X509 RFC3820 Certificates

Hi,
I have used X509 certificates in conjunction with SAP web applications a number of times and have had little problem in getting them to work; however, I have come across a scenario whereby we now need to use X509 RFC3820 certificates. They differ in that they are signed by the end-entity certificate and not by the certificate authority (CA). Usually the proxy cert is presented along with the end-entity (vanilla) X.509 certificate and the chain is used for authentication as opposed to just the vanilla certificate.
Details of the standard are here http://www.ietf.org/rfc/rfc3820.txt
Does anyone know if these can be used in conjunction with SAP? Or what changes to the standard X509 certificate setup would be needed
Kind regards
Richard

Hi Rich,
just install the proxy (cert's) into the SAP system.
regards,
Patrick

Similar Messages

  • IPhone Mail app; IMAP; x509 client certificate?

    The title says it all really.
    I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
    As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!

    I think so.
    Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password in the gmail setup for mail.
    The problem is that when I hit next on that page, I get the message:
    "my name" is already added" and I cannot proceed.
    Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contact and Calendars setup.
    but, there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
    If I enter my gmail iChain password I get the same thing.
    If I do this in airplane mode (no connection to google) I also get the same.
    I talked to an apple care person who had me reset all my settings... still the same thing.
    I am trying to avoid a full reset of the iPhone, but that may be in the cards.
    Going to go to the apple store and ask there, but I am not hopeful.
    Barry

  • JWSDP 1.4 accepts only X509 v3 certificates?

    Hi!
    The sample keys and demos supplied with JWSDP 1.4 worked fine for me. I tried generating my own keys to use with SOAP encryption and I got the following exception:
    java.rmi.RemoteException: Expected Version 3 Certificate, found Version 1; nested exception is:
    com.sun.xml.wss.SecurityTokenException: Expected Version 3 Certificate, found Version 1
    I checked keytool's doc and it says that it can only generate v1 certificates (it is able to handle v1 through v3).
    Has anyone any suggestions as to what would be the easiest way to solve this (either by generating v3 certs easily or by forcing JWSDP to accept v1 certs)?
    Rgs,
    Panu

    I'll answer to myself if anyone else encounters the same problem: JWSDP 1.4 (or WSS to be more specific) indeed requires X509 v3 certs and keytool does not generate that version.
    One has to use other tools to generate them, for example openssl. After that Sun's pkcs12import is used to make them understood by Java environment.

  • X509 encoded certificate - is it really ASN.1?

    I can get a good Certificate from encoded bytes bcert
    ByteArrayInputStream bis = new ByteArrayInputStream(bcert);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate)cf.generateCertificate(bis);
    my question: is an encoded certificate (eg bcert) a good ASN.1 ?
    I can't decode with marben nor with codec.sourceforge
    Am I wasting my time looking for an ASN.1 decoder? anyway java decodes the bytes to a certificate just fine.

    I am giving up looking for ASN.1 decoders
    marben does NOT decode codec.sourceforge does NOT decode ViewBer does NOT decode
    I guess oughta look for DER decoders
    ASN1VE thinks it has decoded, but gives final element a bitstring 1022 which you might think was the public key,
    except it isn't
    and I believe the last item is 2.5.29.19 BasicConstraints 0402300 (java says so, and 0402300 << 2 = 1008C00 whereas my encoded ends in ...C08C0 notice some matching bits?
    I've been waiting since the 90's for X509 to get rational.
    Thanks Almighty that Java at least has come to the party.
    PS
    ASN1VE does display some objects which java says are CN C L O OU et al
    so it's not totally useless - maybe it has a DER switch?
    Edited by: 915773 on 14-Mar-2012 20:46

  • Subject Key Identifier of x509 v3 certificate

    Hi everyone,
    I have the following code I am using to extract the Subject Key Identifier from a X509 Certificate-
    byte[] subjectKeyIdentifier =
    cert.getExtensionValue("2.5.29.14");
    This returns the DER encoded Octet string. However I want the octet string excluding the encoding of the octet string prefix... How do I know the exact length of the prefix?
    appreciate any help,
    --Manveen

    if you use bouncycastle provider you can take advantage of the classes in org.bouncycastle.asn1 package.
    byte[] outer = cert.getExtensionValue("2.5.29.14");
    DERInputStream dis = new DERInputStream(new ByteArrayInputStream(outer));
    ASN1OctetString oc =(ASN1OctetString)dis.readObject();
    byte[] inner = oc.getOctets();
    If you want to take that to check in a certpath check or validation you might check posts like
    http://forums.java.sun.com/thread.jspa?threadID=633098
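
The prefix-length question above, and the earlier thread asking whether an encoded certificate is really ASN.1, both come down to DER's tag-length-value layout. The following is an added example, not code from the original posts: it parses the DER header by hand with the JDK only and removes both OCTET STRING layers that getExtensionValue("2.5.29.14") returns. The class and method names are hypothetical and the sample bytes are constructed.

```java
import java.util.Arrays;

/** Added example (hypothetical names): strip DER OCTET STRING headers without an ASN.1 library. */
public class DerOctetUnwrap {

    /** Returns the content bytes of the single DER OCTET STRING that fills the whole array. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2) {
            throw new IllegalArgumentException("too short for a DER header");
        }
        if ((der[0] & 0xFF) != 0x04) {          // universal, primitive, tag number 4
            throw new IllegalArgumentException("not an OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int headerLen;
        int contentLen;
        if (first < 0x80) {
            // Short form: the byte itself is the content length (0..127), header is 2 bytes.
            headerLen = 2;
            contentLen = first;
        } else {
            // Long form: low 7 bits give the number of length bytes that follow.
            int n = first & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n) {
                throw new IllegalArgumentException("indefinite, oversized or truncated length");
            }
            long len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            // DER (unlike BER) demands the shortest possible length encoding.
            if (len < 0x80 || (der[2] & 0xFF) == 0) {
                throw new IllegalArgumentException("non-minimal length, not valid DER");
            }
            if (len > Integer.MAX_VALUE) {
                throw new IllegalArgumentException("length too large");
            }
            headerLen = 2 + n;
            contentLen = (int) len;
        }
        if (der.length - headerLen != contentLen) {
            throw new IllegalArgumentException("length field does not match the data");
        }
        return Arrays.copyOfRange(der, headerLen, der.length);
    }

    /**
     * Takes the array returned by X509Certificate.getExtensionValue("2.5.29.14").
     * Layer 1 is the Extension.extnValue OCTET STRING wrapper; layer 2 is the
     * SubjectKeyIdentifier itself, which is also defined as an OCTET STRING.
     */
    static byte[] subjectKeyIdentifier(byte[] extensionValue) {
        byte[] extnValue = unwrapOctetString(extensionValue);
        return unwrapOctetString(extnValue);
    }

    public static void main(String[] args) {
        // Constructed sample: 04 16 | 04 14 | 20-byte key identifier.
        byte[] keyId = new byte[20];
        for (int i = 0; i < keyId.length; i++) {
            keyId[i] = (byte) (0xA0 + i);
        }
        byte[] sample = new byte[24];
        sample[0] = 0x04;
        sample[1] = 0x16;
        sample[2] = 0x04;
        sample[3] = 0x14;
        System.arraycopy(keyId, 0, sample, 4, keyId.length);

        byte[] raw = subjectKeyIdentifier(sample);
        System.out.println("key identifier bytes: " + raw.length
                + ", matches input: " + Arrays.equals(raw, keyId));

        // Constructed long-form case: 200 content bytes need the header 04 81 C8.
        byte[] big = new byte[3 + 200];
        big[0] = 0x04;
        big[1] = (byte) 0x81;
        big[2] = (byte) 0xC8;
        System.out.println("long-form content bytes: " + unwrapOctetString(big).length);
    }
}
```

The prefix is two bytes whenever the content is shorter than 128 bytes, which covers the usual 20-byte key identifier; the long-form branch is what makes a fixed offset unsafe for larger extension values.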

  • Digital Certificates purchase

    I want to use digital signatures for adobe forms for 1000 users.
    If I have to get X509 Client Certificates for 1000 users, what am I supposed to do? Shall I have to order all those client certificates from Entrust, or is there any other way?
    Thanks in advance
    Syam.
    Edited by: Shyam Thupurani on Feb 19, 2009 6:28 AM

    Hello,
    it is also possible that you use your own CA certificate to sign these documents. Or you try to get an intermediate certificate and you create the certificates signed by this intermediate certificate.
    It of course also depends on what you want to use these forms for.
    Kind regards,
    Dezso

  • Changing Administration Connector Certificate

    I have installed OUD using a CA issued certificate during installation using the --useJavaKeystore option and I see that the LDAPS connector is utilizing this certificate.  However the Administration Connector is still using a self-signed certificate.  I would like to replace this self-signed certificate with the CA issued certificate.  I tried finding instructions but all I found was this link (Managing Administration Traffic to the Server - Oracle Fusion Middleware Administration Guide for Oracle Unified Directo…) which had this small blurb: "You can manage the administration connector certificate using external tools, such as keytool."
    From doing a little digging I think I have come up with the correct sequence/steps to get this working.  Basically I have removed the admin-cert from the two keystores: /config/admin-truststore and /config/admin-keystore.  I then imported the keypair I created for the initial install.  I also changed the /config/admin-keystore.pin to match the pin I used when creating the keystore.
    This appears to be working but I would like to know if this is the correct method and if there would be any side effects to replacing the certificate used by the Administration Connector. 
    The exact steps I followed are below:
    Generate keypair and keystore: keytool -genkeypair -dname "CN=server-cert,dc=myorg" -alias server-cert -keyalg RSA -keypass 'myKeyPass' -storepass 'myKeyPass' -keystore mykeystore.jks
    Generate certificate request: keytool -certreq -alias server-cert -keystore mykeystore.jks -file myCertRequest.csr
    Obtain x509 server certificate from CA (server.crt) and root CA public Cert (rootca.crt)
    Import root CA cert into keystore: keytool -import -trustcacerts -alias root -file rootca.crt -keystore mykeystore.jks -storepass 'myKeyPass'
    Import CA issued certificate into keystore: keytool -import -trustcacerts -alias server-cert -file server.crt -keystore mykeystore.jks -storepass 'myKeyPass' -keypass 'myKeyPass'
    Change keystore password of default OUD Admin truststore: keytool -storepasswd -keystore $OUD_INSTANCE/config/admin-truststore -storepass 'contents of admin-keystore.pin' -new 'myKeyPass'
    Change keystore password of default OUD admin keystore: keytool -storepasswd -keystore $OUD_INSTANCE/config/admin-keystore -storepass 'contents of admin-keystore.pin' -new 'myKeyPass'
    Change clear text password file to the new keystore password: vim /$OUD_INSTANCE/config/admin-keystore.pin ## replace with new key [myKeyPass]
    Import root CA cert into default OUD admin truststore: keytool -import -trustcacerts -alias root -file rootca.crt -keystore $OUD_INSTANCE/config/admin-truststore -storepass 'myKeyPass'
    Import root CA cert into default OUD admin keystore: keytool -import -trustcacerts -alias root -file rootca.crt -keystore $OUD_INSTANCE/config/admin-keystore -storepass 'myKeyPass'
    Delete self-signed admin-cert from default OUD admin truststore: keytool -delete -alias admin-cert -keystore $OUD_INSTANCE/config/admin-truststore -storepass 'myKeyPass'
    Delete self-signed admin-cert from default OUD admin keystore: keytool -delete -alias admin-cert -keystore $OUD_INSTANCE/config/admin-keystore -storepass 'myKeyPass'
    Import CA issued keypair into default OUD Admin keystore: keytool -importkeystore -srckeystore mykeystore.jks -destkeystore $OUD_INSTANCE/config/admin-keystore -srcstorepass 'myKeyPass' -deststorepass 'myKeyPass' -srcalias server-cert -destalias admin-cert -srckeypass 'myKeyPass' -destkeypass 'myKeyPass'
    Import CA issued keypair into default OUD truststore: keytool -importkeystore -srckeystore mykeystore.jks -destkeystore $OUD_INSTANCE/config/admin-truststore -srcstorepass 'myKeyPass' -deststorepass 'myKeyPass' -srcalias server-cert -destalias admin-cert -srckeypass 'myKeyPass' -destkeypass 'myKeyPass'

    There is a report in sap in which you can create the ticket

  • Signing message with certificate: JCE, IAIK or similar in IBM SDK 5.0

    So, I'm in a very difficult problem.
    Using Java:
    I've an enterprise certificate (in .p12 format) altogether with its public key ("password" string). Also I've a text message which I've to sign in PKCS7 format. I've been reading a lot and I've realized that there's no STANDARD implementation to do what I want to do. There is the JCE/JCA API and the Certification API, but they are just API's, no implementation. Here are the facts:
    -I've to run the application in the IBM JDK 5.0 (AS400 system).
    -My application actually works in the SUN JDK 6.0 using the IAIK security provider, but not using JCE, it's very ugly code which I don't really know what it does, but it works. When I put it on the IBM JDK 5.0 it fails (java nullpointer blah blah).
    -IAIK Documentation says that it works on JDK 5.0. Yeah, it works, but in SUN implementation, not in IBM's.
    Today I don't know what the heck to do, really. What do you think it's the best solution?
    -Trying to make the IAIK code work in IBM SDK 5.0 by test-and-error method.
    -Trying to sign the message using JCE and the IBM JCE provider (this is what I'm actually trying to do). It would be very nice if somebody provides something to read about (I've read lot of IBM/SUN documentation and I couldn't find anything useful for now).
    -Trying to put the SUN JDK 6.0 in the AS400. This would be the easy solution but my bosses said that this is impossible and very dangerous, and additionally this wouldn't work.
    -Also I've another code which uses the BouncyCastle provider but this doesn't work. Would this be better to learn how to use? I prefer using standards, though.
    In conclusion:
    I've 4 security providers: IBM, SUN, IAIK and BouncyCastle (just IAIK works, and I need IBM), and
    I've 4 SDK's: IBM 5.0, IBM 6.0, SUN 5.0 and SUN 6.0 (just SUN/IBM 6.0 works, and I need IBM 5.0).
    I would like any documentation useful to read. I would provide any information which could be important to answer my question.

    But I hope this could fix it :(
    My last code:
    import java.io.ByteArrayOutputStream;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.Security;
    import java.security.cert.Certificate;
    import java.util.Date;
    import java.util.Enumeration;
    import iaik.asn1.*;
    import iaik.asn1.structures.*;
    import iaik.pkcs.pkcs7.*;
    import iaik.security.provider.IAIK;
    import iaik.utils.Base64OutputStream;

    // Class name taken from the stack trace (FirmadorIAIK.java).
    public class FirmadorIAIK {

        public static String firmar(String contenido, String certificado, String password)
                throws Exception {
            System.out.println(new Date() + ":: Signing using IAIK provider.");
            boolean dettached = true;
            boolean attributes = true;
            boolean CRLF = true;
            IAIK iaik = new IAIK();
            Security.addProvider(iaik);
            byte aByteInfoToSign[] = contenido.getBytes("UTF8");
            if (aByteInfoToSign == null)
                throw new IOException("Empty message.");
            byte digest[] = SHA1(aByteInfoToSign);
            String digestHEX = toHexString(digest);
            // Load the first key entry from the PKCS#12 file.
            KeyStore keystore = KeyStore.getInstance("PKCS12");
            FileInputStream fileinputstream = new FileInputStream(certificado);
            keystore.load(fileinputstream, password.toCharArray());
            String alias = null;
            Enumeration enumeration = keystore.aliases();
            if (enumeration.hasMoreElements())
                alias = enumeration.nextElement().toString();
            else
                throw new KeyStoreException("Firmador IAIK: Empty Keystore.");
            Certificate certificate = keystore.getCertificate(alias);
            PrivateKey privatekey = (PrivateKey) keystore.getKey(alias, password.toCharArray());
            /*
             * Declared absolutely to avoid incompatibilities between IAIK and Sun classes.
             */
            iaik.x509.X509Certificate ax509certificate[] = new iaik.x509.X509Certificate[1];
            ax509certificate[0] = new iaik.x509.X509Certificate(certificate.getEncoded());
            IssuerAndSerialNumber issuerandserialnumber = new IssuerAndSerialNumber(ax509certificate[0]);
            SignerInfo asignerinfo[] = new SignerInfo[1];
            asignerinfo[0] = new SignerInfo(issuerandserialnumber, AlgorithmID.sha1, AlgorithmID.rsaEncryption, privatekey);
            // Authenticated attributes: content type, signing time, capabilities, message digest.
            Attribute aattribute[] = new Attribute[4];
            aattribute[0] = new Attribute(ObjectID.contentType, new ASN1Object[] {
                ObjectID.pkcs7_data
            });
            aattribute[1] = new Attribute(ObjectID.signingTime, new ASN1Object[] {
                (new ChoiceOfTime()).toASN1Object()
            });
            ObjectID oid = new ObjectID("1.2.840.113549.3.2");
            SEQUENCE seqRC2 = new SEQUENCE();
            seqRC2.addComponent(oid, 0);
            seqRC2.addComponent(new INTEGER(40));
            SEQUENCE seqEncrypAlgoritmos = new SEQUENCE();
            seqEncrypAlgoritmos.addComponent(seqRC2);
            Attribute atributo = new Attribute(ObjectID.symmetricCapabilities,
                    new ASN1Object[] {seqEncrypAlgoritmos});
            aattribute[2] = atributo;
            aattribute[3] = new Attribute(ObjectID.messageDigest, new ASN1Object[]{ new OCTET_STRING(digest) });
            if (attributes)
                asignerinfo[0].setAuthenticatedAttributes(aattribute);
            byte byte0;
            if (dettached)
                byte0 = 2;
            else
                byte0 = 1;
            SignedData signeddata = new SignedData(digestHEX.getBytes(), byte0);
            signeddata.setCertificates(ax509certificate);
            signeddata.addSignerInfo(asignerinfo[0]);
            ContentInfo contentinfo = new ContentInfo(signeddata);
            if (!contentinfo.hasContent())
                throw new Exception("Couldn't create the sign");
            ByteArrayOutputStream result = new ByteArrayOutputStream();
            ByteArrayOutputStream source = new ByteArrayOutputStream();
            contentinfo.writeTo(source); // <-- here is the error (line 136)
            Base64OutputStream base64outputstream = new Base64OutputStream(result);
            base64outputstream.write(source.toByteArray());
            base64outputstream.flush();
            base64outputstream.close();
            String resFinal;
            if (CRLF)
                resFinal = result.toString();
            else
                resFinal = result.toString().replaceAll("[\r\n]+", "");
            // resFinal = sinCRLF(result.toString());
            if (resFinal.equals(""))
                throw new Exception("Couldn't create the sign");
            /*
             * Restore the Security variable.
             */
            Security.removeProvider(iaik.getName());
            return resFinal;
        }

        private static byte[] SHA1(byte abyte0[]) {
            try {
                MessageDigest messagedigest = MessageDigest.getInstance("SHA-1");
                byte abyte1[] = messagedigest.digest(abyte0);
                messagedigest.reset();
                return abyte1;
            } catch (NoSuchAlgorithmException nosuchalgorithmexception) {
                throw new Error("Configuration error", nosuchalgorithmexception);
            }
        }

        private static String toHexString(byte abyte0[]) {
            StringBuffer stringbuffer = new StringBuffer();
            int i = abyte0.length;
            for (int j = 0; j < i; j++)
                byte2hex(abyte0[j], stringbuffer);
            return stringbuffer.toString().toUpperCase();
        }

        private static void byte2hex(byte byte0, StringBuffer stringbuffer) {
            char ac[] = {
                '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
                'a', 'b', 'c', 'd', 'e', 'f'
            };
            int i = (byte0 & 0xf0) >> 4;   // high nibble
            int j = byte0 & 0xf;           // low nibble
            stringbuffer.append(ac[i]);
            stringbuffer.append(ac[j]);
        }
    }
    Using the IBM SDK 5.0, the error:
    iaik.pkcs.PKCSException: iaik.asn1.CodingException: iaik.asn1.CodingException: Unable to encrypt digest: No installed provider supports this key: (null)
         at iaik.pkcs.pkcs7.SignedData.toASN1Object(Unknown Source)
         at iaik.pkcs.pkcs7.SignedDataStream.toASN1Object(Unknown Source)
         at iaik.pkcs.pkcs7.ContentInfo.toASN1Object(Unknown Source)
         at iaik.pkcs.pkcs7.ContentInfo.writeTo(Unknown Source)
         at aeat.FirmadorIAIK.firmar(FirmadorIAIK.java:136)
    ... more irrelevant data...

  • Installing wildcard certificate - error

    Hello guys,
    I'm not quite sure do I post within the right thread so please correct me if I'm wrong.
    Anyway, the problem is as subject says - Problem with installation of wildcard certificate on Cisco ASA 5520 (VPN Plus license). Software version is  8.2(2).
    I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. Certificate provider is Geo Trust.
    The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the sub-ordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says that "WARNING: Trustpoint GeoTrustRA is already authenticated." (this happens when I try to install the sub-ordinate CA, which stays in between Root CA and my certificate, within the same trustpoint as RootCA certificate).
    The second problem is the actual problem however. When I try to install the wildcard certificate, using ASDM, I got the following error: (actually I did intentionally type the wrong password and I receive absolutely the same error)
    Here is the setup of CA. As you can see, both certificates which must rely on the same trustpoint as chain, are divided in two trustpoint configurations:
    I tried to debug crypto ca 255 but there is nothing interesting within the log file.
    If I try to add the Sub-ordinate certificate within the trustpoint where Root CA is installed, I got the following error:
    When I try to manually install the wildcard certificate from CLI (It's in BASE-64 format), I do receive the following error:
    CLI Issue
    vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here
    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN CERTIFICATE-----
    MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
    [cut]
    RPg4gnOGlySGVA==
    -----END CERTIFICATE-----
    quit
    ERROR: Import PKCS12 operation failed
    Any thoughts, ideas, questions or whatever are more than welcome!

    Hi there,
    I just wanted to tell you that I have found the solution for this case. It appears that the wildcard certificate had been enrolled without the State ("ST") attribute of the x509.3 certificate. The issuer (GeoTrust) refused to enroll it again even though we had supplied that information and it was completely their fault. Anyway, we changed the issuer and now everything is just fine.
    Sent from Cisco Technical Support iPad App

  • How to convert a certificate from byte[] type back to its original type

    I am working on transferring a Certificate through the network using a socket. After using
    Certificate.getEncoded() to convert it into byte[] type, I send it through the network, but
    at the receiver side, I don't know how to convert the byte[] format back to the
    Certificate. Or is there a better way to transfer a Certificate as a file through
    a socket?

    If it is an X509 one:
    Certificates are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 certificate:
    InputStream inStream = new FileInputStream("fileName-of-cert");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
    inStream.close();
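
For the byte[] case asked about in the question, the same CertificateFactory call works on a ByteArrayInputStream. The following is an added example, not code from either poster: it sends the DER bytes with a length prefix and rebuilds the certificate on the receiving side. The class name, the MAX_CERT_BYTES limit, the in-memory stream standing in for the socket, and the use of the JVM's default trust store as a source of a sample certificate are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertOverStream {
    // Assumed upper bound: refuse to allocate whatever size an untrusted peer announces.
    static final int MAX_CERT_BYTES = 64 * 1024;

    /** Sender: write a 4-byte length followed by the DER encoding. */
    static void send(OutputStream out, Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        DataOutputStream dos = new DataOutputStream(out);
        dos.writeInt(der.length);
        dos.write(der);
        dos.flush();
    }

    /** Receiver: read exactly one framed certificate and parse it. */
    static X509Certificate receive(InputStream in) throws Exception {
        DataInputStream dis = new DataInputStream(in);
        int len = dis.readInt();
        if (len <= 0 || len > MAX_CERT_BYTES) {
            throw new IOException("implausible certificate length: " + len);
        }
        byte[] der = new byte[len];
        dis.readFully(der); // a plain read() may return fewer bytes than requested
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Parsing only shows the bytes are a well-formed certificate. Whether to
        // trust it is a separate decision (path validation, e.g. CertPathValidator).
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Sample input: any certificate from the JVM's default trust store. */
    static X509Certificate sampleCertificate() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                if (issuers.length > 0) {
                    return issuers[0];
                }
            }
        }
        throw new IllegalStateException("no certificate in the default trust store");
    }

    public static void main(String[] args) throws Exception {
        X509Certificate original = sampleCertificate();
        // Stands in for socket.getOutputStream() / socket.getInputStream().
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        send(wire, original);
        X509Certificate copy = receive(new ByteArrayInputStream(wire.toByteArray()));
        System.out.println("subject:   " + copy.getSubjectX500Principal());
        System.out.println("identical: "
                + Arrays.equals(original.getEncoded(), copy.getEncoded()));
    }
}
```

The encoded bytes must travel as bytes; converting them to a String on the way corrupts every byte that is not valid text in the chosen charset.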

  • 2nd try - DPS 7 dpadm add-virtual-transformation not working as expected

    I use DPS 7.0 B2009.1104.2146 on RHEL 4 update 8. (32 bits)
    I have an LDAP back-end where X509 user certificates are stored in either the usercertificate;binary attribute or the certAuth;binary attribute.
    I want my DPS to authenticate users thanks to their personal certificate, with SASL external BIND method. So, I need DPS 7 to be able to
    search the user certificate in two different attributes.
    Since it's not possible (the cert-search-user-attr property is single-valued, unfortunately), I've tried to set up a virtual transformation, to
    have both physical attribute values in a single virtual attribute.
    The problem is that both physical attributes have the ";binary" qualifier and DPS doesn't seem to like it.
    When searching for the virtual attribute through DPS, DPS creates and returns it, but I get garbage/wrong values:
    Transformation configuration:
    -bash-3.00$ dpconf get-virtual-transformation-prop vue-P0 mapping_add-attr_certauth
    action : add-attr
    attr-name : certauth;binary
    internal-value : none
    model : mapping
    view-value : ${usercertificate;binary}
    LDAP search straight to the LDAP back-end:
    -bash-3.00$ ldapsearch -p myport -h myldaphost -b "dc=my namingcontext" cn=sslconnect
    version: 1
    dn: cn=sslconnect.gip-cps.fr,......
    objectClass: top
    cn: sslconnect
    userCertificate;binary:: MIIC/zCCAmigAwIBAgIQMDAwMTIwNzkwMEDUnWNGsjANBgkqhkiG
    9w0BAQUFADA/MQswCQYDVQQGEwJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUMRkwFwYDVQQLExBB
    Qy1DTEFTU0UtNC1URVNUMB4XDTA5MDUyODA4NDMyOFoXDTEyMDUyODA4NDMyOFowazELMAkGA1UE
    LDAP search through the DPS 7 server:
    -bash-3.00$ ldapsearch -p 1389 -b "dc=my namingcontext" cn=sslconnect
    version: 1
    dn: cn=sslconnect
    objectClass: top
    cn: sslconnect
    userCertificate;binary:: MIIC/zCCAmigAwIBAgIQMDAwMTIwNzkwMEDUnWNGsjANBgkqhkiG
    9w0BAQUFADA/MQswCQYDVQQGEwJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUMRkwFwYDVQQLExBB
    Qy1DTEFTU0UtNC1URVNUMB4XDTA5MDUyODA4NDMyOFoXDTEyMDUyODA4NDMyOFowazELMAkGA1UE
    certauth;binary:: MO+/vQLvv70w77+9Amjvv70DAgECAhAwMDAxMjA3OTAwQNSdY0bvv70wDQY
    JKu+/vUjvv73vv70NAQEFBQAwPzELMAkGA1UEBhMCRlIxFTATBgNVBAoTDEdJUC1DUFMtVEVTVDE
    ZMBcGA1UECxMQQUMtQ0xBU1NFLTQtVEVTVDAeFw0wOTA1MjgwODQzMjhaFw0xMjA1MjgwODQzMjh
    aMGsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQKEwRURVNUMRMwEQYDVQQHFApQYXJpcyAoNzUpMRgwFgY
    DVQQLEw8zMTgwMDMwMDA5MDAwMzkxHjAcBgNVBAMTFXNzbGNvbm5lY3QuZ2lwLWNwcy5mcjDvv73
    vv70wDQYJKu+/vUjvv73vv70NAQEBBQAD77+977+9ADDvv73vv70C77+977+9AO+/vQAW77+9VC7
    vv71Bfe+/vRjvv71JNHIELu+/vSB+77+9Pu+/vTbvv73vv71R77+9Fm9ic++/ve+/vSVgS++/vUz
    vv71M77+9NO+/vQrvv71Yae+/vTgv77+9dw0+77+9cO+/vSLvv71wPCrvv71YUu+/vTEbYe+/ve+
    /vTlK77+9Pu+/vci477+9dmo8T++/ve+/ve+/ve+/vRxU77+9K++/vRjvv73vv73vv71J77+977+
    9CwXvv73vv70xdCIc35rvv73vv73vv73Iku+/ve+/vWbvv73vv73vv71n77+977+9AgMBAAHvv73
    ...
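
A diagnostic for the two values in the search output above, as an added example that is not part of the original post: the certauth;binary value is full of the byte sequence EF BF BD (base64 "77+9"), which is the UTF-8 encoding of U+FFFD, the replacement character. The code checks the DER header of each value and shows that pushing the leading bytes of userCertificate;binary through a UTF-8 string conversion reproduces the leading bytes of certauth;binary. That the proxy performs such a conversion is an inference from the bytes, not something the post states; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class BinaryAttrCheck {
    // Leading base64 characters of the two attribute values in the output above.
    static final String GOOD_PREFIX = "MIIC/zCCAmigAwIBAgIQMDAw";
    static final String BAD_PREFIX = "MO+/vQLvv70w77+9Amjvv70DAgECAhAw";

    /** Assumed failure mode: binary data decoded as UTF-8 text, then re-encoded. */
    static byte[] roundTripAsUtf8(byte[] raw) {
        return new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
    }

    /** Counts EF BF BD sequences (U+FFFD in UTF-8). */
    static int countReplacementChars(byte[] b) {
        int n = 0;
        for (int i = 0; i + 2 < b.length; i++) {
            if ((b[i] & 0xFF) == 0xEF && (b[i + 1] & 0xFF) == 0xBF
                    && (b[i + 2] & 0xFF) == 0xBD) {
                n++;
                i += 2;
            }
        }
        return n;
    }

    /** Declared content length of a DER SEQUENCE header, or -1 if the header is invalid. */
    static long derSequenceLength(byte[] b) {
        if (b.length < 2 || (b[0] & 0xFF) != 0x30) {
            return -1;
        }
        int first = b[1] & 0xFF;
        if (first < 0x80) {
            return first; // short form
        }
        int n = first & 0x7F; // long form: number of length octets
        if (n == 0 || n > 4 || b.length < 2 + n) {
            return -1;
        }
        long len = 0;
        for (int i = 0; i < n; i++) {
            len = (len << 8) | (b[2 + i] & 0xFF);
        }
        return len;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02X ", x & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        byte[] good = Base64.getDecoder().decode(GOOD_PREFIX);
        byte[] bad = Base64.getDecoder().decode(BAD_PREFIX);
        // Truncate the simulated result to the length of the observed prefix.
        byte[] simulated = Arrays.copyOf(roundTripAsUtf8(good), bad.length);

        System.out.println("userCertificate: " + hex(good));
        System.out.println("certauth:        " + hex(bad));
        System.out.println("DER length (userCertificate): " + derSequenceLength(good));
        System.out.println("DER length (certauth):        " + derSequenceLength(bad));
        System.out.println("U+FFFD sequences in certauth: " + countReplacementChars(bad));
        System.out.println("round trip reproduces certauth: " + Arrays.equals(simulated, bad));
    }
}
```

The header check is the stronger signal: a value that no longer starts with a valid DER SEQUENCE length cannot be parsed as a certificate, so a certificate lookup against that attribute has nothing to match.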

    Hi there
    I'm having exactly the same problem here (AIR 3.6, Flash Builder 4.7). But somehow I don't really feel comfortable to write my own LocalizationManager when there's a built-in solution around. So I'm still trying to find the problem.
    I noticed that when I update the compiler argument (-locale=en_US,de_DE ), the ResourceManager *sometimes* switches the language, but somehow randomly and definitely not based on the value set for localeChain.
    Furthermore, ResourceManager.getInstance().getLocales() does not return anything.
    The strange thing: Even when I do not include the localization resources ('locale/{locale}' in ActionScript Build Path -> Source Path) the resources in 'locale/en_US' or 'locale/de_DE' are available to the ResourceManager.
    Anyone with similar experiences?
    I'm grateful for any hint!

  • Exception in thread "Thread-4" java.lang.IllegalAccessError

    Hi All,
    I am getting this error at run-time while trying to run below code
    Exception in thread "Thread-4" java.lang.IllegalAccessError
    CODE:
    ================================
    /*
     * FileName : UMAC.java
     * Program Details : For getting Signed data.
     * Invoked From : SignedDataImpl.java
     */
    package sfmsbr.bankapi;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.InvalidKeyException;
    import java.security.Key;
    import java.security.KeyPair;
    import java.security.KeyStore;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.Signature;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.util.Date;
    import java.util.Enumeration;
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.NoSuchPaddingException;
    import com.ibm.misc.BASE64Decoder;
    import com.ibm.misc.BASE64Encoder;
    import sun.security.pkcs.ContentInfo;
    import sun.security.pkcs.PKCS7;
    import sun.security.pkcs.PKCS9Attribute;
    import sun.security.pkcs.PKCS9Attributes;
    import sun.security.pkcs.SignerInfo;
    import com.ibm.security.util.DerOutputStream;
    /*import sun.security.x509.AlgorithmId;*/
    import com.ibm.security.x509.AlgorithmId;
    /*import sun.security.x509.X500Name;*/
    import com.ibm.security.x509.X500Name;
    /*import com.ibm.jsse.IBMJSSEProvider;*/
    import org.apache.harmony.security.asn1.DerInputStream;
    import com.cs.common.Utilities;
    import com.sun.net.ssl.internal.ssl.Provider;
    /*import javax.net.ssl.*;*/
    import sun.security.pkcs.*;

    public class UMAC
    {
        private static String storetype = null;
        private static String storepath = null;
        private static char keyPassword[] = null;
        private static char filePassword[] = null;
        private static String alias = null;
        private static X509Certificate x509 = null;
        private static Certificate certs[] = null;
        private static final String digestAlgorithm = "SHA256";
        private static final String signingAlgorithm = "SHA256withRSA";
        private static Key key = null;
        private static KeyPair pair = null;
        private static KeyStore keystore = null;
        private static PrivateKey priv = null;
        private static PublicKey pub = null;
        private static String signedData = null;
        File certificateFile;
        private static String fileName = "";
        private static final String ALGORITHM = "PBEWithSHA256AndDes";
        private String characterEncoding;
        private Cipher encryptCipher;
        private Cipher decryptCipher;
        private BASE64Encoder base64Encoder = new BASE64Encoder();
        private BASE64Decoder base64Decoder = new BASE64Decoder();

        /**
         * Constructor to initialize the Parameters used
         * @param s file name/path
         * @param s1 is file password
         * @param s2 is key password
         * @param s3 is alias name
         * @throws IOException
         */
        public UMAC(String s, String s1, String s2, String s3) throws IOException
        {
            try {
                String dkeyPassword = Utilities.decodeDBPwd(s2);
                String dFilePassword = Utilities.decodeDBPwd(s1);
                keyPassword = (new String(dkeyPassword)).toCharArray();
                filePassword = (new String(dFilePassword)).toCharArray();
                alias = s3;
                fileName = s;
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        /**
         * method will prepare the digital signature for the message received as argument and returns the digital signature
         * @param s the message to prepare signed data
         * @return signed data prepard for the message received
         * @throws NoSuchAlgorithmException
         * @throws InvalidKeyException
         * @throws IllegalBlockSizeException
         * @throws NoSuchProviderException
         * @throws BadPaddingException
         * @throws NoSuchPaddingException
         * @throws Exception
         */
        public String getSingedData(String s) throws NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, NoSuchProviderException, BadPaddingException, NoSuchPaddingException, Exception
        {
            Security.addProvider(new Provider()); // addProvider(Provider provider).. Adds a provider to the next position available.
            System.out.println("reached here a");
            certificateFile = new File(fileName);
            /*keystore = KeyStore.getInstance("pkcs12", "SunJSSE");*/
            keystore = KeyStore.getInstance("pkcs12", "IBMJCE");
            System.out.println("reached here b");
            BASE64Encoder base64encoder = new BASE64Encoder();
            System.out.println("reached here ba");
            keystore.load(new FileInputStream(certificateFile), filePassword);
            System.out.println("reached here bb");
            Enumeration enumeration = keystore.aliases();
            do {
                if(!enumeration.hasMoreElements())
                    break;
                String s1 = enumeration.nextElement().toString();
                if(keystore.isKeyEntry(s1))
                    alias = s1;
            } while(true);
            System.out.println("reached here c");
            pair = getPrivateKey(keystore, alias, keyPassword);
            priv = pair.getPrivate();
            String s2 = base64encoder.encode(priv.getEncoded());
            if(keystore.isKeyEntry(alias))
            {
                certs = keystore.getCertificateChain(alias);
                if(certs[0] instanceof X509Certificate)
                    x509 = (X509Certificate)certs[0];
                if(certs[certs.length - 1] instanceof X509Certificate)
                    x509 = (X509Certificate)certs[certs.length - 1];
            } else
            if(keystore.isCertificateEntry(alias))
            {
                Certificate certificate = keystore.getCertificate(alias);
                if(certificate instanceof X509Certificate)
                    x509 = (X509Certificate)certificate;
                certs = (new Certificate[] {
                    x509
                });
            } else {
                throw new Exception(alias + " Wrong alias, Please Check");
            }
            AlgorithmId aalgorithmid[] = {
                AlgorithmId.get("SHA256")
            };
            byte abyte0[] = s.getBytes("UTF8");
            System.out.println("reached here d");
            MessageDigest messagedigest = MessageDigest.getInstance("SHA256");
            messagedigest.update(abyte0);
            byte abyte1[] = messagedigest.digest();
            PKCS9Attribute apkcs9attribute[] = {
                new PKCS9Attribute(PKCS9Attribute.CONTENT_TYPE_OID, ContentInfo.DATA_OID), new PKCS9Attribute(PKCS9Attribute.SIGNING_TIME_OID, new Date()), new PKCS9Attribute(PKCS9Attribute.MESSAGE_DIGEST_OID, abyte1)
            };
            PKCS9Attributes pkcs9attributes = new PKCS9Attributes(apkcs9attribute);
            Signature signature = Signature.getInstance("SHA256withRSA", "SunJSSE");
            signature.initSign(priv);
            signature.update(pkcs9attributes.getDerEncoding());
            byte abyte2[] = signature.sign();
            ContentInfo contentinfo = null;
            contentinfo = new ContentInfo(ContentInfo.DATA_OID, null);
            X509Certificate ax509certificate[] = {
                x509
            };
            java.math.BigInteger biginteger = x509.getSerialNumber();
            SignerInfo signerinfo = new SignerInfo(new X500Name(x509.getIssuerDN().getName()), biginteger, AlgorithmId.get("SHA256"), pkcs9attributes, new AlgorithmId(AlgorithmId.RSAEncryption_oid), abyte2, null);
            SignerInfo asignerinfo[] = {
                signerinfo
            };
            PKCS7 pkcs7 = new PKCS7(aalgorithmid, contentinfo, ax509certificate, asignerinfo);
            DerOutputStream deroutputstream = new DerOutputStream();
            pkcs7.encodeSignedData(deroutputstream);
            byte abyte3[] = deroutputstream.toByteArray();
            String s3 = new String(abyte3);
            BASE64Encoder base64encoder1 = new BASE64Encoder();
            String s4 = base64encoder1.encodeBuffer(abyte3);
            BASE64Decoder base64decoder = new BASE64Decoder();
            System.out.println("reached here e");
            byte abyte4[] = base64decoder.decodeBuffer(s4);
            PKCS7 pkcs7_1 = new PKCS7(abyte4);
            SignerInfo asignerinfo1[] = null;
            if(pkcs7_1.getContentInfo().getContentBytes() == null)
            {
                byte abyte5[] = s.getBytes("UTF8");
                asignerinfo1 = pkcs7_1.verify(abyte5);
            } else
            {
                asignerinfo1 = pkcs7.verify();
            }
            if(asignerinfo1 == null) {
                throw new Exception("Signature failed verification, data has been tampered");
            } else {
                Utilities.log(3, "asignerinfo1 is not null Verification OK>>" + new Date(System.currentTimeMillis()), "UMAC", "run");
                return s4;
            }
        }

        /**
         * gets the private key for opening the signing file
         * @param keystore1
         * @param s is file path
         * @param ac
         * @return keypair
         * @throws Exception
         */
        public KeyPair getPrivateKey(KeyStore keystore1, String s, char ac[]) throws Exception
        {
            PublicKey publickey;
            System.out.println("inside UMAC.getPrivateKey");
            key = keystore1.getKey(s, ac);
            System.out.println("key --->" +key);
            if(!(key instanceof PrivateKey))
                return null;
            Certificate certificate = keystore1.getCertificate(s);
            publickey = certificate.getPublicKey();
            System.out.println("Returning from UMAC.getPrivateKey : publickey is --->" +publickey);
            return new KeyPair(publickey, (PrivateKey)key);
        }
    }
    ===========================================
    It's compiling properly but at run-time it's showing below error
    OUTPUT:
    ===========================================
    reached here a
    reached here b
    reached here ba
    Exception in thread "Thread-4" java.lang.IllegalAccessError
    at sun.security.util.DerInputStream.init(Unknown Source)
    at sun.security.util.DerInputStream.<init>(Unknown Source)
    at sun.security.rsa.RSAPublicKeyImpl.parseKeyBits(Unknown Source)
    at sun.security.x509.X509Key.decode(X509Key.java:396)
    at sun.security.x509.X509Key.decode(X509Key.java:408)
    at sun.security.rsa.RSAPublicKeyImpl.<init>(Unknown Source)
    at sun.security.rsa.RSAKeyFactory.generatePublic(Unknown Source)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(Unknown Source)
    at java.security.KeyFactory.generatePublic(KeyFactory.java:145)
    at com.ibm.security.x509.X509Key.buildX509Key(X509Key.java:278)
    at com.ibm.security.x509.X509Key.parse(X509Key.java:189)
    at com.ibm.security.x509.X509Key.parse(X509Key.java:215)
    at com.ibm.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:112)
    at com.ibm.security.x509.X509CertInfo.parse(X509CertInfo.java:966)
    at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:236)
    at com.ibm.security.x509.X509CertInfo.<init>(X509CertInfo.java:222)
    at com.ibm.security.x509.X509CertImpl.parse(X509CertImpl.java:2285)
    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:227)
    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:213)
    at com.ibm.security.pkcs12.CertBag.decode(CertBag.java:599)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:251)
    at com.ibm.security.pkcs12.CertBag.<init>(CertBag.java:76)
    at com.ibm.security.pkcs12.BasicPFX.getCertificates(BasicPFX.java:1422)
    at com.ibm.security.pkcs12.PFX.getCertificates(PFX.java:549)
    at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(KeyStore.java:414)
    at sfmsbr.bankapi.UMAC.getSingedData(UMAC.java:137)
    at sfmsbr.bankapi.SignedDataImpl.getSingedData(SignedDataImpl.java:42)
    at com.cs.sfms.SFMSMessageSender.run(SFMSMessageSender.java:226)
    at java.lang.Thread.run(Thread.java:736)
    18:10:05 10-Feb-2012 AFTER JAVA Execution
    Please share your valuable inputs to resolve this
    Regards,
    Haris

    java version
    java version "1.6.0"
    Java(TM) 2 Runtime Environment, Standard Edition (build pap32devifx-20110211b (SR12 FP3 +IZ94331))
    IBM J9 VM (build 2.3, J2RE 1.6.0 IBM J9 2.3 AIX ppc-32 j9vmap3223ifx-20101130 (JIT enabled)
    J9VM - 20101129_69669_bHdSMr
    JIT - 20100623_16197ifx1_r8
    GC - 20100211_AA)
    JCL - 20110208
    Regards
    Haris
    Edited by: user12848704 on Feb 10, 2012 3:27 AM

  • JDeveloper is acting weird

    Hey guys,
    I am still trying to get used to JDeveloper but unfortunately its various bugs, such as the automatic deletion of java and jsp files and now this is rather annoying. So I have been playing around with the creation of web services from a Java class file and the IDE is great and very fast in creating what I need through the wizard. It all works fine, compiles, deploys and runs. Voila! But after changing a few things around in the web service and recompiling and editing and some more changes etc, as the project gets more and more updates as in the security settings of the web service and gets redeployed, what happens is that when you click on the web service node and in the structure window, it shows the contents of the web service like the WSDL, the Java classes etc, it starts duplicating, and even triplicating in the view. One time at least in the structure window it showed each file 5 times! I restarted the IDE and it went back to normal. Am I doing something wrong?
    Also another thing, when I enter the keystore information for web service encryption and digital signatures and so on for the WS security, if I want to revert back to the state where I just had username and password authentication and nothing else, it won't let me. It keeps asking me for the keystore. Apparently it seems that the xml file that has the configuration information for the security doesn't get changed even though I disable all the security options except just username and password textual identification setting. I hope I am able to explain this problem because it is very annoying. I basically want to revert back to my original security setting for the web service being able to be accessed by only authorized usernames and passwords, no encryption or digital signatures necessary. Can someone tell me what I am doing wrong or is this another bug in the IDE?
    Surya

    Hi Surya,
    Which version of JDev are you using for this scenario? Am not able to reproduce the files duplication in Structure Pane, on 10.1.3 Production (10.1.3.3673).
    There's a bug logged for keystore values not cleared in oracle-webservices.xml when X509 Certificate option is unchecked. But even though the values in oracle-webservices.xml are not cleared, the wizard correctly disables the keystore options page, and does not ask for entering keystore values when X509 Digital Certificate authentication option is unchecked.
    If you are using the 10.1.3 production build, can you please specify the steps to reproduce the duplication and also for the security scenarios..
    Regards,
    Sunil..

  • [kinda urgent] Is that possible signing without digital ID?

    Hello!
    I want to ask two questions. Those things might be similar to each other, and may concern signing without Digital ID.
    First one is that we want to get a signature right away, right on the spot (maybe without Digital ID). Probably a pad or something, such as the device we use when taking bills with credit card, would be connected to the computer. Is that possible or at least sounds probable? And if it is, please let me know how.
    Not only that, I wanna ask u one more thing. It is using a pdf file with a tablet PC, such as I-PAD. hmm.. giving an example, let's say I read a dynamic form with I-pad, and I want to sign without Digital ID thing, specifically 'on the pad'. Is that possible? Like the former one, if it is, please tell me how to do it.
    The former one is more important and the fact whether possible or not is the first priority.
    In case the information is not specific enough, just comment about that, I am gonna add more detail.
    kinda in a hurry, Please help me.
    Any comment would be appreciated!!
    virtuodo123

    The PDF format supports many types of "Electronic" signatures, including signatures created using a signature pad.  Acrobat and Reader (with a reader extended form) have the ability to sign PDF documents using Digital IDs (x509 digital certificates) out of the box.  Other types of signatures are supported using third party plugins.
    For more info, check out http://www.adobe.com/security/partners/index.html
    Regards
    Steve

  • Can I limit options when creating digital sig?

    Hi, all.  Thanks, in advance, for any help :-)
    We have created an application in LiveCycle and have incorporated digital signatures to allow applicants to sign the various forms within the application, including W-4 and I-9.  I have several questions and will post some as other topics, but let's start with this...
    The average person filling out one of these applications jacks around with options in the create digital ID wizard that they don't need to change, so I want to know if there is a way to lock down these options, such as the font, digital sig file type, country and show only the create new ID option in the first dropdown rather than showing every ID that's been created on that pc.  As well, some options are totally unnecessary and I would like them to not show up at all.
    Is there any way I can change these things in the wizard?
    Thanks,
    Michelle

    Michelle
    As I mentioned in my reply to your other question, when Acrobat is used to create a digital certificate, it is creating a self-signed certificate that conforms to the X509 certificate standard.  I'm sure that the information that the self-signed certificate creation wizard in Acrobat is capturing is necessary to create a valid X509 digital certificate.
    There is no way that I am aware of to "customize" the self-signed certificate creation wizard in Acrobat.
    Regards
    Steve
