a 35 12 e9 6b e8 6a fd ca be 92
CERT_SHA1_HASH_PROP_ID(3):
    eb 2f 11 1b b0 c2 92 a0 14 74 50 42 50 1e de c5 53 de d7 df
CERT_KEY_IDENTIFIER_PROP_ID(20):
    8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
Cannot find the certificate and private key for decryption.
================ Certificate 1 ================
================ Begin Nesting Level 1 ================
X509 Certificate:
Version: 3
Serial Number: 96b6de15a74b97ac
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=xyz QA CA
    O=xyz Technical Resources Ltd
    C=US
NotBefore: 11/13/2012 3:35 PM
NotAfter: 11/13/2032 3:35 PM
Subject:
    CN=xyz QA CA
    O=xyz Technical Resources Ltd
    C=US
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000 30 82 01 0a 02 82 01 01 00 d2 5f 7d c0 c5 25 7f
    0010 2c 4c a2 4a 9b 6f e7 7a 35 cd 9a 2a 88 30 36 9b
    0020 f8 a4 d8 31 64 72 36 1c 1b 2c dc 73 11 d6 57 a2
    0030 97 91 6d bb d0 3c 13 65 28 4d 78 4e e1 c7 06 ac
    0040 16 c1 2a 62 39 ba 39 f9 a1 b9 4a 14 39 28 58 0d
    0050 f4 97 83 d5 ee 45 91 4a 41 06 e5 b9 60 40 20 48
    0060 85 f4 2d 8e 04 7f 81 12 3a 26 e1 0f 21 32 49 bc
    0070 20 ef 12 69 5a 20 a4 51 65 6d 85 4c 0f 4c 91 4c
    0080 26 47 27 a7 9e 49 e0 f7 56 08 fc 90 47 11 6c a9
    0090 b8 81 c6 83 c8 b2 2d e8 c4 ba 8b 45 32 c5 dd a0
    00a0 d9 1c 85 10 d6 6b 42 50 9a 42 d6 e4 51 32 73 59
    00b0 92 5b d1 44 82 dc be 75 65 94 e7 4a 79 15 ed 23
    00c0 f8 a3 3e 28 92 31 75 5c fa b9 1b 6d e0 c3 d0 24
    00d0 7a 09 86 d0 2d c7 42 eb 6b fc 95 ed 62 13 21 35
    00e0 2f 0e b6 cd c2 c3 66 d4 a6 1b 53 15 49 64 ac 34
    00f0 11 20 8b e4 46 bc 60 68 3e 1b cb 5c b8 05 f4 a8
    0100 0a a3 53 d0 37 2a 2d 73 01 02 03 01 00 01
Certificate Extensions: 7
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None
    2.5.29.14: Flags = 1(Critical), Length = 16
    Subject Key Identifier
        c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Certificate Signing, Off-line CRL Signing, CRL Signing (06)
    2.5.29.35: Flags = 1(Critical), Length = 7e
    Authority Key Identifier
        KeyID=c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
        Certificate Issuer:
             Directory Address:
                  CN=xyz QA CA
                  O=xyz Technical Resources Ltd
                  C=US
        Certificate SerialNumber=00 96 b6 de 15 a7 4b 97 ac
    2.5.29.31: Flags = 0, Length = 36
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://pki.xyzre.qa1/crls/root-ca.crl
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 37
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://pki.xyzre.qa1/root-ca.cer
    2.5.29.32: Flags = 0, Length = 6e
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=2.16.840.1.101.3.2.1.48
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/test_policy.pdf
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000 69 25 3a 36 f1 13 25 88 73 94 eb cf 5b 70 2e 86
    0010 8c 0d 7a 8f 3a 49 0e 42 18 da c9 00 26 68 ea 42
    0020 cd 2a 24 43 0d ec 6b 15 73 14 33 69 c2 60 3d 40
    0030 1c 4d 59 12 7a e9 03 00 81 ba 1e 50 55 05 bd 60
    0040 88 84 bb 8e e3 f5 ce 00 42 ae fd 01 05 fd bc 5f
    0050 af cc e3 a4 4d f2 84 8b 9b 0d 24 16 d6 d4 51 da
    0060 50 9c c4 69 d6 b8 18 be e5 5c 48 b8 8a a3 d4 22
    0070 0e 26 f2 15 d8 ff 19 34 d4 1d 69 50 02 51 da e8
    0080 ad 05 a3 2f 1c e9 0f da e3 4c 36 c4 cd 6e a5 76
    0090 88 19 90 78 ad fe 94 62 46 91 2b 0a 36 df e2 ea
    00a0 4a a9 f4 5c dc 77 4d e5 f4 ab e9 b9 da f6 b0 9f
    00b0 6c f5 50 74 14 19 05 df 96 b5 ee af a3 31 a5 af
    00c0 8f 6c be 67 43 78 55 0e 39 46 80 05 12 5f c2 4f
    00d0 24 fc 13 f7 e5 ee 64 0f dd 9a 49 5c 57 10 1c 4b
    00e0 7a 9f 5a 1f 0c ec 5b 8d b4 c4 ed d8 09 cc 1c d9
    00f0 9f 04 3f 85 ab 95 48 8e 77 e0 91 81 39 46 fb a3
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
Key Id Hash(sha1): f0 fc 52 1c c1 a6 16 2d 28 c1 71 84 ae d4 18 87 74 c4 f8 1c
Cert Hash(md5): c9 af 16 63 9e 51 7b 8e 22 25 96 d7 a7 66 fa ab
Cert Hash(sha1): e6 0b ef c1 fb e6 94 13 dc 9f 26 80 33 31 43 d9 ec af d7 be
---------------- End Nesting Level 1 ----------------
CERT_MD5_HASH_PROP_ID(4):
    c9 af 16 63 9e 51 7b 8e 22 25 96 d7 a7 66 fa ab
CERT_SHA1_HASH_PROP_ID(3):
    e6 0b ef c1 fb e6 94 13 dc 9f 26 80 33 31 43 d9 ec af d7 be
CERT_KEY_IDENTIFIER_PROP_ID(20):
    c5 91 51 88 76 e2 a4 13 5a 2f 11 84 29 54 de cf 4f 93 28 eb
Cannot find the certificate and private key for decryption.
================ Certificate 2 ================
================ Begin Nesting Level 1 ================
X509 Certificate:
Version: 3
Serial Number: 1500000003a24d67389af826d7000000000003
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Issuer:
    CN=xyz Issuing CA
NotBefore: 11/15/2012 3:13 PM
NotAfter: 11/15/2013 3:13 PM
Subject:
    [email protected]
    CN=(e) Hugh Kelley
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000 30 82 01 0a 02 82 01 01 00 e4 55 77 34 c0 b7 58
    0010 55 cd 71 1e da d4 83 fd f4 bd a5 d5 26 52 6c 7e
    0020 8d 74 ea 0a b6 2c 0c ae b4 8f fc 95 07 9b 1a d4
    0030 e1 9f ed e3 7e d7 f4 f0 04 2c e4 ed 4c 49 2b d7
    0040 b4 42 c0 1c 12 7c b8 76 22 83 e6 d9 44 78 ce 26
    0050 20 5c 9c 71 30 3c 78 01 74 fa ac f9 7b b3 83 28
    0060 a8 18 52 10 d4 a5 f0 29 40 15 40 16 5c 90 4b 5d
    0070 c4 57 9d 3d 29 4e ce 80 b1 f1 ae 17 a4 cc 85 0b
    0080 a2 5e 73 0f ac 0f ff 8b 05 0c b9 f2 17 b3 ad 2f
    0090 b7 33 c7 ac bf 16 0f 09 2a e6 b7 f9 90 42 0b 6f
    00a0 3b 7f df 86 e6 e9 33 b6 d5 2d be 5f 65 4b 87 45
    00b0 d4 53 fc 8e de 0f 49 fd 8b 84 f5 2e cd 00 a9 cd
    00c0 0c b2 e2 7e 3e f9 e3 28 2f 9a 55 85 3e b8 b2 3a
    00d0 89 ce 19 bd 88 b2 74 da 42 ac bf 07 6c 4a b8 2e
    00e0 94 36 3b 28 f0 45 ec 59 f4 22 f3 03 47 85 ef 4c
    00f0 ba f5 24 3e 55 60 8b e8 6e e3 e9 1e bf 3c c9 75
    0100 88 9c 39 6c 20 66 c0 92 85 02 03 01 00 01
Certificate Extensions: 10
    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
    Certificate Template Information
        Template=1.3.6.1.4.1.311.21.8.11609700.13554795.12405411.13975648.10011376.129.8742862.14 66929
        Major Version Number=100
        Minor Version Number=5
    2.5.29.37: Flags = 0, Length = 22
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
        Secure Email (1.3.6.1.5.5.7.3.4)
        Encrypting File System (1.3.6.1.4.1.311.10.3.4)
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)
    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 28
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=Client Authentication
        [2]Application Certificate Policy:
             Policy Identifier=Secure Email
        [3]Application Certificate Policy:
             Policy Identifier=Encrypting File System
    1.2.840.113549.1.9.15: Flags = 0, Length = 37
    SMIME Capabilities
        [1]SMIME Capability
             Object ID=1.2.840.113549.3.2
             Parameters=02 02 00 80
        [2]SMIME Capability
             Object ID=1.2.840.113549.3.4
             Parameters=02 02 00 80
        [3]SMIME Capability
             Object ID=1.3.14.3.2.7
        [4]SMIME Capability
             Object ID=1.2.840.113549.3.7
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=8a 54 1f f7 43 b9 fd 19 3f 82 28 08 13 3d fa 73 42 11 e3 6f
    2.5.29.31: Flags = 0, Length = 44
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://pki.xyzre.qa1/crls/xyz Issuing CA.crl
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 45
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://pki.xyzre.qa1/xyz Issuing CA.crt
    2.5.29.17: Flags = 0, Length = 50
    Subject Alternative Name
        Other Name:
             Principal [email protected]
        RFC822 [email protected]
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Signature: UnusedBits=0
    0000 51 58 a1 89 fc fe 9d b3 67 36 9f 4d 41 75 9e 9f
    0010 b8 30 10 3b c8 f1 0b 6a b8 ab 84 73 2e 91 7e 05
    0020 e0 3a 5b 34 cd 0a 35 bd e0 f6 c2 7c 7f d0 d6 b3
    0030 03 3d 8c dd 52 04 7f 62 55 a5 14 a7 5a 20 77 5d
    0040 0f bb f6 4d a3 8c 2e 98 76 39 f4 30 18 bf be 5f
    0050 0c 62 20 40 39 34 e6 de d2 dd 01 dd e9 bb d0 e5
    0060 1e 93 93 0e de c4 c5 86 9e 15 72 ea 4c 37 5c 6c
    0070 3d dc 69 8d 17 9d f8 b6 2a 51 1f f5 bc f5 fb 58
    0080 2c 03 4f 88 b8 58 a3 cd ca 38 28 3a c9 34 79 4a
    0090 46 7c de a1 a8 fa 28 34 1f 23 96 69 51 f1 c7 41
    00a0 0b c8 a9 39 71 6c 4f 57 81 7f ec a7 2f 65 b9 97
    00b0 c8 2d 1e 24 ff fc d9 58 5c 07 e9 2c 83 77 64 a9
    00c0 8f 5d 42 9e c3 ea 85 88 39 7b 23 56 38 6d c9 15
    00d0 4c 80 de cf 00 e0 73 27 e2 f1 b3 d4 c9 b5 83 74
    00e0 4f 6e 6f 03 2f df c1 29 24 de 6a 70 cf de d4 1f
    00f0 fb 07 08 85 89 f9 08 f7 68 5c 68 29 2e 3c 6c de
Non-root Certificate
Key Id Hash(rfc-sha1): c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
Key Id Hash(sha1): 42 9c bd 63 60 4c d2 a8 55 bd 1b f4 70 25 34 cd 72 38 ca 8c
Cert Hash(md5): af 8b 1e 76 71 f5 53 f4 93 62 1d e7 5e a8 d1 ff
Cert Hash(sha1): 4f 3b d3 48 ba 05 65 dd 99 bb 33 65 5b 5e ba 13 28 fe 2d 80
---------------- End Nesting Level 1 ----------------
CERT_MD5_HASH_PROP_ID(4):
    af 8b 1e 76 71 f5 53 f4 93 62 1d e7 5e a8 d1 ff
CERT_SHA1_HASH_PROP_ID(3):
    4f 3b d3 48 ba 05 65 dd 99 bb 33 65 5b 5e ba 13 28 fe 2d 80
CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = {0136F9BB-2135-4642-827C-B883E0BDAF41}
Unique container name: 1119ced7dad9cbd7d39924c9f35b5886_f10cfee5-eccc-4ef4-b0fb-7042bc1815c3
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    ProviderType = 1
    Flags = 0
    KeySpec = 1 -- AT_KEYEXCHANGE
CERT_CEP_PROP_ID(87):
Enrollment Policy Url: ldap:
Enrollment Policy Id: {D8416D24-E050-45B1-B348-B9218292357C}
Enrollment Server Url: Q-PKI-01.xyzre.qa1\xyz Issuing CA
Request Id: 3
Flags = 0
    DefaultNone -- 0
Url Flags = 20 (32)
    PsfAllowUnTrustedCA -- 20 (32)
Authentication = 2
    Kerberos -- 2
Enrollment Server Authentication = 2
    Kerberos -- 2
CERT_REQUEST_ORIGINATOR_PROP_ID(71):
    Q-APPDEV7-01.xyzre.qa1
CERT_KEY_IDENTIFIER_PROP_ID(20):
    c2 1d d2 c8 90 64 9c 38 a9 66 9d 12 8b 1a a6 ab a8 72 2a 11
Unique container name: 1119ced7dad9cbd7d39924c9f35b5886_f10cfee5-eccc-4ef4-b0fb-7042bc1815c3
PP_KEYSTORAGE = 1
    CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
    CRYPT_ENCRYPT -- 1
    CRYPT_DECRYPT -- 2
    CRYPT_EXPORT -- 4
    CRYPT_READ -- 8
    CRYPT_WRITE -- 10 (16)
    CRYPT_MAC -- 20 (32)
D:(A;ID;GAGR;;;SY)(A;ID;GAGR;;;BA)(A;ID;GAGR;;;S-1-5-21-2052111302-1708537768-839522115-2 4370)
    Allow Full Control    NT AUTHORITY\SYSTEM
    Allow Full Control    BUILTIN\Administrators
    Allow Full Control    xyzRE\hugh.kelley
Private Key:
PRIVATEKEYBLOB
Version: 2
aiKeyAlg: 0xa400
    CALG_RSA_KEYX
    Algorithm Class: 0xa000(5) ALG_CLASS_KEY_EXCHANGE
    Algorithm Type: 0x400(2) ALG_TYPE_RSA
    Algorithm Sub-id: 0x0(0) ALG_SID_RSA_ANY
0000 52 53 41 32                                        RSA2
0000 ...
048c
Encryption test passed
CertUtil: -dump command completed successfully.

Hi Hugh,
As you figured out the certificate was using a signature algorithm that Acrobat did not understand. The "signature algorithm" is a composite of the the digest algorithm (e.g. sha1), and the encryption algorithm (e.g. RSA). Acrobat understands the following digest algorithms; MD5, SHA-1, RIPEMD-160, SHA-256, SHA384, and SHA512. As far as encryption algorithms go, it understands DSA and RSA. Just to make things a little more complicated, version XI also can handle elliptic curve, but versions 6 thru 10 were limited to DSA & RSA. If you are using a digital ID created with the DSA encryption algorithm then the only digest algorithm Acrobat can use with is SHA-1. Just like you saw sha1RSA, you could also use a digital ID with the sha1DSA signature algorithm. If you are using RSA then it will pair with all six digest algorithms I noted above (e.g. sha256RSA).
The Probabilistic Signature Scheme is not something Acrobat understands at all.
Steve

Signatures - two issues

Hi, all. This behavior seems to be common to both Reader and Acrobat, so I figured I'd start here.
First off - Reader XI automatically renames documents when a signature is placed. This is problematic, in that if a user wants to keep the name unchanged, they must manually delete the "-signed" part of the filename every time. For users who deal with it dozens of times or more per day, this is not only a tiresome waste of energy, but prone to error.
I know others have commented on this, but I've not been able to find anything official from Adobe. Does anyone know if Adobe will be changing this behavior, or at least giving us the option to turn it off?
Second - The document signing process itself seems to have lost functionality. In version 9, when a user was signing a document, the button used to do so had a dropdown where they could pick from multiple signatures. This does not exist in 11. The "Place Signature" button simply reuses the last signature, and picking a new one requires the user to:
Click the dropdown arrow
Click "Change Saved Signature"
Click "Use an image"
Click Browse and hope it opens up in the proper location, otherwise they need to navigate there
Pick the file containing the signature to be used
Click Accept
Again, for users who need to do this dozens or more times a day, this is a tiresome waste of effort and time.
Example: We have a secretary who is authorized by her department to place any of four people's signatures on a document. She is required to process many of these documents each day, and depending on which of those four people she's processing for, she has to go through this whole process each time, instead of just picking one of the names from the dropdown like she used to be able to.
Is there some way to add back the functionality that was in the old version?
I've tried setting up multiple appearances from
Edit --> Preferences --> Signatures -->Creation and Appearance --> More
but I'm not seeing anywhere that those appearances are actually exposed for use. The Place Signature option behaves the same even after creating the appearances, no new option shows up under the Fill and Sign that makes use of those Preference settings. I found a posting (http://answers.acrobatusers.com/Saving-multiple-signatures-q82338.aspx) specific to Acrobat saying that this would cause a dropdown to appear, allowing the user to choose from the appearances, but again the behavior is shared between both Acrobat and Reader, in that the alleged dropdown never appears.

Hi Stark,
Exactly....Even my list of signatures does not return anything with PSS. Like how you said may be there is no engine support. But is there any workaround for this??? How can i use PSS with RSA in Java 1.5??? Any idea??
And also in the JCE Crypto Spec, it is given that "For the new signature schemes defined in PKCS #1 v 2.0, for which the <digest>with<encryption> form is insufficient, <digest>with<encryption>and<mgf> can be used to form a name. Here, <mgf> should be replaced by a mask generation function such as MGF1. Example: MD5withRSAandMGF1. " but this also is not displayed in the list of signatures. Am I wrong in my understanding or over looking something or is it that java 5 has not yet started supporting if signature algos are given in this format. Any idea here too ??

RSA -- signing/verifying data

assuming i have the public and private keys already....
class RSA{
     Signature sign;
... //sets up keys and stuff
     private void setupRSA(){
          sign = Signature.getInstance("RSA");
          sign.initSign(privateKey);
          sign.initVerify(publicKey);
     public void sign(final String plaintext) throws SignatureException{
          byte [] plaintextByte = plaintext.getBytes();
          sign.update(plaintextByte);
          byte [] signedData = sign.sign();
          return new sun.misc.BASE64Encoder().encode(signedData);
     public boolean verify(final String signed) throws IOException, SignatureException{
          byte [] signedByte = new sun.misc.BASE64Decoder().decodeBuffer(signed);
          sign.update(signedByte);
          return sign.verify(signedByte);
     public static void main(String [] args){
          String signed = rsa.sign("Signature");
          boolean verify = rsa.verify(signed);
     }i get the following exception:
java.security.NoSuchAlgorithmException: RSA Signature not available
     at java.security.Signature.getInstance(Signature.java:193)
     at RSA.setupRSA(RSA.java:62)
     at RSA.<init>(RSA.java:18)
     at Test.main(Test.java:7)
java.lang.NullPointerException
what should i do to fix this problem?
over CodeProject, i see the example using "SHA1withRSA". when i use that, i get only the NullPointerException.
is there a way to use RSA only... and how do i get rid of the NullPointerException?

1) Normally, a signature is the encryption of the digest of the data to be signed so you need to specify the digest method. "RSA" on it's own does not specify the digest method since there is no default digest method.
2) A Signature cannot be initialised for for both 'signing' and 'verification' at the same time. You can re-initialize whenever you like so you just have to initSign() just before signing and initVerify() just before verifying.

How many space takes a digital signature

Hello,
I wait for the activation key of JCOP to use with Eclipse. so I can try nothing, only plan and clue some code snippets together. For planning my data structures I need to know how big a digital signature is.
Thank you very much.
mimaxx

It depends on the encryption algorithm you use to create the actual signature, i.e. if you use 1024 bit RSA, the signature will be 1024 bit. Easy peacy.

XML Signatures - How To ?

I need of help how to organize a XML structure for hierarchical (nested) signature scheme. For example:
Signed Object 1: O1
Signatures Level 1:
- S1.1 signs O1;
- S1.2 signs O1;
Signature Level 2:
- S2.1 signs O1, S1.1 and S1.2
- S2.2 signs O1, S1.1 and S1.2
Signature Level 3:
- S3.1 signs O1, S2.1 and S2.2.
Maybe it is good to combine the signature of different levels in Manifest, but I don't know how to do that.
Any help?

Hi,
There are 3 variant:
1. Using only references;
2. Using XPath;
3. Using Manifest.
The clear for me which is simple and easy for realization is the 1st variant.
I can't find any examples for using of Manifest, so I don't know how to implement it.
XPath is very complicated for me.
So, the References are my way.

JAXB: XJC src-resolve error when importing other schemes

Hi!
I keep getting a src-resolve error from the JAXB binding compiler whenever I try to import other XML schemes into my own.
For example:
I want to use a SignatureType element as defined in the official XML signature schema.
So I imported it into my own schema and use it as follows:
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xsd:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xsd:complexType name="PayloadType">
<xsd:sequence>
<xsd:element name="signature" type="ds:SignatureType" minOccurs="0"/>
</xsd:sequence>
</xsd:complexType>However if I run XJC to compile my schema I get this error:
[xjc] [ERROR] src-resolve: Cannot resolve the name 'ds:SignatureType' to a(n) 'type definition' component.I am using JAXB 2.0 EA from the JWSDP 2.0 and XJC is called from an Ant task.
I am pretty new to JAXB and XML schemes, so any help on this topic would be greatly appreciated.

I got the the answer from another forum; it was a proxy problem. Just to inform succeeding readers, here is what I did:
To receive a better error output, I modified my ant buildfile to use the "nv" parameter:
<xjc schema="${path}/.../mySchema.xsd" package="mySchemaPackage" destdir="${path}/.../src">
<arg value="-nv" />
<produces dir="${path}/.../src/mySchemaPackage" includes="**/*.java" />
</xjc>Result:
The XJC compiler gives me a different (better) error message:
[xjc] [ERROR] java.net.ConnectException: Connection timed out: connectSo I looked in my Ant buildfile again to check the proxy settings. I merely used property-tags to define my proxy settings (<property name="http.proxyHost" value="nnn.nnn.nnn.nnn" /> and <property name="http.proxyPort" value="nnnn" /> ) which apparently do not work.
Instead this here does the trick:
<setproxy proxyhost="nnn.nnn.nnn.nnn" proxyport="nnnn"/>Good to now that "nv" might give you a better error report.

Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-
Has anyone seen this before and might know the answer? Any suggestions? Thanks!
I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
Everything works fine when I use a particular UPN suffix to login to the RSA Securid Login form that is presented, eg. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory, (eg. [email protected]), the credentials are rejected. This happens before the secuirid.pl script even gets a chance to run. After hitting "POST" the user is present with the same login screen he was just at, as expected during an authentication failure.
More info:
- I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
- if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
- I am not using SSL in any of this yet, it's all http://
- yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "login can fail if the Login Attribute Contains an "@" Character in Integration Guide Troubleshooting section
- here's an example of the settings in rsa securid authentication scheme:
action:/OracleAccessManager/securid-cgi/securid.pl
form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
creds:login password domain newpin newpin2
passthrough:yes
authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
Environment:
OAM 7.0.4.3
RSA Ace Server 5.2
Windows 2003 domain with multiple UPNs defined in Active Direcory Domains and Trusts
Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
\Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
Only error seen in log produced by the RSA agent that sits on the Access server:
[20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
[20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
[20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
[20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
[20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
[20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
[20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
[20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
-Vinod

RSA cryptography with NOPAD

Can anyone provide me with pseudo code/algorithm, that will give the steps to encrypt and decrypt a message using the RSA/NOPAD combination. I will implement using cryptix 3.2.
If any documentation is available regarding RSA/NOPAD, please provide the link(s) or mail it to my id.
I also need verified test data to test the implementation. I looked in rsalabs but was unable to find any.
Thanks to all.
Regards.
Arnab.

sabre150 >Of course there are! The mathematics says that if your planetext converted to number is bigger than the modulus then you will loose information.
Arnab> Missed this point before. Thank you.
sabre150 >Also, if your planetext converted to a number is small such that m^e is less than the modulus ............... published by Wiley.
Arnab> Thanks again.
sabre150 >I don't understand what you are trying to do? If you are doing it all yourself (as you imply) then YOU will have to split the planetext into blocks and YOU will have to provide any padding.
Arnab>I am splitting the plain text to proper block, based on the key length. For PKCS#1 implementation I am providing a 11 byte header and padding if necessary.
For NoPad, I guess I can leave the byte and header out, and just split the message into blocks of size equal to modulus.
If by "doing it all yourself ", you mean that "am I writing the code to do the splitting and padding" then yes.
sabre150 >Your search does not seem to have been very thorough because the fifth entry that Google came up with is.......
Arnab> Thank you for the link. However the test vectors contain data for RSAES-OAEP and RSA-PSS algorithms.
Cipher text generated using RSAES-PKCS1 or NOPAD obviously will not validate against the test data which are meant for RSAES-OAEP.
Did I miss anything here?
Thank you again for your patience and time. Please let me know if you see that I am wrong somewhere.
Regards.
Arnab.

Web Service Security username token...

Hi All,
I am presently trying to build in security authentication into my web service using the username-token and the verify-username-token tokens.
My WS_stub.xml on the proxy side looks like the following:-
other tokens
<security>
<inbound/>
<outbound>
<username-token name="NAME" password="PASS" password-type="DIGEST" add-nonce="true" add-created="true"/>
</outbound>
</security>
other tokens
and my oracle-webservices.xml on hte web service side looks like the following:-
other tokens
<security>
<inbound>
<verify-username-token name="NAME" password="PASS" password-type="DIGEST"
require-nonce="true"
require-created="true"/>
</inbound>
<outbound/>
</security>
other tokens
I have set the javacache.xml for the embedded OC4J location as follows:-
</persistence>
<max-objects>1000</max-objects>
<max-size>48</max-size>
<clean-interval>60</clean-interval>
</cache-configuration>
When I run the web service followed by the proxy I get the following error at the proxy side.
javax.xml.rpc.soap.SOAPFaultException: Policy requires DIGEST passwords
     at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
     at com.airliquide.smartcyl.runtime.TrailerWSSoapHttp_Stub.addtrailerinfo(TrailerWSSoapHttp_Stub.java:76)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.addtrailerinfo(TrailerWSSoapHttpPortClient.java:60)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.main(TrailerWSSoapHttpPortClient.java:47)
Also it gives exceptions with repect to nonces such as "Policy requires nonce". Please could someone tell me how to setup an nonce in the xml files above and how to use nonce in web services?
Regards,
Lester.

Hi All,
Presently I am trying to set the security for my web service and am receiving the following error when doing so at the proxy side:-
oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.createSoapFaultException(InterceptorChainImpl.java:338)
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleException(InterceptorChainImpl.java:256)
     at oracle.j2ee.ws.common.mgmt.runtime.InterceptorChainImpl.handleRequest(InterceptorChainImpl.java:128)
     at oracle.j2ee.ws.common.mgmt.runtime.AbstractInterceptorPipeline.handleRequest(AbstractInterceptorPipeline.java:87)
     at oracle.j2ee.ws.client.StubBase._preRequestSendingHook(StubBase.java:699)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:147)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
     at com.airliquide.smartcyl.runtime.TrailerWSSoapHttp_Stub.addtrailerinfo(TrailerWSSoapHttp_Stub.java:76)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.addtrailerinfo(TrailerWSSoapHttpPortClient.java:62)
     at com.airliquide.smartcyl.TrailerWSSoapHttpPortClient.main(TrailerWSSoapHttpPortClient.java:49)
Process exited with exit code 0.
My WS_Stub.xml file under runtime of the proxy project looks as follows:-
<?xml version="1.0" encoding="UTF-8"?>
<oracle-webservice-clients xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:noNamespaceSchemaLocation='http://xmlns.oracle.com/oracleas/schema/oracle-webservices-client-10_0.xsd'>
<webservice-client>
<service-qname namespaceURI="http://trailerinfo/" localpart="TrailerWS"/>
<port-info>
<wsdl-port namespaceURI="http://trailerinfo/" localpart="TrailerWSSoapHttpPort"/>
<runtime enabled="security">
<security>
<key-store name="mytestkeystore" store-pass="mytestkeystore" path="C:\Temp\mytestkeystore.jks"/>
<signature-key key-pass="sampwd" alias="sam"/>
<encryption-key key-pass="davepwd" alias="dave"/>
<inbound>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound>
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="true"/>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key alias="dave"/>
<encryption-method>3DES</encryption-method>
<keytransport-method>RSA-1_5</keytransport-method>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
<operations>
<operation name='addtrailerinfo'>
<runtime>
<security>
<inbound/>
<outbound>
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="true"/>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key alias="test"/>
<encryption-method>3DES</encryption-method>
<keytransport-method>RSA-1_5</keytransport-method>
<tbe-elements>
<tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
</operation>
</operations>
</port-info>
</webservice-client>
</oracle-webservice-clients>
My oracle-webservices.xml file looks like the following:-
<oracle-webservices xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/oracle-webservices-10_0.xsd">
<webservice-description name="TrailerWS">
<port-component name="TrailerWSSoapHttpPort">
<runtime enabled="security">
<security>
<key-store name="mytestkeystore" store-pass="mytestkeystore"
path="META-INF/mytestkeystore.jks"/>
<signature-key key-pass="sampwd" alias="sam"/>
<encryption-key key-pass="davepwd" alias="dave"/>
<inbound>
<verify-username-token password-type="PLAINTEXT"
require-nonce="false"
require-created="true"/>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
<recipient-key key-pass="" alias="dave"/>
<encryption-method>3DES</encryption-method>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbe-elements>
</encrypt>
</outbound>
</security>
</runtime>
<operations>
<operation name="addtrailerinfo"
input="{http://trailerinfo/}addtrailerinfoElement">
<runtime>
<security>
<inbound>
<verify-username-token require-nonce="false"
require-created="true"
password-type="PLAINTEXT"/>
<verify-signature>
<signature-methods>
<signature-method>DSA-SHA1</signature-method>
<signature-method>RSA-MD5</signature-method>
<signature-method>RSA-SHA1</signature-method>
</signature-methods>
<tbs-elements>
<tbs-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<verify-timestamp created="true" expiry="28800"/>
</verify-signature>
<decrypt>
<encryption-methods>
<encryption-method>AES-128</encryption-method>
<encryption-method>AES-256</encryption-method>
<encryption-method>3DES</encryption-method>
</encryption-methods>
<tbe-elements>
<tbe-element local-part="Body"
name-space="http://schemas.xmlsoap.org/soap/envelope/"
mode="CONTENT"/>
</tbe-elements>
</decrypt>
</inbound>
<outbound/>
</security>
</runtime>
</operation>
</operations>
</port-component>
</webservice-description>
</oracle-webservices>
I checked this exception out at hte following link
http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html#keystore
which lists hte instructions to secure a web service. The trouble shooting section lists this exception and says it might be due to a timestamp created flag being set to false. However I have made sure that both the client and service side xml files above have this set to true and are matching.
However I am still not able to eliminate this error. Please could someone help me out? This is urgent.
Regards,
Lester.

JDeveloper WS Security Client Proxy - Axis WS

Hi everybody
i'm using JDeveloper 10.1.3.3.0.
I'm trying to connect to a webservice developed by a external provider. The external provider used axis (i dont know what is its version nor nothing about its configuration) to create the ws. When i test the ws client proxy, the ws developed in axis returns the following fault:
javax.xml.rpc.soap.SOAPFaultException: WSDoAllReceiver: security processing failed (actions mismatch)
     at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:555)
     at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
     at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
Reading the axis documentation, i found that the problem could be the order and the quantity of the ws security header elements. In my case, i'm trying with only the Signature and Timestamp elements (In that order). The external provider told me that those are the actions expected by them. So, the logical alternative than probably solve this problem is to switch the order of the ws security header elementes (Firts Timestamp, then Signature).
I created the ws proxy using the jdeveloper wizard. Then, i modified the xxxSoapBinding_Stub.xml like this:
<oracle-webservice-clients xmlns:....
<runtime enabled="security">
<security>
<key-store name="myks" path="c:/temp/cert/myks.jks" store-pass="password"/>
<signature-key alias="test" key-pass="password"/>
<encryption-key alias="test" key-pass="password"/>
<inbound/>
<outbound>
<signature>
<signature-method>RSA-SHA1</signature-method>
<tbs-elements>
<tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
</tbs-elements>
<add-timestamp created="true" expiry="28800" />
</signature>
</outbound>
</security>
</runtime>
<operations>
<operation name="queryDeclarations">
</operation>
</operations>
</port-info>
</webservice-client>
</oracle-webservice-clients>
This is the ws security header generated by my proxy client in this moment:
<wsse:Security
     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
     xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
     xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
     env:mustUnderstand="1">
     <wsse:BinarySecurityToken
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          wsu:Id="_6F60NR6IXB2dYJCgIYy9JA22"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          MIIGLzCCBRegAwIBAg...
     </wsse:BinarySecurityToken>
     <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
          xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:SignedInfo>
               <dsig:CanonicalizationMethod
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <dsig:SignatureMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <dsig:Reference URI="#MOmq8nF2iGaNEXc4TEN0ew22">
                    <dsig:Transforms>
                         <dsig:Transform
                              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </dsig:Transforms>
                    <dsig:DigestMethod
                         Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <dsig:DigestValue>
                         ExIbc9ws2rIxB4j8DD64y3kjSoA=
                    </dsig:DigestValue>
               </dsig:Reference>
          </dsig:SignedInfo>
          <dsig:SignatureValue>
               ieZtnbn2ytnmyE8fL9lO10nwzYARHu...
          </dsig:SignatureValue>
          <dsig:KeyInfo>
               <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference
                         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                         xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                         URI="#_6F60NR6IXB2dYJCgIYy9JA22"
                         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
               </wsse:SecurityTokenReference>
          </dsig:KeyInfo>
     </dsig:Signature>
     <wsu:Timestamp
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsu:Created>2010-04-29T23:17:38Z</wsu:Created>
          <wsu:Expires>2010-04-30T07:17:38Z</wsu:Expires>
     </wsu:Timestamp>
</wsse:Security>
is there any way to switch the ws security header elements using jdeveloper or does exist some diferent thing that i can do?
I try using Handlers to capture the SOAPMessage object with the request before it were send. But, on that moment the ws security headers are not present yet in the request. It seems that the request is proceced later behind the scenes :(.... maybe far away from my develpment workspace scope :).
Anyone has tried to do something like i trying to do??
any suggestion?
Thanks in advance
Javier Murcia

I thought you were getting that exception when accessing the proxy.
No. Authentification works fine. Proxy body works fine. But at the end of proxy appears the exception.
Sorry for my english - I tried to show this situation on image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
Are you getting this exception when routing to a business service which is configured for WS-Security ??
I don't use business service in this test project - only simple proxy service with all logic inside.
PS transformation in replace action is very simple too:
(:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
(:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
as element(ns0:NewOperationResponse) {
<ns0:NewOperationResponse>
<out>Hello, { data($newOperation1/in) }!</out>
</ns0:NewOperationResponse>
declare variable $newOperation1 as element(ns0:NewOperation) external;
xf:Hello($newOperation1)
Edited by: Andrey L. on Jun 10, 2010 12:21 PM

RSA PSS Signature scheme

Similar Messages

Maybe you are looking for