RSAEncryption
Hello,
i want to use the RSA-Encryption to encryt the communication between the host and the javacard.
On the host side i use the following code to generate the private and public key and to create the cipher:
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512);
KeyPair kp = kpg.genKeyPair();
publicKey = kp.getPublic();
privateKey = kp.getPrivate();
Cipher cipher = Cipher.getInstance("RSA");Then I send the exponent and the modulus to the card using normal apdus.
In the constructor of the applet i use the following code to init the key and the cipher:
protected WalletApplication(byte[] bArray, short bOffset, byte bLength) {
serverPublicKey = (RSAPublicKey) KeyBuilder.buildKey(
KeyBuilder.TYPE_RSA_PUBLIC,
KeyBuilder.LENGTH_RSA_512, false);
cipher = Cipher.getInstance(ALG_RSA_PKCS1 ,false);
register();
}But if i encrypt a message on the javacard and send it back to the host in order to decrypt it. I got an BadPaddingException. Can someone explain how to fix this problem.
Thanks.
Thanks for your answer, changing the parameter in the getInstance does not solve so the problem, so here is the complete code:
public class Client {
private byte[] message;
private Socket socketCard;
private InputStream is;
private OutputStream os;
private CadClientInterface cad;
private PrivateKey privateKey;
private RSAPublicKey publicKey;
public Client() {
initRSA();
connectToSmartCardSimulator();
public void connectToSmartCardSimulator() {
try {
socketCard = new Socket("localhost", 9025);
is = socketCard.getInputStream();
os = socketCard.getOutputStream();
cad = CadDevice.getCadClientInstance(CadDevice.PROTOCOL_T1, is, os);
cad.powerUp();
cad.exchangeApdu(selectAppletApdu());
// send the public key to the card
cad.exchangeApdu(sendExponentApdu(publicKey.getPublicExponent()));
cad.exchangeApdu(sendModulusApdu(publicKey.getModulus()));
// send a message to the card and get it back encrypted
message = encryptMessage();
cad.powerDown();
socketCard.close();
System.out.println(new String(message));
System.out.println(new String(rsaDecrypt(message)));
} catch (IOException ex) {
ex.printStackTrace();
} catch (CadTransportException ex) {
ex.printStackTrace();
private Apdu selectAppletApdu() {
Apdu apdu = new Apdu();
apdu.command[Apdu.CLA] = (byte) 0x00;
apdu.command[Apdu.INS] = (byte) 0xa4;
apdu.command[Apdu.P1] = (byte) 0x04;
apdu.command[Apdu.P2] = (byte) 0x00;
byte[] aid = {(byte) 0x20, (byte) 0xDC, (byte) 0xA1, (byte) 0xCA,
(byte) 0xC9, (byte) 0xF5};
apdu.setDataIn(aid);
return apdu;
private Apdu sendExponentApdu(BigInteger exponent) {
Apdu apdu = new Apdu();
apdu.command[Apdu.CLA] = (byte) 0xB0;
apdu.command[Apdu.INS] = (byte) 0x20;
apdu.command[Apdu.P1] = (byte) 0x02;
apdu.command[Apdu.P2] = (byte) 0x00;
apdu.setDataIn(exponent.toByteArray());
return apdu;
private Apdu sendModulusApdu(BigInteger modulus) {
Apdu apdu = new Apdu();
apdu.command[Apdu.CLA] = (byte) 0xB0;
apdu.command[Apdu.INS] = (byte) 0x30;
apdu.command[Apdu.P1] = (byte) 0x01;
apdu.command[Apdu.P2] = (byte) 0x00;
apdu.setDataIn(modulus.toByteArray());
return apdu;
public byte[] rsaDecrypt(byte[] data) {
try {
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
cipher.init(Cipher.DECRYPT_MODE, privateKey);
byte[] cipherData = cipher.doFinal(data);
return cipherData;
} catch (InvalidKeyException ex) {
ex.printStackTrace();
} catch (IllegalBlockSizeException ex) {
ex.printStackTrace();
} catch (BadPaddingException ex) {
ex.printStackTrace();
} catch (NoSuchAlgorithmException ex) {
ex.printStackTrace();
} catch (NoSuchPaddingException ex) {
ex.printStackTrace();
return null;
private void initRSA() {
try {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512);
KeyPair kp = kpg.genKeyPair();
publicKey = (RSAPublicKey) kp.getPublic();
privateKey = kp.getPrivate();
} catch (NoSuchAlgorithmException ex) {
ex.printStackTrace();
public static void main(String[] args) {
Client client = new Client();
private byte[] encryptMessage() throws CadTransportException, IOException {
Apdu apdu = new Apdu();
apdu.command[Apdu.CLA] = (byte) 0xB0;
apdu.command[Apdu.INS] = (byte) 0x40;
apdu.command[Apdu.P1] = (byte) 0x02;
apdu.command[Apdu.P2] = (byte) 0x00;
apdu.setDataIn("This is a test".getBytes());
cad.exchangeApdu(apdu);
return apdu.getDataOut();
public class WalletApplication extends Applet {
// codes of CLA byte in the command APDUs
final static byte Wallet_CLA = (byte) 0xB0;
final static byte INS_SET_PUBLIC_KEY = (byte) 0x20;
final static byte P1_SET_PUBLIC_KEY_MODULUS = (byte) 0x01;
final static byte P1_SET_PUBLIC_KEY_EXPONENT = (byte) 0x02;
final static byte INS_CRYPTION_MODE = (byte) 0x40;
final static byte P1_DECRYPTION_MODE = (byte) 0x01;
final static byte P1_ENCRYPTION_MODE = (byte) 0x02;
private RSAPublicKey publicKey;
private Cipher cipher;
public static void install(byte[] bArray, short bOffset, byte bLength) {
new WalletApplication(bArray, bOffset, bLength);
protected WalletApplication(byte[] bArray, short bOffset, byte bLength) {
publicKey = (RSAPublicKey) KeyBuilder.buildKey(
KeyBuilder.TYPE_RSA_PUBLIC,
KeyBuilder.LENGTH_RSA_512, false);
cipher = Cipher.getInstance(Cipher.ALG_RSA_PKCS1,false);
// register the applet instance with the JCRE
register();
public boolean select() {
return true;
public void deselect() {
public void process(APDU apdu) {
byte[] buffer = apdu.getBuffer();
if (selectingApplet()) {
return;
// verify the CLA byte
if (buffer[ISO7816.OFFSET_CLA] != Wallet_CLA) {
ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
// check the INS byte to decide which service method to call
switch (buffer[ISO7816.OFFSET_INS]) {
case INS_SET_PUBLIC_KEY:
switch (buffer[ISO7816.OFFSET_P1]) {
case P1_SET_PUBLIC_KEY_EXPONENT:
setServerKeyExp(apdu);
break;
case P1_SET_PUBLIC_KEY_MODULUS:
setServerKeyMod(apdu);
break;
return;
case INS_CRYPTION_MODE:
switch (buffer[ISO7816.OFFSET_P1]) {
case P1_ENCRYPTION_MODE:
rsaEncrypt(apdu);
break;
return;
default:
ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
private void setServerKeyMod(APDU apdu) {
byte[] buffer = apdu.getBuffer();
byte byteRead = (byte) (apdu.setIncomingAndReceive());
try {
publicKey.setModulus(buffer, ISO7816.OFFSET_CDATA, byteRead);
} catch (ArrayIndexOutOfBoundsException ex) {
ISOException.throwIt((short) 0x6889);
} catch (TransactionException ex) {
ISOException.throwIt((short) (0x6803 + ex.getReason()));
private void setServerKeyExp(APDU apdu) {
byte[] buffer = apdu.getBuffer();
byte byteRead = (byte) (apdu.setIncomingAndReceive());
try {
publicKey.setExponent(buffer, ISO7816.OFFSET_CDATA, byteRead);
} catch (ArrayIndexOutOfBoundsException ex) {
ISOException.throwIt((short) 0x6801);
} catch (NullPointerException ex) {
ISOException.throwIt((short) 0x6800);
} catch (TransactionException ex) {
ISOException.throwIt((short) 0x6803);
private void rsaEncrypt(APDU apdu) {
byte[] buffer = apdu.getBuffer();
byte byteRead = (byte) (apdu.setIncomingAndReceive());
cipher.init(publicKey, Cipher.MODE_ENCRYPT);
short length = cipher.doFinal(buffer, (short) ISO7816.OFFSET_CDATA, byteRead, buffer, (short) ISO7816.OFFSET_CDATA);
apdu.setOutgoing();
apdu.setOutgoingLength((short) length);
apdu.sendBytesLong(buffer, (short) ISO7816.OFFSET_CDATA, (short) length);
}Best regards,
Thorsten
Similar Messages
-
Need Help about Certificate based Authentication
Hi friends..
Currently, i'm trying to develop an applet that using Certificate Based Authentication..
i have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
these is what Safarmer says about steps to generate CSR :
0. Generate key pair on the card.
1. Get public key from card
2. Build CSR off card from the details you have, the CSR will not have a signature
3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
4. Generate a SHA1 hash of the CSR (without the signature section)
5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
6. Send DigestInfo to the card
7. On the card, the matching private key to encrypt the DigestInfo
8. Return the encrypted digest info to the host
9. Insert the response into the CSR as the signature
Sorry, i'm a little bit confused about those steps.. (Sorry i'm pretty new in X509Certificate)..
on step 4,
Generate a SHA1 hash of the CSR (without the signature section)
Does it mean we have to "build" CSR looks like :
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
db:38:2f:5b:1f:85:c1:20:eb
Exponent: 65537 (0x10001)
Attributes:
a0:00
on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
How DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) looks like?
And what is the DigestInfo Contains, and what is TAG for DigestInfo?..
Please help me regarding this..
Thanks in advance..
Leonardo CarreiraHi,
Leonardo Carreira wrote:
Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
I think its' easier to encode the public key by Off Card app..
Could you guide me how to achieve this?, i think Bouncy Castle can do this, but sorry, i don't know how to write code for it.. :( All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with bouncycastle.
I have several some questions :
1. Does Javacard provide API to deal with DER data format?JC 2.2.1 does not buy JC 2.2.2 does, however I believe this is an optional package though. You can implement this in your applet though.
2. Regarding the Certificate Based Authentication, what stuff that need to be stored in the Applet?..
- I think Applet must holds :
- its Private Key,
- its Public Key Modulus and its Public Key Exponent,
- its Certificate,
- Host Certificate
i think this requires too much EEPROM to store only the key..This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
~800 bytes for your private key
~260 bytes per public key for PKI hierarchy (CA trust points)
~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
3. What is the appropriate RSA key length that appropriate, because we have to take into account that the buffer, is only 255 bytes (assume i don't use Extended Length)..You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
Cheers,
Shane -
Cannot submit web filing form using acroread version 9.4.2 02/11/2011
Hello there.
I am running Fedora14 fully updated.
If I complete the interactive pdf form supplied by Companies House in the United Kingdom I get the following error message.
SSL Error!!!. Please install the CA certificate(s) for SSL communication.
If certificate resides on local disk, try "acroread -installCertificate [-PEM|
-DER] [pathname]" on tyhe command line.
If certificate resides on the server, try "acroread -installCertificate ewf.companieshouse.gov.uk 443" on command line.
So checked I the firewall settings.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT udp -- anywhere 224.0.0.251 state NEW udp dpt:mdns
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpts:6881:6889
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:6881:6889
ACCEPT udp -- anywhere anywhere state NEW udp dpt:56849
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:56849
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-is-bridged
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Which looks ok to me.
[user@k8 tv]$ acroread -installCertificate ewf.companieshouse.gov.uk 443
Fetching certificate from website....
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = IE, ST = Dublin, L = Dublin, O = Digi-Sign Limited, OU = Terms and Conditions of use: http://www.digi-sign.com/repository, CN = Digi-Sign CA Digi-SSL Xp
verify return:1
depth=0 C = GB, ST = Wales, L = Cardiff, O = Companies House, OU = Web Filing, OU = Provided by Digi-Sign Limited, OU = Digi-SSL Xp, CN = ewf.companieshouse.gov.uk
verify return:1
DONE
Processing ....
The website presented the following Certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:a4:23:f4:cc:ef:4e:e9:d5:89:76:b4:ee:2f:4c:4b
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, ST=Dublin, L=Dublin, O=Digi-Sign Limited, OU=Terms and Conditions of use: http://www.digi-sign.com/reposi
tory, CN=Digi-Sign CA Digi-SSL Xp
Validity
Not Before: Jul 26 00:00:00 2009 GMT
Not After : Jul 26 23:59:59 2011 GMT
Subject: C=GB, ST=Wales, L=Cardiff, O=Companies House, OU=Web Filing, OU=Provided by Digi-Sign Limited, OU=Digi-SSL Xp,
CN=ewf.companieshouse.gov.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e8:68:c9:f7:4f:c5:98:18:5f:d6:34:d0:2a:3d:
53:f8:40:6f:4b:0a:ad:7b:d1:5c:99:85:8a:dd:19:
70:9d:9a:03:95:20:1d:a1:c3:9d:a9:cf:4f:10:97:
dc:5e:1e:c8:c0:d7:50:09:7c:e3:a5:df:48:3d:4e:
09:06:49:1b:ad:dc:b9:f4:42:35:ea:fd:14:e6:c9:
7d:2a:ef:1e:80:3f:26:cd:8e:2f:56:be:13:3c:3e:
f0:62:47:e2:ca:53:f8:8d:57:e7:5d:17:81:b6:1a:
f1:fd:1b:4a:e6:43:83:05:8a:02:92:a4:2d:57:07:
b8:f8:7c:8c:93:a1:09:ad:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:33:5A:0B:4E:35:DA:B8:8E:87:05:64:5F:D8:EC:7D:25:98:DA:BA:3F
X509v3 Subject Key Identifier:
24:CB:12:A4:AA:53:7E:96:83:80:ED:48:FB:D1:6D:CD:B8:3C:1B:BA
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.9
CPS: http://www.digi-sign.com/repository
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.digi-sign.com/DigiSignCADigiSSLXp.crl
Full Name:
URI:http://crl2.digi-sign.com/DigiSignCADigiSSLXp.crl
X509v3 Subject Alternative Name:
DNS:ewf.companieshouse.gov.uk, DNS:www.ewf.companieshouse.gov.uk
Signature Algorithm: sha1WithRSAEncryption
65:4d:83:e7:fa:42:f4:b2:fa:c9:bb:bb:68:56:63:39:f1:14:
98:a8:cb:35:42:32:40:a8:4e:54:95:cd:c9:6c:31:f3:f8:74:
00:df:80:4f:b5:61:65:06:7e:fc:a5:30:36:da:55:10:58:21:
c6:82:ba:f0:11:42:37:5a:6e:82:16:29:be:09:d3:a6:b9:11:
fb:f3:24:1a:ea:bb:73:ea:79:59:67:d7:bb:c8:48:51:bd:70:
01:6e:f2:11:bd:b7:86:13:9a:e9:22:9e:3b:c1:a6:a0:78:fc:
eb:e0:a7:2b:48:2c:26:b3:f9:f4:5b:bd:54:2f:56:83:1f:0a:
ee:2f:50:40:7f:c7:1a:e9:07:da:cd:23:18:14:c8:46:f5:f4:
c3:26:fa:af:12:8e:d8:ac:7a:b7:03:5c:8e:6e:23:9c:1b:ce:
53:03:1a:8e:74:98:47:c9:c5:3a:fa:7f:d3:f6:ca:dd:a4:0b:
50:02:40:64:cf:77:1d:72:3e:9b:4f:f9:c5:df:50:2e:90:a3:
3d:76:62:d8:ef:99:6e:be:1a:b4:89:5e:93:89:fd:0e:f5:47:
0b:2a:a6:08:c5:e5:6f:15:e9:82:42:ba:6a:0b:31:76:dc:d8:
77:70:3f:0a:87:2b:b3:21:0d:4e:09:62:9f:53:14:11:b3:ec:
0f:fb:4a:02
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgIQB6Qj9MzvTunViXa07i9MSzANBgkqhkiG9w0BAQUFADCB
uTELMAkGA1UEBhMCSUUxDzANBgNVBAgTBkR1YmxpbjEPMA0GA1UEBxMGRHVibGlu
MRowGAYDVQQKExFEaWdpLVNpZ24gTGltaXRlZDFJMEcGA1UECxNAVGVybXMgYW5k
IENvbmRpdGlvbnMgb2YgdXNlOiBodHRwOi8vd3d3LmRpZ2ktc2lnbi5jb20vcmVw
b3NpdG9yeTEhMB8GA1UEAxMYRGlnaS1TaWduIENBIERpZ2ktU1NMIFhwMB4XDTA5
MDcyNjAwMDAwMFoXDTExMDcyNjIzNTk1OVowgcAxCzAJBgNVBAYTAkdCMQ4wDAYD
VQQIEwVXYWxlczEQMA4GA1UEBxMHQ2FyZGlmZjEYMBYGA1UEChMPQ29tcGFuaWVz
IEhvdXNlMRMwEQYDVQQLEwpXZWIgRmlsaW5nMSYwJAYDVQQLEx1Qcm92aWRlZCBi
eSBEaWdpLVNpZ24gTGltaXRlZDEUMBIGA1UECxMLRGlnaS1TU0wgWHAxIjAgBgNV
BAMTGWV3Zi5jb21wYW5pZXNob3VzZS5nb3YudWswgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAOhoyfdPxZgYX9Y00Co9U/hAb0sKrXvRXJmFit0ZcJ2aA5UgHaHD
nanPTxCX3F4eyMDXUAl846XfSD1OCQZJG63cufRCNer9FObJfSrvHoA/Js2OL1a+
Ezw+8GJH4spT+I1X510XgbYa8f0bSuZDgwWKApKkLVcHuPh8jJOhCa1vAgMBAAGj
ggGPMIIBizAfBgNVHSMEGDAWgBQzWgtONdq4jocFZF/Y7H0lmNq6PzAdBgNVHQ4E
FgQUJMsSpKpTfpaDgO1I+9Ftzbg8G7owDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEsGA1UdIAREMEIw
QAYLKwYBBAGyMQECAgkwMTAvBggrBgEFBQcCARYjaHR0cDovL3d3dy5kaWdpLXNp
Z24uY29tL3JlcG9zaXRvcnkwegYDVR0fBHMwcTA2oDSgMoYwaHR0cDovL2NybC5k
aWdpLXNpZ24uY29tL0RpZ2lTaWduQ0FEaWdpU1NMWHAuY3JsMDegNaAzhjFodHRw
Oi8vY3JsMi5kaWdpLXNpZ24uY29tL0RpZ2lTaWduQ0FEaWdpU1NMWHAuY3JsMEMG
A1UdEQQ8MDqCGWV3Zi5jb21wYW5pZXNob3VzZS5nb3YudWuCHXd3dy5ld2YuY29t
cGFuaWVzaG91c2UuZ292LnVrMA0GCSqGSIb3DQEBBQUAA4IBAQBlTYPn+kL0svrJ
u7toVmM58RSYqMs1QjJAqE5Ulc3JbDHz+HQA34BPtWFlBn78pTA22lUQWCHGgrrw
EUI3Wm6CFim+CdOmuRH78yQa6rtz6nlZZ9e7yEhRvXABbvIRvbeGE5rpIp47waag
ePzr4KcrSCwms/n0W71UL1aDHwruL1BAf8ca6QfazSMYFMhG9fTDJvqvEo7YrHq3
A1yObiOcG85TAxqOdJhHycU6+n/T9srdpAtQAkBkz3cdcj6bT/nF31AukKM9dmLY
75luvhq0iV6Tif0O9UcLKqYIxeVvFemCQrpqCzF23Nh3cD8KhyuzIQ1OCWKfUxQR
s+wP+0oC
-----END CERTIFICATE-----
Do you want to accept and install it (y|n)? [n] y
Certificate successfully installed.
Which looked ok to my inexperienced glance.
So I tried a resubmission.
I got the first error dialog again, followed by a second which said:
An error occurred during the submit process. Cannot process response due to unknown content type.
Can anybody here help me with this at all?
It would be a real boon to all of Britains UNIX users if anyone could suggest a way forward- as it would appear that the mandated web filing process
is preventing all UNIX and Linux users from filing their compulsory company returns online..
Thankyou.I wish to reiterate anonym0u5 concerns for this problem, but it could be a problem with Companies House.
I did
acroread -installCertificate -PEM ewf.companieshouse.gov.uk
acroread -installCertificate -PEM UTN-USERFirst-Hardware
acroread -installCertificate -PEM Digi-Sign\ CA\ Digi-SSL\ Xp
acroread -installCertificate -PEM Builtin\ Object\ Token\:AddTrust\ External\ Root
after having clicked the padlock at the top in Chrome and downloaded the certificates. Note the slight difference in file name.
then restarting acroread I get the above (again). So I stop it and do as it says:
acroread -installCertificate xmlgw.companieshouse.gov.uk 443
Unfortunately:
The problem still persists. I have written to Companies House:
Filling in my CT600 online and taking advantage of the ability to submit accounts to Companies House, I put in my company number and authentication code but then am presented by the following:
so I save the file, close Acrobat and do as it says:
nigel@p4dx2:~/Documents/accounts/nsl/certificates$ acroread -installCertificate xmlgw.companieshouse.gov.uk443
which eventually returns
Do you want to accept and install it (y|n)? [n] y
Certificate successfully installed.
Then I reopen the CT600 with Acrobat. But unfortunately the same thing happens. What digital certificate is needed? Where can I find it?
I will let this forum know of any response. -
Can I encrypt a string with RSA encryption using DBMS_CRYPTO?
We have an web application that does a redirect thru a database package to a 3rd party site. They would like us to encrypt the querystring that is passed using RSA encryption. The example that they've given us (below) uses the RSA cryptographic service available in .NET. Is it possible to do this using DBMS_CRYPTO or some other method in Oracle?
Below are the steps outlined to use the key to generate the encrypted URL
2.1 Initialize Service
The RSA cryptographic service must be initialized with the provided public key. Below is sample code that can be used to initialize the service using the public key
C#
private void InitializeRSA( string keyFileName )
CspParameters cspParams = new CspParameters( );
cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
m_sp = new RSACryptoServiceProvider( cspParams );
//Load the public key from the supplied XML file
StreamReader reader = new StreamReader( keyFileName );
string data = reader.ReadToEnd( );
//Initializes the public key
m_sp.FromXmlString( data );
2.2 Encryption method
Create a method that will encrypt a string using the cryptographic service that was initialized in step 2.1. The encryption method should convert the encryption method to Base64 to avoid special characters from being passed in the URL. Below is sample code that uses the method created in step 2.1 that can be used to encrypt a string.
C#
private string RSAEncrypt( string plainText )
ASCIIEncoding enc = new ASCIIEncoding( );
int numOfChars = enc.GetByteCount( plainText );
byte[ ] tempArray = enc.GetBytes( plainText );
byte[ ] result = m_sp.Encrypt( tempArray, false );
//Use Base64 encoding since the encrypted string will be used in an URL
return Convert.ToBase64String( result );
2.3 Generate URL
The query string must contain the necessary data elements configured for you school in Step 1. This will always include the Client Number and the Student ID of the student clicking on the link.
1. Build the query string with Client Number and Student ID
C#
string queryString = “schoolId=1234&studentId=1234”;
The StudentCenter website will validate that the query string was generated within 3 minutes of the request being received on our server. A time stamp in UTC universal time (to prevent time zone inconsistencies) will need to be attached to the query string.
2. Get the current UTC timestamp, and add the timestamp to the query string
C#
string dateTime = DateTime.UtcNow.ToString(“yyyy-MM-dd HH:mm:ss”);
queryString += “¤tDT=” + dateTime;
Now that the query string has all of the necessary parameters, use the RSAEncrypt (Step 2.2) method created early to encrypt the string. The encrypted string must also be url encoded to escape any special characters.
3. Encrypt and Url Encode the query string
C#
string rsa = RSAEncrypt(querystring);
string eqs = Server.UrlEncode(rsa);
The encrypted query string is now appended to the Url (https://studentcenter.uhcsr.com), and is now ready for navigation.
4. Build the URL
C#
string url = “https://studentcenter.uhcsr.com/custom.aspx?eqs=” + eqsThe documentation lists all the encyrption types:
http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm#ARPLS664 -
Error -2147415740 from Keychain when importing a root CA certificate
I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".
Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (8192 bit)
Modulus (8192 bit):
I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?
Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.
For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.sigh
Result 1, this thread
Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.
Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.
Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification. -
Hi,
Im trying to verify the PKCS& detached signature.. Verification is working fine. But if i try to alter or delete certian characters in my signature file its still saying verification success can anybody have a look at this code and help me to sort out this issue. Is there any other way with which i can verify the signature.
Here is the code:
import java.security.Security;
import java.io.*;
import org.bouncycastle.jce.PKCS7SignedData;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.util.Arrays;
import java.util.*;
import java.text.SimpleDateFormat;
import java.util.Iterator;
import java.util.List;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.io.FileInputStream;
import javax.security.auth.x500.X500Principal;
import java.lang.*;
import java.io.PrintWriter;
import java.security.cert.*;
import java.util.Vector;
import java.lang.*;
import java.io.IOException;
import java.util.Collection;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
class VerifyP7s {
public static void main(String args[]) {
if (args.length < 2)
usage();
//Plug the Provider into the JCA/JCE
Security.addProvider(new BouncyCastleProvider());
FileInputStream freader = null;
//------ Get the content data from file -------------
File f = new File(args[1]) ;
int sizecontent = ((int) f.length());
byte[] bytes = new byte[sizecontent];
try {
freader = new FileInputStream(f);
System.out.print("\nContent Bytes: " + freader.read(bytes, 0, sizecontent));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
//------ Get the pkcs #7 data from file -------
File p7s = new File(args[0]) ;
int size = ((int) p7s.length());
byte[] bytessig = new byte[size];
try {
freader = new FileInputStream(p7s);
System.out.println(" PKCS#7 bytes: " + freader.read(bytessig, 0, size));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
// --- Use Bouncy Castle provider to attempt verification of p7s ---
if(isBase64Encoded(bytessig)){
System.out.println("Signature file is BASE64 encoded") ;
try{
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder() ;
byte[] bdecoded = dec.decodeBuffer(new String(bytessig));
if (isVerified(bdecoded, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as BASE64-encoded DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
catch(Exception exc) {
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
return;
else { //if NOT base64 encoded
if (isVerified(bytessig, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as binary DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
private static byte[] toUnicode(byte[] bytes) {
byte[] ucbytes = new byte[2*bytes.length];
for (int j = 0; j< bytes.length; j++) {
ucbytes[2*j] = bytes[j];
ucbytes[2*j+1] = 0x00; //null byte for UNICODE encoding
return ucbytes;
private static final boolean isVerified(byte[] sig, byte[] content) {
try{
PKCS7SignedData pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(content, 0, content.length); // Update checksum
boolean verified = pkcs7.verify(); // Does it add up?
if(!verified) { //see if original data was UNICODE byte encoding
//System.out.println("Original byte content not verified.\nTrying UNICODE encoding ...");
pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(toUnicode(content), 0, 2*content.length);
verified = pkcs7.verify();
if(verified){
System.out.println("\nUNICODE-encoding of signed content was verified.");
return true;
else
//System.out.println("\nCould NOT verify signed detached content");
return false;
else
System.out.println("ANSI-encoding of signed content was verified.");
return true ;
catch(java.security.cert.CRLException crle) {
//System.out.println("crl " + crle.toString());
return false;
catch(java.security.SignatureException sigex) {
//System.out.println("sigexcept " + sigex.toString());
return false;
catch(Exception secex) {
//System.out.println("other exception " + secex.toString());
return false;
private static final boolean isBase64Encoded(byte[] data) {
Arrays.sort(Base64Map);
for (int i=0; i<data.length; i++){
//System.out.println("data[" + i + "] " + (char)data) ;
if( Arrays.binarySearch(Base64Map, (char)data)<0
&& !Character.isWhitespace((char)data) )
return false;
return true;
public String printX509Cert(X509Certificate cert){
try{
String discrt = cert.getPublicKey().toString();
return discrt;
catch(Exception exception)
System.err.println("Exception is: "+exception.getMessage());
String ex = exception.getMessage();
return ex;
private static char[] Base64Map =
{ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/', '='
private static void usage() {
System.out.println("Usage:\n java VerifyP7s <pkcs #7 signature file> <contentfile> ") ;
System.exit(1);
Here is my signature file:
MIIEoAYJKoZIhvcNAQcCoIIEkTCCBI0CAQExDjAMBggqhkiG9w0CBQUAMAsGCSqGSIb3DQEHAaCC
A3kwggN1MIICXaADAgECAhBjffJNbUvAx4VWV4qkdNLGMA0GCSqGSIb3DQEBBAUAMDExETAPBgNV
BAoTCFNJRlkgTHRkMRwwGgYDVQQDExNTSUZZIEx0ZCBQcml2YXRlIENBMB4XDTA0MDcyNjAwMDAw
MFoXDTA1MDcyNjIzNTk1OVowgZwxETAPBgNVBAoUCFNJRlkgTHRkMSIwIAYDVQQLFBlIdW1hbiBS
ZXNvdXJjZSBEZXBhcnRtZW50MRswGQYDVQQLFBJFbXBsb3llZUlEIC0gU0YwNjcxGzAZBgNVBAMT
ElN1ZGVlcCBLdW1hciBQLiBLLjEpMCcGCSqGSIb3DQEJARYac3VkZWVwa3VtYXJAc2FmZXNjcnlw
dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGOpSIhZEDQ5Z6cxLMpZssi5WWdD0h7
kFWkbXPQk842HqCBFPcClUUWWeT/LJ10VCC9Ff0KrI5lviGl9umnVW+LeCYiI/ksnea/p7tKfOgN
NO+UBoJ4PE5XnUEq03CFWdHhGNfukNqWZiMC+bUX8e6+blFU/6ipUtHmIkIrlNZBAgMBAAGjgaAw
gZ0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgeAMF0GA1UdHwRWMFQw
UqBQoE6GTGh0dHA6Ly9vbnNpdGVjcmwuc2FmZXNjcnlwdC5jb20vU0lGWUx0ZEh1bWFuUmVzb3Vy
Y2VEZXBhcnRtZW50L0xhdGVzdENSTC5jcmwwEQYKYIZIAYb4RQEGCQQDAQH/MA0GCSqGSIb3DQEB
BAUAA4IBAQBpFEGmTHOSfA/SkeC/bvZE3sYpBU0+RG8iSm+DTbP5tiCyWT+L0AidTWDk0ZuXz7yA
eF9NR0OZyxp3/v+OQYn3Q0a1awe+JKnDCD+zayehcPbvD+q79WYHO5Ibm5UA2VnGoBbV3CDhj1qC
lCyqllEKVWk11iB6wu24PzB31uARxkar3cynFNX4P6nxy6vb83W/Wnt8eOMQHI2SiVvJtjU5SwL6
ILrkZfrm7NLcCQY2w7w4/WeFgeb2Ko8hYHSRyvJWwBUyv2ExDGnv0eqHJn6HC+4IE8wzirWre0jY
Y0529u3MfIL0F7lrkuwYnpVa3zE/b2HwCaMrN+TuY/oNkf2YMYHtMIHqAgEBMEUwMTERMA8GA1UE
ChMIU0lGWSBMdGQxHDAaBgNVBAMTE1NJRlkgTHRkIFByaXZhdGUgQ0ECEGN98k1tS8DHhVZXiqR0
0sYwDAYIKoZIhvcNAgUFADANBgkqhkiG9w0BAQEFAASBgDUpkV5Zpi781vTmtydAdOVJ7cecnQ9v
8fdTZwMgz56Q3ZI0pj6+60e8lIafO3mo596eCF2mBsZm2wEO1PhnXPKAQFXWIseDp0GVdmwTp1tH
M2e9fC2bOppNhBKkpZAr26PE6/BIDittE1rM8nJOa+9lzJcDCBBpJM3MdlHjY+8v
My Content file is:
<table width=100%><TR align=center><TH COLSPAN=3>Transfer Funds Request</TH></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">TRANSFER FROM</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>Money Market</B></FONT></TD></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">TRANSFER TO</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>Cash</B></FONT></TD></TR><TR><TD ALIGN=RIGHT><FONT COLOR="#0000FF" SIZE=-1 FACE="Courier">AMOUNT</FONT></TD><TD>..........</TD><TD><FONT SIZE=-1 FACE="Courier"><B>/ \ & \n</B></FONT></TD></TR></table><BR>I am authorizing the transfer of the above funds <B>by digitally signing </B> this request.
Thanx in advance.Your PKCS#7 signature file is dumped by DUMPASN1 as follows:
The verifying code only checks the public key against the data.
If you change some byte of the PKCS#7 data that can "blow up" the ASN.1 structures, you cannot get the public key, so the data would not be verified OK.
But if you change some other byte in the PKCS#7 signature data, it could change some things that are not important to ASN.1 Parsing, like changing 'Human Resource Department' to 'Departamentos de Recursos' that is a string with the same length. So as you don't changed the Public key bytes it's all OK.
If you are concerned about PKCS#7 signature file modification, you can try verifying the signer certificates inside - an additional step, but not difficult to do.
0 30 1184: SEQUENCE {
4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 A0 1169: [0] {
19 30 1165: SEQUENCE {
23 02 1: INTEGER 1
26 31 14: SET {
28 30 12: SEQUENCE {
30 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
40 05 0: NULL
42 30 11: SEQUENCE {
44 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
55 A0 889: [0] {
59 30 885: SEQUENCE {
63 30 605: SEQUENCE {
67 A0 3: [0] {
69 02 1: INTEGER 2
72 02 16: INTEGER
: 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
90 30 13: SEQUENCE {
92 06 9: OBJECT IDENTIFIER
: md5withRSAEncryption (1 2 840 113549 1 1 4)
103 05 0: NULL
105 30 49: SEQUENCE {
107 31 17: SET {
109 30 15: SEQUENCE {
111 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
116 13 8: PrintableString 'SIFY Ltd'
126 31 28: SET {
128 30 26: SEQUENCE {
130 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
135 13 19: PrintableString 'SIFY Ltd Private CA'
156 30 30: SEQUENCE {
158 17 13: UTCTime 26/07/2004 00:00:00 GMT
173 17 13: UTCTime 26/07/2005 23:59:59 GMT
188 30 156: SEQUENCE {
191 31 17: SET {
193 30 15: SEQUENCE {
195 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
200 14 8: TeletexString 'SIFY Ltd'
210 31 34: SET {
212 30 32: SEQUENCE {
214 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
219 14 25: TeletexString 'Human Resource Department'
246 31 27: SET {
248 30 25: SEQUENCE {
250 06 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
255 14 18: TeletexString 'EmployeeID - SF067'
275 31 27: SET {
277 30 25: SEQUENCE {
279 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
284 13 18: PrintableString 'Sudeep Kumar P. K.'
304 31 41: SET {
306 30 39: SEQUENCE {
308 06 9: OBJECT IDENTIFIER
: emailAddress (1 2 840 113549 1 9 1)
319 16 26: IA5String '[email protected]'
347 30 159: SEQUENCE {
350 30 13: SEQUENCE {
352 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
363 05 0: NULL
365 03 141: BIT STRING, encapsulates {
369 30 137: SEQUENCE {
372 02 129: INTEGER
: 00 D1 8E A5 22 21 64 40 D0 E5 9E 9C C4 B3 29 66
: CB 22 E5 65 9D 0F 48 7B 90 55 A4 6D 73 D0 93 CE
: 36 1E A0 81 14 F7 02 95 45 16 59 E4 FF 2C 9D 74
: 54 20 BD 15 FD 0A AC 8E 65 BE 21 A5 F6 E9 A7 55
: 6F 8B 78 26 22 23 F9 2C 9D E6 BF A7 BB 4A 7C E8
: 0D 34 EF 94 06 82 78 3C 4E 57 9D 41 2A D3 70 85
: 59 D1 E1 18 D7 EE 90 DA 96 66 23 02 F9 B5 17 F1
: EE BE 6E 51 54 FF A8 A9 52 D1 E6 22 42 2B 94 D6
: [ Another 1 bytes skipped ]
504 02 3: INTEGER 65537
509 A3 160: [3] {
512 30 157: SEQUENCE {
515 30 9: SEQUENCE {
517 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
522 04 2: OCTET STRING, encapsulates {
524 30 0: SEQUENCE {}
526 30 11: SEQUENCE {
528 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
533 04 4: OCTET STRING, encapsulates {
535 03 2: BIT STRING 5 unused bits
: '101'B
539 30 17: SEQUENCE {
541 06 9: OBJECT IDENTIFIER
: netscape-cert-type (2 16 840 1 113730 1 1)
552 04 4: OCTET STRING, encapsulates {
554 03 2: BIT STRING 7 unused bits
: '1'B (bit 0)
558 30 93: SEQUENCE {
560 06 3: OBJECT IDENTIFIER
: cRLDistributionPoints (2 5 29 31)
565 04 86: OCTET STRING, encapsulates {
567 30 84: SEQUENCE {
569 30 82: SEQUENCE {
571 A0 80: [0] {
573 A0 78: [0] {
575 86 76: [6]
: 'http://onsitecrl.safescrypt.com/SIFYLtdHumanReso'
: 'urceDepartment/LatestCRL.crl'
653 30 17: SEQUENCE {
655 06 10: OBJECT IDENTIFIER '2 16 840 1 113733 1 6 9'
667 04 3: OCTET STRING, encapsulates {
669 01 1: BOOLEAN TRUE
672 30 13: SEQUENCE {
674 06 9: OBJECT IDENTIFIER
: md5withRSAEncryption (1 2 840 113549 1 1 4)
685 05 0: NULL
687 03 257: BIT STRING
: 69 14 41 A6 4C 73 92 7C 0F D2 91 E0 BF 6E F6 44
: DE C6 29 05 4D 3E 44 6F 22 4A 6F 83 4D B3 F9 B6
: 20 B2 59 3F 8B D0 08 9D 4D 60 E4 D1 9B 97 CF BC
: 80 78 5F 4D 47 43 99 CB 1A 77 FE FF 8E 41 89 F7
: 43 46 B5 6B 07 BE 24 A9 C3 08 3F B3 6B 27 A1 70
: F6 EF 0F EA BB F5 66 07 3B 92 1B 9B 95 00 D9 59
: C6 A0 16 D5 DC 20 E1 8F 5A 82 94 2C AA 96 51 0A
: 55 69 35 D6 20 7A C2 ED B8 3F 30 77 D6 E0 11 C6
: [ Another 128 bytes skipped ]
948 31 237: SET {
951 30 234: SEQUENCE {
954 02 1: INTEGER 1
957 30 69: SEQUENCE {
959 30 49: SEQUENCE {
961 31 17: SET {
963 30 15: SEQUENCE {
965 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
970 13 8: PrintableString 'SIFY Ltd'
980 31 28: SET {
982 30 26: SEQUENCE {
984 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
989 13 19: PrintableString 'SIFY Ltd Private CA'
1010 02 16: INTEGER
: 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
1028 30 12: SEQUENCE {
1030 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
1040 05 0: NULL
1042 30 13: SEQUENCE {
1044 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
1055 05 0: NULL
1057 04 128: OCTET STRING
: 35 29 91 5E 59 A6 2E FC D6 F4 E6 B7 27 40 74 E5
: 49 ED C7 9C 9D 0F 6F F1 F7 53 67 03 20 CF 9E 90
: DD 92 34 A6 3E BE EB 47 BC 94 86 9F 3B 79 A8 E7
: DE 9E 08 5D A6 06 C6 66 DB 01 0E D4 F8 67 5C F2
: 80 40 55 D6 22 C7 83 A7 41 95 76 6C 13 A7 5B 47
: 33 67 BD 7C 2D 9B 3A 9A 4D 84 12 A4 A5 90 2B DB
: A3 C4 EB F0 48 0E 2B 6D 13 5A CC F2 72 4E 6B EF
: 65 CC 97 03 08 10 69 24 CD CC 76 51 E3 63 EF 2F
: } -
Signing message with certificate: JCE, IAIK or similar in IBM SDK 5.0
So, I'm in a very difficult problem.
Using Java:
I've an enterprise certificate (in .p12 format) altogether with its public key ("password" string). Also I've a text message which I've to sign in PKCS7 format. I've been reading a lot and I've realized that there's no STANDARD implementation to do what I want to do. There is the JCE/JCA API and the Certification API, but they are just API's, no implementation. Here are the facts:
-I've to run the application in the IBM JDK 5.0 (AS400 system).
-My application actually works in the SUN JDK 6.0 using the IAIK security provider, but not using JCE, its a very ugly code which I dont know really what it does, but it works. When I put it on the IBM JDK 5.0 it fails (java nullpointer blah blah).
-IAIK Documentation says that it works on JDK 5.0. Yeah, it works, but in SUN implementation, not in IBM's.
Today I don't know what the heck to do, really. What do you think it's the best solution?
-Trying to make the IAIK code work in IBM SDK 5.0 by test-and-error method.
-Trying to sign the message using JCE and the IBM JCE provider (this is what I'm actually trying to do). It would be very nice if somebody provides something to read about (I've read lot of IBM/SUN documentation and I couldnt find anything useful for now.
-Trying to put the SUN JDK 6.0 in the AS400. This would be the easy solution but my bosses said that this is impossible and very dangerous, and additionally this wouldn't work.
-Also I've another code which uses the BouncyCastle provider but this doesn't work. Would this be better to learn how to use? I prefer using standards, though.
In conclusion:
I've 4 security providers: IBM, SUN, IAIK and BouncyCastle (just IAIK works, and I need IBM), and
I've 4 SDK's: IBM 5.0, IBM 6.0, SUN 5.0 and SUN 6.0 (just SUN/IBM 6.0 works, and I need IBM 5.0).
I would like any documentation useful to read. I would provide any information which could be important to answer my question.But I hope this could fix it :(
My last code:
public static String firmar(String contenido, String certificado, String password)
throws Exception {
System.out.println(new Date() + ":: Signing using IAIK provider.");
boolean dettached = true;
boolean attributes = true;
boolean CRLF = true;
IAIK iaik = new IAIK();
Security.addProvider(iaik);
byte aByteInfoToSign[] = contenido.getBytes("UTF8");
if(aByteInfoToSign == null)
throw new IOException("Empty message.");
byte digest[] = SHA1(aByteInfoToSign);
String digestHEX = toHexString(digest);
KeyStore keystore = KeyStore.getInstance("PKCS12");
FileInputStream fileinputstream = new FileInputStream(certificado);
keystore.load(fileinputstream, password.toCharArray());
String alias = null;
Enumeration enumeration = keystore.aliases();
if(enumeration.hasMoreElements())
alias = enumeration.nextElement().toString();
else
throw new KeyStoreException("Firmador IAIK: Empty Keystore.");
Certificate certificate = keystore.getCertificate(alias);
PrivateKey privatekey = (PrivateKey)keystore.getKey(alias, password.toCharArray());
* Declared absolutely to avoid incompatibilities betwenn IAIK and Sun classes.
iaik.x509.X509Certificate ax509certificate[] = new iaik.x509.X509Certificate[1];
ax509certificate[0] = new iaik.x509.X509Certificate(certificate.getEncoded());
IssuerAndSerialNumber issuerandserialnumber = new IssuerAndSerialNumber(ax509certificate[0]);
SignerInfo asignerinfo[] = new SignerInfo[1];
asignerinfo[0] = new SignerInfo(issuerandserialnumber, AlgorithmID.sha1, AlgorithmID.rsaEncryption, privatekey);
Attribute aattribute[] = new Attribute[4];
aattribute[0] = new Attribute(ObjectID.contentType, new ASN1Object[] {
ObjectID.pkcs7_data
aattribute[1] = new Attribute(ObjectID.signingTime, new ASN1Object[] {
(new ChoiceOfTime()).toASN1Object()
ObjectID oid = new ObjectID("1.2.840.113549.3.2");
SEQUENCE seqRC2 = new SEQUENCE();
seqRC2.addComponent(oid,0);
seqRC2.addComponent(new INTEGER(40));
SEQUENCE seqEncrypAlgoritmos = new SEQUENCE();
seqEncrypAlgoritmos.addComponent(seqRC2);
Attribute atributo = new Attribute(ObjectID.symmetricCapabilities,
new ASN1Object[] {seqEncrypAlgoritmos});
aattribute[2] = atributo;
aattribute[3] = new Attribute(ObjectID.messageDigest, new ASN1Object[]{ new OCTET_STRING(digest) });
if(attributes)
asignerinfo[0].setAuthenticatedAttributes(aattribute);
byte byte0;
if(dettached)
byte0 = 2;
else
byte0 = 1;
SignedData signeddata = new SignedData(digestHEX.getBytes(), byte0);
signeddata.setCertificates(ax509certificate);
signeddata.addSignerInfo(asignerinfo[0]);
ContentInfo contentinfo = new ContentInfo(signeddata);
if(!contentinfo.hasContent())
throw new Exception("Couldn't create the sign");
ByteArrayOutputStream result = new ByteArrayOutputStream();
ByteArrayOutputStream source = new ByteArrayOutputStream();
contentinfo.writeTo(source); // <-- here is the error (line 136)
Base64OutputStream base64outputstream = new Base64OutputStream(result);
base64outputstream.write(source.toByteArray());
base64outputstream.flush();
base64outputstream.close();
String resFinal;
if(CRLF)
resFinal = result.toString();
else
resFinal = result.toString().replaceAll("[\r\n]+","");
// resFinal = sinCRLF(result.toString());
if(resFinal.equals(""))
throw new Exception("Couldn't create the sign");
* Restore the Security variable.
Security.removeProvider(iaik.getName());
return resFinal;
private static byte[] SHA1(byte abyte0[])
try
MessageDigest messagedigest = MessageDigest.getInstance("SHA-1");
byte abyte1[] = messagedigest.digest(abyte0);
messagedigest.reset();
return abyte1;
catch(NoSuchAlgorithmException nosuchalgorithmexception)
throw new Error("Configuration error", nosuchalgorithmexception);
private static String toHexString(byte abyte0[])
StringBuffer stringbuffer = new StringBuffer();
int i = abyte0.length;
for(int j = 0; j < i; j++)
byte2hex(abyte0[j], stringbuffer);
return stringbuffer.toString().toUpperCase();
private static void byte2hex(byte byte0, StringBuffer stringbuffer)
char ac[] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
'a', 'b', 'c', 'd', 'e', 'f'
int i = (byte0 & 0xf0) >> 4;
int j = byte0 & 0xf;
stringbuffer.append(ac);
stringbuffer.append(ac[j]);
}Using the IBM SDK 5.0, the error:iaik.pkcs.PKCSException: iaik.asn1.CodingException: iaik.asn1.CodingException: Unable to encrypt digest: No installed provider supports this key: (null)
at iaik.pkcs.pkcs7.SignedData.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.SignedDataStream.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.ContentInfo.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.ContentInfo.writeTo(Unknown Source)
at aeat.FirmadorIAIK.firmar(FirmadorIAIK.java:136)
... more irrelevant data... -
Example provided is on 1941 ISR routers with 15.2(2)T1 software. One router has 15.3(1)T.
IKEv2 with pre-shared key comes up fine.
IKEv2 with certificates gives auth exchange fail error
IKEv1 with same certificates comes up fine.
The above were Microsoft CA certificates.
I tried with IOS CA certificates, still auth exchange fail error.
Same results with 3945 and 2911 routers on IOS 15.1(2)TThis is details of how I got it working.
sho tech ipsec
------------------ show version ------------------
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
happy uptime is 30 minutes
System returned to ROM by power-on
System restarted at 20:26:58 UTC Fri Mar 1 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-2.T1.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1621AJFU
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2911/K9 FTX1621AJFU
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 6483 bytes
! Last configuration change at 20:56:07 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname happy
boot-start-marker
boot-end-marker
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 4 4Q5iiIH2YznVeGHA3p6Qjm8oBj4LWNDTHjsG21MxgXU
no aaa new-model
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip domain name csfc.com
ip name-server 192.168.1.3
no ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint dc-ca
enrollment terminal
subject-name cn=happy.csfc,c=us
revocation-check none
crypto pki certificate map CRT 10
issuer-name co csfc
crypto pki certificate chain dc-ca
certificate 3F51979A000000000012
3082038E 30820333 A0030201 02020A3F 51979A00 00000000 12300A06 082A8648
CE3D0403 02303B31 13301106 0A099226 8993F22C 64011916 03636F6D 31143012
060A0992 268993F2 2C640119 16046373 6663310E 300C0603 55040313 0564632D
6361301E 170D3133 30333031 31383532 35365A17 0D313530 33303131 38353235
365A3022 310B3009 06035504 06130275 73311330 11060355 0403130A 68617070
792E6373 66633059 30130607 2A8648CE 3D020106 082A8648 CE3D0301 07034200
0429D4D8 F89E295B F7AF826F 86A3F29D EF48FCFF D2374B0F D39CD393 620D3EFD
D484BFA4 3ED08E16 7FDF839D 0FF85690 26C0545C 1B56EC17 7A2E6C1D 5D1A6CD8
DDA38202 36308202 32300B06 03551D0F 04040302 06C0301D 0603551D 0E041604
142DCC8D 554A4853 C4C03B3D 2400E3EA 459406B5 AE301F06 03551D23 04183016
80142389 F56583FC B73D3F11 79A47EAB 96721E76 81AA3081 BB060355 1D1F0481
B33081B0 3081ADA0 81AAA081 A78681A4 6C646170 3A2F2F2F 434E3D64 632D6361
2C434E3D 44432C43 4E3D4344 502C434E 3D507562 6C696325 32304B65 79253230
53657276 69636573 2C434E3D 53657276 69636573 2C434E3D 436F6E66 69677572
6174696F 6E2C4443 3D637366 632C4443 3D636F6D 3F636572 74696669 63617465
5265766F 63617469 6F6E4C69 73743F62 6173653F 6F626A65 6374436C 6173733D
63524C44 69737472 69627574 696F6E50 6F696E74 3081B406 082B0601 05050701
010481A7 3081A430 81A10608 2B060105 05073002 8681946C 6461703A 2F2F2F43
4E3D6463 2D63612C 434E3D41 49412C43 4E3D5075 626C6963 2532304B 65792532
30536572 76696365 732C434E 3D536572 76696365 732C434E 3D436F6E 66696775
72617469 6F6E2C44 433D6373 66632C44 433D636F 6D3F6341 43657274 69666963
6174653F 62617365 3F6F626A 65637443 6C617373 3D636572 74696669 63617469
6F6E4175 74686F72 69747930 3C06092B 06010401 82371507 042F302D 06252B06
01040182 37150881 98D47A81 B6D74A87 A98B18DF C60887B8 D4794787 BCE00C86
9D892C02 01640201 11301306 03551D25 040C300A 06082B06 01050508 0202301B
06092B06 01040182 37150A04 0E300C30 0A06082B 06010505 08020230 0A06082A
8648CE3D 04030203 49003046 022100E7 E5814B90 CE6EABE2 B12C818A 6323160D
632C0551 B765DA29 0CA4BAAC 27325F02 2100E516 11985F3E CDB23FE7 BB91C836
74C457BB 5EA87ED6 3D9DCF41 AE4CDD40 A28F
quit
certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3
308201DC 30820183 A0030201 0202102C 8A76A790 4BB4B341 B3AAFA9E D387D330
0A06082A 8648CE3D 04030230 3B311330 11060A09 92268993 F22C6401 19160363
6F6D3114 3012060A 09922689 93F22C64 01191604 63736663 310E300C 06035504
03130564 632D6361 301E170D 31333031 32333135 32383435 5A170D31 38303132
33313533 3834345A 303B3113 3011060A 09922689 93F22C64 01191603 636F6D31
14301206 0A099226 8993F22C 64011916 04637366 63310E30 0C060355 04031305
64632D63 61305930 1306072A 8648CE3D 02010608 2A8648CE 3D030107 03420004
EFA5B6B5 BC89C22A B91DDDBB 60034DB9 21655D71 3965177D 9D5956D0 8C45ABC9
38EB4175 44AA06DC 19B94DAB 368AC06C 35077B97 24BE5879 758256FA 03838F2F
A3693067 30130609 2B060104 01823714 0204061E 04004300 41300E06 03551D0F
0101FF04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 142389F5 6583FCB7 3D3F1179 A47EAB96 721E7681 AA301006 092B0601
04018237 15010403 02010030 0A06082A 8648CE3D 04030203 47003044 022010BD
C2ADC8B7 C2C05DB2 CFE2E78A B3A47E2E 8A3193CA 607E4AE3 EEF105F0 42CE0220
056C951C 45ECD966 DFA9BADB 9F1CC71E 8F029C12 F94593A6 21B50A49 C1E62581
quit
license udi pid CISCO2911/K9 sn FTX1621AJFU
username csfc privilege 15 secret 4
username admin privilege 15 secret 4
username Happy privilege 15 secret 4
redundancy
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha256
group 19
crypto ikev2 policy policy1
proposal prop-1
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca
no crypto ikev2 diagnose error
no crypto ikev2 http-url cert
crypto ikev2 certificate-cache 750
crypto ikev2 fragmentation mtu 1400
crypto logging ikev2
crypto ipsec transform-set SEC esp-aes esp-sha256-hmac
crypto ipsec profile default
set transform-set SEC
set ikev2-profile default
interface Tunnel0
no ip address
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.11.42
tunnel protection ipsec profile default
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.40 255.255.255.0
duplex full
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.41 255.255.255.252
duplex full
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 192.168.2.0 255.255.255.0 Tunnel1
no cdp advertise-v2
control-plane
banner login ^CCPLEEEESE!^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
sntp server 192.168.1.3 version 3
end
------------------ show crypto tech-support ------------------
------------------ show crypto isakmp sa count ------------------
Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
------------------ show crypto ipsec sa count ------------------
IPsec SA total: 2, active: 2, rekeying: 0, unused: 0, invalid: 0
------------------ show crypto isakmp sa detail ------------------
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
IPv6 Crypto ISAKMP SA
------------------ show crypto ipsec sa detail ------------------
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.41
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.41/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.11.42/255.255.255.255/47/0)
current_peer 192.168.11.42 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
#pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.11.41, remote crypto endpt.: 192.168.11.42
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x1DF8CFFA(502845434)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF473CF2(3209116914)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181836/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DF8CFFA(502845434)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181837/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
------------------ show crypto session summary ------------------
------------------ show crypto session detail ------------------
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Uptime: 00:02:00
Session status: UP-ACTIVE
Peer: 192.168.11.42 port 500 fvrf: (none) ivrf: (none)
Phase1_id: cn=grumpy.csfc,c=us
Desc: (none)
IKEv2 SA: local 192.168.11.41/500 remote 192.168.11.42/500 Active
Capabilities:(none) connid:3 lifetime:23:58:00
IPSEC FLOW: permit 47 host 192.168.11.41 host 192.168.11.42
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 275 drop 0 life (KB/Sec) 4181836/3479
Outbound: #pkts enc'ed 271 drop 0 life (KB/Sec) 4181837/3479
------------------ show crypto isakmp peers ------------------
------------------ show crypto ruleset detail ------------------
Mtree:
199 VRF 0 11 192.168.11.41/500 ANY Forward, Forward
299 VRF 0 11 192.168.11.41/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
6553700000000000101 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Encrypt
6553700000000000199 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Discard/notify
------------------ show processes memory | include Crypto IKMP ------------------
260 0 5432 880 18424 3 3 Crypto IKMP
------------------ show processes cpu | include Crypto IKMP ------------------
260 0 6 0 0.00% 0.00% 0.00% 0 Crypto IKMP
------------------ show crypto eli ------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 3200 max, 0 failed
------------------ show cry engine accelerator statistic ------------------
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 1826 seconds ago
0 packets in 0 packets out
0 bytes in 0 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypted
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
------------------ show cry isakmp diagnose error ------------------
Exit Path Table - status: disable, current entry 0, deleted 0, max allow 10
------------------ show cry isakmp diagnose error count ------------------
Exit Trace counters
------------------ show crypto call admission statistics ------------------
Crypto Call Admission Control Statistics
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
sho ip int bri
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.1.40 YES NVRAM up up
GigabitEthernet0/1 192.168.11.41 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Tunnel0 unassigned YES unset up down
Tunnel1 192.168.100.1 YES NVRAM up up
happy#
happy#sho crypto pki cert verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3F51979A000000000012
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
Name: happy.csfc
cn=happy.csfc
c=us
CRL Distribution Points:
ldap:///CN=dc-ca,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=csfc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 18:52:56 UTC Mar 1 2013
end date: 18:52:56 UTC Mar 1 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: BF234623 9E7F2C73 EBE07B0A 9E89FC76
Fingerprint SHA1: DB8A8D50 23D9E2DD AC2ED2DC 5A857569 279F44D5
X509v3 extensions:
X509v3 Key Usage: C0000000
Digital Signature
Non Repudiation
X509v3 Subject Key ID: 2DCC8D55 4A4853C4 C03B3D24 00E3EA45 9406B5AE
X509v3 Authority Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
Authority Info Access:
Extended Key Usage:
1.3.6.1.5.5.8.2.2
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#12.cer
Key Label: happy.csfc.com
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2C8A76A7904BB4B341B3AAFA9ED387D3
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
cn=dc-ca
dc=csfc
dc=com
Validity Date:
start date: 15:28:45 UTC Jan 23 2013
end date: 15:38:44 UTC Jan 23 2018
--More-- Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: 1F937411 4DB57036 73D54124 E50E83FC
Fingerprint SHA1: E78FE0BF DF5F168A 67860C48 78EC427C 66FE551A
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#87D3CA.cer
happy#sho crypt key mypubkey all
% Key pair was generated at: 18:44:07 UTC Mar 1 2013
Key name: eckey
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 4200049A 28E9709A
2F81DEE9 9ED27787 B790D3B4 487B3F2D DBA06E95 43298A54 19A3B0B7 E9107223
5CB9F3CD 9D8BD0E9 9AB9FFC4 698C1912 CBADC469 9E7CD6D3 46E5A2
% Key pair was generated at: 18:49:21 UTC Mar 1 2013
Key name: happy.csfc.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 42000429 D4D8F89E
295BF7AF 826F86A3 F29DEF48 FCFFD237 4B0FD39C D393620D 3EFDD484 BFA43ED0
8E167FDF 839D0FF8 569026C0 545C1B56 EC177A2E 6C1D5D1A 6CD8DD
happy# sho crypto ike2 v2 session detail
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/339 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Child sa: local selector 192.168.11.41/0 - 192.168.11.41/65535
remote selector 192.168.11.42/0 - 192.168.11.42/65535
ESP spi in/out: 0xBF473CF2/0x1DF8CFFA
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
IPv6 Crypto IKEv2 Session
happy#sho crypto ikev2 session sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/386 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPv6 Crypto IKEv2 SA
happy#sho crypto ikev2 sa detail stats
Crypto IKEv2 SA Statistics
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 1000
Total IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 34 accepted: 34 rejected: 0
Outgoing IKEv2 Requests: 50 accepted: 50 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
happy#exit -
RV180 CSR is changed after reboot
I find that RV180 changes its CSR (cert signing request) after a reboot. This causes my cert to fail to upload.
Power up RV180
Create a CSR
View CSR (copy-n-paste into text file)
Power down RV180
Take CSR to Microsoft CA server to sign. Get cert in return.
Power up RV180
Upload cert. FAILED.
Open CSR in RV180.
Found CSR is different from that in step 3
If I change the workflow, it works:
Power up RV180
Create a CSR
View CSR (copy-n-paste into text file)
Take CSR to Microsoft CA server to sign. Get cert in return.
Upload cert. PASSED.
Open CSR in RV180.
Found CSR is same as that in step 3
The only difference in the two workflows is reboot the RV180. All this is happening on firmware 1.0.3.10.
On the out-of-the-box firmware 1.0.0.x, there is no issue.
CSR before reboot
-----BEGIN CERTIFICATE REQUEST-----
MIHJMHUCAQAwEDEOMAwGA1UEAxMFUlYxODAwXDANBgkqhkiG9w0BAQEFAANLADBI
AkEAz46n5j/6AtcVLzQdqMpf7QnyvdNk2nofmj2CZifRgMO2NMz+PWgZ+otipWmS
Yt+IJTxnB39BwLA01KFiouWwfQIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAMcPbJ
9CEKKIi8TU1a2GFB4QRoO37b+CE9Z386VbbFDzz+xgATJPP6eYwETvYmRBH1Ffhv
iqyv9JRMqts79l9W
-----END CERTIFICATE REQUEST-----
$ openssl req -text -noout -verify -in a.txt
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=RV180
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:cf:8e:a7:e6:3f:fa:02:d7:15:2f:34:1d:a8:ca:
5f:ed:09:f2:bd:d3:64:da:7a:1f:9a:3d:82:66:27:
d1:80:c3:b6:34:cc:fe:3d:68:19:fa:8b:62:a5:69:
92:62:df:88:25:3c:67:07:7f:41:c0:b0:34:d4:a1:
62:a2:e5:b0:7d
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
0c:70:f6:c9:f4:21:0a:28:88:bc:4d:4d:5a:d8:61:41:e1:04:
68:3b:7e:db:f8:21:3d:67:7f:3a:55:b6:c5:0f:3c:fe:c6:00:
13:24:f3:fa:79:8c:04:4e:f6:26:44:11:f5:15:f8:6f:8a:ac:
af:f4:94:4c:aa:db:3b:f6:5f:56
CSR after reboot
-----BEGIN CERTIFICATE REQUEST-----
MIHJMHUCAQAwEDEOMAwGA1UEAxMFUlYxODAwXDANBgkqhkiG9w0BAQEFAANLADBI
AkEAuVXZl+Y+eE7xQKoq9Zn2t+InYE+GCdbESZN2/tqSjY1s+dQ5cEnRKmVdN96Z
HOle0h8+MnT/kXqKn4KpzxZe0QIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAMCjHx
SwP6MG3x4ri/Ips69ZvHL/EGGozH0kw0FkTRvx5ZKK4DWhbFDC/DmVYXN4CR+m10
oHOZm2jfFRShD+OE
$ openssl req -text -noout -verify -in b.txt
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=RV180
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:b9:55:d9:97:e6:3e:78:4e:f1:40:aa:2a:f5:99:
f6:b7:e2:27:60:4f:86:09:d6:c4:49:93:76:fe:da:
92:8d:8d:6c:f9:d4:39:70:49:d1:2a:65:5d:37:de:
99:1c:e9:5e:d2:1f:3e:32:74:ff:91:7a:8a:9f:82:
a9:cf:16:5e:d1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
0c:0a:31:f1:4b:03:fa:30:6d:f1:e2:b8:bf:22:9b:3a:f5:9b:
c7:2f:f1:06:1a:8c:c7:d2:4c:34:16:44:d1:bf:1e:59:28:ae:
03:5a:16:c5:0c:2f:c3:99:56:17:37:80:91:fa:6d:74:a0:73:
99:9b:68:df:15:14:a1:0f:e3:84Hi ballerinasnoopy,
When you restored the device, it updated the iOS on the iPod to iOS 7. There is no way to go back to the old look. Sorry....
Cheers,
GB -
Hi I have done encryptionin bouncycastle algorithm but it tells the following error:
ERROR:
java.lang.NoClassDefFoundError: java/security/SecureRandom: Cannot create class in system package
PROGRAM:
import java.math.BigInteger;
import java.security.SecureRandom;
import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.encodings.PKCS1Encoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import javax.microedition.lcdui.*;
import javax.microedition.midlet.*;
public class Encryption extends MIDlet implements CommandListener
Form f = new Form("MyForm");
Command okCmd = new Command("Ok",Command.OK,1);
Command exitCmd = new Command("Exit",Command.EXIT,2);
private RSAPrivateCrtKeyParameters _RSAPrivateKey;
private RSAKeyParameters _RSAPublicKey;
public void startApp()
f.addCommand(okCmd);
f.addCommand(exitCmd);
f.setCommandListener(this);
Display.getDisplay(this).setCurrent(f);
public void pauseApp()
public void destroyApp(boolean unconditional)
public void commandAction(Command c, Displayable d)
if (c == okCmd)
functionCall();
if (c == exitCmd)
notifyDestroyed();
void functionCall()
String theStringBeforeEncryption = "String to encrypt";
String theStringAfterEncryption = null;
byte[] theEncryptedString;
try
System.out.println(theStringBeforeEncryption);
generateRSAKeyPair();
theEncryptedString = RSAEncrypt(theStringBeforeEncryption.getBytes());
theStringAfterEncryption = new String(RSADecrypt(theEncryptedString));
System.out.println(theStringAfterEncryption);
catch (Exception e)
// TODO Handle exception!
e.printStackTrace();
}//end of functionCall()
private void generateRSAKeyPair () throws Exception
SecureRandom theSecureRandom = new SecureRandom();
BigInteger thePublicExponent = new BigInteger("10001", 16);
RSAKeyGenerationParameters theRSAKeyGenParam =
new RSAKeyGenerationParameters(thePublicExponent, theSecureRandom, 1024, 80);
RSAKeyPairGenerator theRSAKeyPairGen = new RSAKeyPairGenerator();
theRSAKeyPairGen.init(theRSAKeyGenParam);
AsymmetricCipherKeyPair theKeyPair = theRSAKeyPairGen.generateKeyPair();
_RSAPrivateKey = (RSAPrivateCrtKeyParameters) theKeyPair.getPrivate();
_RSAPublicKey = (RSAKeyParameters) theKeyPair.getPublic();
private byte [] RSAEncrypt (byte [] toEncrypt) throws Exception
if (_RSAPublicKey == null)
throw new Exception("Please generate RSA keys first in order to work");
AsymmetricBlockCipher theEngine = new RSAEngine();
theEngine = new PKCS1Encoding(theEngine);
theEngine.init(true, _RSAPublicKey);
return theEngine.processBlock(toEncrypt, 0, toEncrypt.length);
private byte [] RSADecrypt (byte [] toDecrypt) throws Exception
if (_RSAPrivateKey == null)
throw new Exception("Please generate RSA keys first in order to work");
AsymmetricBlockCipher theEngine = new RSAEngine();
theEngine = new PKCS1Encoding(theEngine);
theEngine.init(false, _RSAPrivateKey);
return theEngine.processBlock(toDecrypt, 0, toDecrypt.length);
please Help me
Regards,
NelsonThere is no class by name "SecureRandom" in "java.security" package as far as CLDC/MIDP API's available for the application developer are concerned with.
May be you need to check out the alternative for SecureRandom class provided by the J2ME implementation of the BouncyCastle API.
~Mohan -
I am finding some information about the below things :
rsaEncryption OID:
RSA Exponent:
RSA Modules:
these are thinks are present in RSA public key. If someone have good answer please help me to share.As has been pointed out, typically one uses "block" or "stream" when discussing shared-key ciphers, not public-key ones. However, given the following from "Applied Cryptography," Schneier, p.189:
"Block ciphers operate on blocks of plaintext and ciphertext - usually of 64 bits but sometimes longer. Stream ciphers operate on streams of plaintext and ciphertext one bit or byte (sometimes even one 32-bit word) at a time."
Given this definition, RSA is definately a BLOCK cipher - it operates on a block of data (dependent on keysize) at a time, and produces a block of ciphertext as output.
Grant -
How to create a Certificate that gets validated by Mozilla
Hi,
I've written an application that enables it's user to act as a CA.
He can create Key-Paris, Certificates, sign Certificates and various other things.
Among them he is able to export any KeyStore-Entry (i.E. a Key-Pair) to a PKCS#12 file.
The problem that I am encountering here is, that Mozilla Browsers (i.E. Firefox) won't recognize the importet Certificate as a valid one. It says "The certificate couldn't be verified for unknown reason" (sorry, but I can't provide the exact error message because I use a localized build of firefox).
What I do in order to reproduce this Problem is basicly this:
- Create a Key-Pair
- Create a (self-signed) certificate from the Public-Key
- Store them as a PrivateKeyEntry in my KeyStore
- sign the certificate with my self-signed CA-Certificate
- export my CA-Certificate to Firefox
- export my PrivateKeyPair to a PKCS#12-File wich I import with Firefox
Any help would be greatly apreciated.(I would have appreciated it if you had pasted the certificate with the line-breaks, as required for PEM format certificates. Nevertheless...)
Your certificate shows why Mozilla will not recognize the self-signed certificate from keytool as a Root CA: it does not contain the SubjectKeyIdentifier or AuthorityKeyIdentifier extensions in them.
RFC3280 (http://www.ietf.org/rfc/rfc3280.txt) states the following:
Conforming CAs MUST support key identifiers (sections 4.2.1.1 and
4.2.1.2), basic constraints (section 4.2.1.10), key usage (section
4.2.1.3), and certificate policies (section 4.2.1.5) extensions.Implementors of software that handle digital certificates choose to implement PKIX standards in stages; Mozilla has implemented more PKIX standards than keytool does, so while keytool will recoginize a Mozilla (or other PKIX-compliant) CA certficate, almost no PKIX-conformant certificate-handling software will handle self-signed CA certs issued by keytool.
I would recommend you download something like EJBCA or OpenCA from sourceforge.net to create your self-signed CA. Ultimately, your CA certificate must look something like this (don't miss the SubjectKeyIdentifier and AuthorityKeyIdentifier extensions):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2b:d0:5f:b0:71:64:67:0e
Signature Algorithm: 1.2.840.113549.1.1.11
Issuer: CN=StrongKey DEMO Root CA, OU=For StrongKey DEMO Use Only, O=StrongAuth Inc
Validity
Not Before: Jul 25 16:02:17 2006 GMT
Not After : Jul 22 16:12:17 2016 GMT
Subject: CN=StrongKey DEMO Root CA, OU=For StrongKey DEMO Use Only, O=StrongAuth Inc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:88:42:9c:c0:40:1f:06:8a:f7:55:93:c5:35:4b:
54:38:58:61:9b:04:2b:61:07:44:05:76:42:f9:e8:
2d:b9:99:c5:84:16:b1:40:43:5b:06:ca:fc:9b:d4:
59:f7:d6:2e:28:78:63:12:09:58:9e:db:a2:91:c2:
58:b5:5b:1e:9f:5e:cd:57:bb:83:ec:10:85:45:c3:
ee:0e:f7:6a:71:63:95:5f:5c:ce:6c:fd:43:54:bd:
af:ef:63:ae:e3:37:18:44:7b:2c:a3:7f:8d:00:04:
9a:a4:7e:48:c9:9e:c6:de:65:40:17:f6:3e:58:3b:
b1:f2:a9:4b:61:fb:d7:52:b2:c7:7f:22:25:5b:53:
c3:0e:22:94:17:21:ce:82:c3:79:cd:96:9f:cd:7e:
b2:b5:f4:0a:38:ac:1a:2d:bb:21:66:b5:20:43:3d:
94:85:fa:2b:a7:53:88:43:bc:9b:03:d2:5e:4a:dc:
d0:90:ac:55:99:54:5c:34:d2:f0:8e:18:ff:ea:12:
14:da:7f:77:63:30:d1:75:77:f1:ef:ac:11:3a:48:
43:c3:d0:f9:bb:1e:07:f5:6e:da:c9:ab:88:ff:e2:
ad:b8:24:e6:b1:3a:88:14:69:0b:41:3e:b0:02:00:
61:b3:a0:43:b2:46:3a:b8:37:a8:c3:57:a6:db:71:
78:97:04:cf:19:e8:e8:5a:c9:1a:73:77:75:36:5e:
19:7b:f6:24:fa:2d:df:19:5c:5c:3d:a3:79:aa:81:
55:5b:34:4a:c5:7d:85:e5:d9:ee:5f:74:30:5f:23:
63:e9:45:49:5d:d6:ef:95:32:d3:2c:10:08:86:06:
be:79:3c:3c:f8:82:b7:37:2c:dd:59:66:96:fe:cf:
9a:60:58:23:a1:26:ff:16:f0:c9:55:bf:27:fc:af:
de:6a:11:da:9a:c8:65:77:e4:ca:b6:2f:d3:58:ef:
93:1b:34:de:3a:81:07:b7:12:b2:61:83:a2:77:fc:
f3:53:fc:c2:71:db:d2:97:c5:50:c8:34:e8:4e:54:
da:c3:fb:31:79:34:c2:eb:b3:e0:be:38:fc:1e:5c:
ca:04:13:83:9e:e3:b0:66:30:33:56:82:d6:dd:c9:
94:9d:3b:ca:10:f6:fc:99:05:e2:de:ca:0c:d6:6b:
60:a6:f8:29:fc:c4:18:82:ae:38:c2:9f:62:fe:3a:
66:da:8c:17:12:a1:24:4c:a3:a6:9b:7b:bb:54:b8:
da:ff:e2:81:a7:33:54:0b:17:ee:2a:db:d4:e3:1d:
42:23:c1:8b:01:9e:42:8f:da:62:7b:21:9a:1c:b6:
9c:f3:28:75:16:11:23:d0:42:65:cc:34:70:9e:f1:
04:00:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
82:05:B5:4B:E2:61:B0:C9:7A:6F:0F:D1:CC:A0:C3:62:FB:D2:5A:02
X509v3 Authority Key Identifier:
keyid:82:05:B5:4B:E2:61:B0:C9:7A:6F:0F:D1:CC:A0:C3:62:FB:D2:5A:02
X509v3 Certificate Policies:
Policy: 1.3.6.4.1.10514.509.1.4
Signature Algorithm: 1.2.840.113549.1.1.11
63:94:13:a9:6a:3b:a8:aa:34:e6:2b:0f:20:a9:55:d8:80:e8:
54:0f:6a:15:b0:76:91:0d:98:a4:75:f9:50:09:2e:cf:30:2e:
15:bc:21:c2:fe:f0:36:4b:60:7d:bb:b8:76:bd:9d:2b:d8:a5:
a6:e7:60:83:00:f3:9c:65:f1:f7:b8:16:f7:72:ab:70:d7:c4:
60:bf:fb:33:1e:67:e6:fa:a1:d0:23:5f:bf:69:fc:25:19:71:
5a:c1:41:a3:ab:9b:da:09:92:2c:ee:83:c2:de:61:3a:b2:a4:
c6:18:6d:dd:ef:77:2b:91:40:c5:9c:fb:61:66:f5:2d:4f:20:
5a:c5:b6:1b:08:4b:a4:18:a7:b4:86:07:e1:c8:c1:a7:e3:8f:
cf:01:4b:a4:a6:07:b3:65:5f:0a:1d:a1:7d:52:12:c3:43:8b:
72:16:75:78:0a:b0:39:8a:92:33:4b:0e:ef:a8:c1:33:2e:cc:
96:fd:a1:b1:2e:0b:1c:68:ff:fa:48:4f:43:60:32:a0:4f:9a:
c0:29:e3:66:b9:ce:cb:0b:99:67:c0:74:33:4f:9b:e3:db:68:
b9:ea:c2:67:f0:7a:db:88:93:7b:cf:5f:da:3b:ea:61:88:24:
e7:82:5e:ce:be:39:c3:de:03:b5:42:3b:b3:50:12:95:25:b9:
dc:7a:66:95:3b:97:6a:85:06:66:68:84:0f:3d:5b:93:de:2e:
44:2e:58:97:1b:8b:56:db:7a:27:58:fe:ad:3c:32:4e:09:f9:
60:2e:c0:3b:b4:80:53:04:41:ae:53:ff:b2:b7:f0:4d:72:9f:
8b:59:14:7f:cc:42:83:74:3a:08:1c:2a:ab:95:7e:8e:ee:51:
eb:2a:4c:82:5c:12:17:ec:22:92:93:22:62:55:36:91:6a:d7:
5b:55:2d:46:e7:d4:30:fd:d5:c4:87:be:ea:a9:2c:fe:ac:5b:
d7:51:fc:c7:4d:72:6a:f5:3e:40:ef:f7:63:8f:94:8c:95:f4:
0f:4d:b0:02:31:9a:86:5f:0c:ce:f0:de:18:92:a8:09:3b:f9:
3f:9b:95:5c:0e:ab:82:22:41:cc:7f:e2:83:d7:2f:cf:bc:1b:
d7:65:ce:c1:7f:42:8d:5e:36:00:d6:14:42:0b:52:9b:23:46:
5c:83:bb:ce:b8:e1:ac:43:b5:fb:c9:00:f7:cf:8d:2f:98:b8:
99:f0:fb:a8:3b:38:df:a5:19:c6:d7:a8:f8:aa:9a:4d:50:4f:
0a:f7:19:82:16:e0:92:6b:fc:47:a9:b3:c0:09:a4:ac:7b:8f:
15:aa:60:c6:f3:4f:fa:1d:17:5c:24:bc:5b:3b:3e:8b:28:48:
3d:26:c5:31:7e:f3:cb:36
-----BEGIN CERTIFICATE-----
MIIFvjCCA6agAwIBAgIIK9BfsHFkZw4wDQYJKoZIhvcNAQELBQAwYDEfMB0GA1UE
AxMWU3Ryb25nS2V5IERFTU8gUm9vdCBDQTEkMCIGA1UECxMbRm9yIFN0cm9uZ0tl
eSBERU1PIFVzZSBPbmx5MRcwFQYDVQQKEw5TdHJvbmdBdXRoIEluYzAeFw0wNjA3
MjUxNjAyMTdaFw0xNjA3MjIxNjEyMTdaMGAxHzAdBgNVBAMTFlN0cm9uZ0tleSBE
RU1PIFJvb3QgQ0ExJDAiBgNVBAsTG0ZvciBTdHJvbmdLZXkgREVNTyBVc2UgT25s
eTEXMBUGA1UEChMOU3Ryb25nQXV0aCBJbmMwggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQCIQpzAQB8GivdVk8U1S1Q4WGGbBCthB0QFdkL56C25mcWEFrFA
Q1sGyvyb1Fn31i4oeGMSCVie26KRwli1Wx6fXs1Xu4PsEIVFw+4O92pxY5VfXM5s
/UNUva/vY67jNxhEeyyjf40ABJqkfkjJnsbeZUAX9j5YO7HyqUth+9dSssd/IiVb
U8MOIpQXIc6Cw3nNlp/NfrK19Ao4rBotuyFmtSBDPZSF+iunU4hDvJsD0l5K3NCQ
rFWZVFw00vCOGP/qEhTaf3djMNF1d/HvrBE6SEPD0Pm7Hgf1btrJq4j/4q24JOax
OogUaQtBPrACAGGzoEOyRjq4N6jDV6bbcXiXBM8Z6OhayRpzd3U2Xhl79iT6Ld8Z
XFw9o3mqgVVbNErFfYXl2e5fdDBfI2PpRUld1u+VMtMsEAiGBr55PDz4grc3LN1Z
Zpb+z5pgWCOhJv8W8MlVvyf8r95qEdqayGV35Mq2L9NY75MbNN46gQe3ErJhg6J3
/PNT/MJx29KXxVDINOhOVNrD+zF5NMLrs+C+OPweXMoEE4Oe47BmMDNWgtbdyZSd
O8oQ9vyZBeLeygzWa2Cm+Cn8xBiCrjjCn2L+OmbajBcSoSRMo6abe7tUuNr/4oGn
M1QLF+4q29TjHUIjwYsBnkKP2mJ7IZoctpzzKHUWESPQQmXMNHCe8QQAdwIDAQAB
o3wwejAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU
ggW1S+JhsMl6bw/RzKDDYvvSWgIwHwYDVR0jBBgwFoAUggW1S+JhsMl6bw/RzKDD
YvvSWgIwFwYDVR0gBBAwDjAMBgorBgQB0hKDfQEEMA0GCSqGSIb3DQEBCwUAA4IC
AQBjlBOpajuoqjTmKw8gqVXYgOhUD2oVsHaRDZikdflQCS7PMC4VvCHC/vA2S2B9
u7h2vZ0r2KWm52CDAPOcZfH3uBb3cqtw18Rgv/szHmfm+qHQI1+/afwlGXFawUGj
q5vaCZIs7oPC3mE6sqTGGG3d73crkUDFnPthZvUtTyBaxbYbCEukGKe0hgfhyMGn
44/PAUukpgezZV8KHaF9UhLDQ4tyFnV4CrA5ipIzSw7vqMEzLsyW/aGxLgscaP/6
SE9DYDKgT5rAKeNmuc7LC5lnwHQzT5vj22i56sJn8HrbiJN7z1/aO+phiCTngl7O
vjnD3gO1QjuzUBKVJbncemaVO5dqhQZmaIQPPVuT3i5ELliXG4tW23onWP6tPDJO
CflgLsA7tIBTBEGuU/+yt/BNcp+LWRR/zEKDdDoIHCqrlX6O7lHrKkyCXBIX7CKS
kyJiVTaRatdbVS1G59Qw/dXEh77qqSz+rFvXUfzHTXJq9T5A7/djj5SMlfQPTbAC
MZqGXwzO8N4YkqgJO/k/m5VcDquCIkHMf+KD1y/PvBvXZc7Bf0KNXjYA1hRCC1Kb
I0Zcg7vOuOGsQ7X7yQD3z40vmLiZ8PuoOzjfpRnG16j4qppNUE8K9xmCFuCSa/xH
qbPACaSse48VqmDG80/6HRdcJLxbOz6LKEg9JsUxfvPLNg==
-----END CERTIFICATE-----BTW, why are you using a non-standard key-size of 1023 bits? -
Why this Verisign certificate is not automatically recognized ?
Hello,
We used java and JSSE to acces an https URL, with a 64 bit certificate, it's ok.
We try to use the new certificate 128 bit, it's KO.
We need to declare this new certificate with keytool in a keystore, and to add in the java program the reference to the keystore file.
Is it normal, why this new certificate is not automatically recognized in the cacerts ?
thanks for your response.
******* Old certificate ********************
Record ID: 14
Issuer Record ID: 4
Trusted: Yes
Version: 1
Issuer name: Secure Server Certification Authority
RSA Data Security, Inc.
US
Public key algorithm: rsaEncryption
Public key size: 1024
Signature algorithm: md5WithRsaEncryption
Issuer unique ID: None
Subject unique ID: None
Number of extensions: 0
******* New Certificate *************************
Record ID: 14
Issuer Record ID: 0
Trusted: Yes
Version: 3
Issuer name: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign
VeriSign International Server CA - Class 3
VeriSign, Inc.
VeriSign Trust Network
Public key algorithm: rsaEncryption
Public key size: 1024
Signature algorithm: md5WithRsaEncryption
Issuer unique ID: None
Subject unique ID: None
Number of extensions: 4
*****************************Hi,
we had the some problem.
The new certificate is Class 3 Version 3, but in the cacerts file is present only the Version 1.
The first solution was been to include our certificate in cacerts file and redistribute the cacert file to our clients (or click always in the alert pop-up). ORRIBLE!
The finally solution (i hope) is to set up correctly the web-server.
We have Apache 1.3.27 + mod-ssl. The installation of certificates has involved the only authenticated certificate file and private key. By the way there's another file that is not in use by default: the intermediate.crt file (in httpd.conf is indicated by tag SSLCACertificateFile). The intermediate.crt is distribuited by Verisign and it must be installed to solve the problem.
The difference is visible in Mozilla browser too.
I
Best Regards.
Rosas!! -
Symantec Class 3 Secure Server CA - G4
Even though I include this in the configuration profile, it still shows as not verified and the user always has to click Accept. I need to avoid that step using the configuration profiles for iPads. The cert 'Symantec Class 3 Secure Server CA - G4' is not currently listed in the IOS list of trusted certs but that shouldn't matter because I'm installing it manually via configuration profile. So what else am I missing? The cert is installed but they still have to click accept when connecting to the SSID.
iOS 8: List of available trusted root certificates - Apple SupportCertificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:35:ef:32:7c:44:07:34:8d:bd:9a:9e:e7:e2:1f:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Validity
Not Before: Jul 1 00:00:00 2014 GMT
Not After : Jul 2 23:59:59 2015 GMT
Subject: <redacted>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:<redacted>
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Authority Key Identifier:
keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF
X509v3 CRL Distribution Points:
Full Name:
URI:http://ss.symcb.com/ss.crl
Authority Information Access:
OCSP - URI:http://ss.symcd.com
CA Issuers - URI:http://ss.symcb.com/ss.crt
Signature Algorithm: sha256WithRSAEncryption -
Site to Site FlexVPN w/Certificates IOS 15.2
Has anyone been able to bring up a simple site to site IKEv2 IPSec VPN using the Microsoft AD CS on a Cisco ISR running IOS15.2?
We have not seen any examples of this type of configuration and have been trying to construct our configuration from the documentation.I've not used IKEv2 on Cisco IOS routers yet (done that on Checkpoint firewall); however, I've been using Cisco IOS 12.4(24)T4 with Microsoft AD Certificate Server 2003 server (do not use 2008) for site-2-site VPN. It is very simple. here is the process:
- install Windows 2003 with IIS and Certificate Server,
- install scep.exe on windows 2003. This will allow the router to communicate with the IIS server using scep protocol over port 80, do NOT use scep challenge password,
- configure the MS CS to immediately issue the certificate,
here is the step how to get the router to communicate with the microsoft CS:
crypto ca trustpoint exchange2010
enrollment retry count 5
enrollment retry period 3
enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
crl optional
crypto ca authenticate exchange2010
crypto ca enroll exchange2010
Now you can go ahead and configure site-2-site VPN, instead of using "authentication pre-share" under crypto isakmp policy, you just leave it blank, because by default, it will use PKI as default.
Easy right?
here is what you will see on the router during the certificate authentication and enrollment:
c3845(config)#do term mon
c3845(config)#crypto ca trustpoint exchange2010
c3845(ca-trustpoint)# enrollment retry count 5
c3845(ca-trustpoint)# enrollment retry period 3
c3845(ca-trustpoint)# enrollment url http://192.168.70.129:80/certsrv/mscep/mscep.dll
c3845(ca-trustpoint)# crl optional
c3845(ca-trustpoint)#crypto ca authenticate exchange2010
Certificate has the following attributes:
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c3845(config)#crypto ca enroll exchange2010
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: c3845
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose exchange2010' commandwill show the fingerprint.
c3845(config)#
*Nov 1 02:16:15.726: CRYPTO_PKI: Certificate Request Fingerprint MD5: 11C23B80 FE62AFCC 794A516F 001DD3F8
*Nov 1 02:16:15.726: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 31BF71AE 85379C32 A9F5E001 05B7D8AF 6E30DBA2
c3845(config)#
*Nov 1 02:16:17.254: %PKI-6-CERTRET: Certificate received from Certificate Authority
c3845(config)#
c3845(config)#
c3845(config)#end
c3845#
c3845#show crypto pki certificate verbose exchange2010
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 15899F1F00000000000F
Certificate Usage: General Purpose
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
Name: c3845
hostname=c3845
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 01:20:51 UTC Nov 1 2012
end date: 01:20:51 UTC Nov 1 2014
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: CDF71E9F 5E5B0560 A48A9E32 62996644
Fingerprint SHA1: 82F3E9F1 BBBB9115 32156714 4623FEB1 308AC8C5
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 72DC04D4 343115B0 2DAEFAEF 36F23D29 9D432382
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
c3845
X509v3 Authority Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
Authority Info Access:
Associated Trustpoints: exchange2010
Key Label: c3845
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 50271D7CD98632B74ABC894310D34244
Certificate Usage: Signature
Issuer:
cn=exchange2010
dc=exchange2010
dc=com
Subject:
cn=exchange2010
dc=exchange2010
dc=com
CRL Distribution Points:
ldap:///CN=exchange2010,CN=lab-exc2010-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=exchange2010,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://lab-exc2010-dc1.exchange2010.com/CertEnroll/exchange2010.crl
Validity Date:
start date: 01:45:14 UTC Oct 24 2012
end date: 01:54:43 UTC Oct 24 2019
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 54213BA2 8D41C3BF 683DE9D5 510ACB11
Fingerprint SHA1: ABA434E6 CE349335 CE912A32 B479D691 C1804FF9
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 060E0E2D 0498DB60 606151F5 E0F48DE8 27FAC550
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: exchange2010
c3845#
Maybe you are looking for
-
ITunes silently fails to launch in just my user account
I'm running Windows XP SP3 32-bit with an administrator level account, installing iTunes for the first time ever on any of my systems in order to use it with my new iPod touch 5th gen, only to find that after install it won't launch. Went through the
-
Registering MBean in Dispatcher node
Hi All, I am trying to figure out a way to register a customized StandardMBean in all cluster nodes. Unfortunately I don't manage to register my mbean in dispatcher MBeanServer as it doesn't have the MBean classloader. Currently I am registering th
-
How can I stop the iOs 6 - iOS 7 update on iPhone 4 when I've already started it?
Started an update on my iPhone 4 but I figured out after making that decision that I'd rather stay on iOs 6. What do I do now? If I connect my phone to wifi, it resumes the update automatically. I don't want the iOs 7 as most of the features don't wo
-
Hi all, I have an essbase cube with 2 dimensions related to time. Year and Time (that contains Qtr, Months and days). I'm working with OBIEE and would like to know if I can create 1 Time dimension that combines Year and Time so I can have: 2010 - QTR
-
User Exit Triggered during Campus Management Student admission data created
Hi Exports, This is jnana ranjan working as a campus management implementation project. Here we are impl student admission process workflow and i want trigger my event through user exit. I am new in user exit please guide me how to find user exit for