santuario-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40826] Private keys must be instance of RSAPrivate or have PKCS#8 encoding
Date Thu, 07 Aug 2008 09:17:08 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=40826


Dario Napolitano <d.napolitano@reply.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d.napolitano@reply.it
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |




--- Comment #17 from Dario Napolitano <d.napolitano@reply.it>  2008-08-07 02:17:07 PST ---
I seem to be experiencing the same problem reported in this bug, but no
workaround seems to be effective, apart from restarting the application
altogether.

The situation I have is this: my application makes use of several different
types of KeyStore. The user can use a configuration window to select which one
to use, and even change some properties (e.g. the .dll module for the PKCS11
provider, or the slot number).
The application uses the selected provider to send SOAP requests using
Axis/Rampart 1.3. I have written a replacement Crypto class for Rampart that
gets the keys and certificates from the correct keystore/provider. While
everything works fine with JKS keystores, the PKCS11 provider only works until
it gets reconfigured. 

Please note that I remove the previous Provider instance entirely, discard all
previously obtained keys and keystores and recreate everything anew, but only
the very first instance of the PKCS11 provider works.

Code excerpt:
----------------------------------------------------
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Security;
import sun.security.pkcs11.SunPKCS11;

// Build the SunPKCS11 configuration from the currently selected settings
StringBuilder sb = new StringBuilder();
sb.append("name = ");
sb.append(providerName);
sb.append("\nlibrary = ");
sb.append(ConfigManager.getInstance().getConf().getDllPkcs11()); // Get the selected PKCS11 DLL
sb.append("\nslot = ");
sb.append(ConfigManager.getInstance().getConf().getPkcs11Slot()); // Get the selected slot
sb.append("\ndisabledMechanisms = { CKM_SHA1_RSA_PKCS }\n");

String pkcs11config = sb.toString();

byte[] pkcs11configBytes = pkcs11config.getBytes();
ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11configBytes);

// fullProvName is the provider name with the SunPKCS11 prefix;
// prov and ks are fields of the Crypto class
if (Security.getProvider(fullProvName) != null)
        Security.removeProvider(fullProvName);
prov = new SunPKCS11(configStream);
Security.insertProviderAt(prov, 1); // This is done to have Rampart select this provider for signature operations.
ks = KeyStore.getInstance("PKCS11");
-----------------------------------------------------

Any key obtained after the first ever Provider instance gets replaced leads to
this exception:

-----------------------------------------------------
org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: 
        org.apache.xml.security.signature.XMLSignatureException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
Original Exception was org.apache.xml.security.signature.XMLSignatureException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
Original Exception was java.security.InvalidKeyException: Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
        at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:663)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:611)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:385)
        at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:95)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:131)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:292)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:212)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:377)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:374)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
-----------------------------------------------------



Is there any way to replace the PKCS11 provider without having to restart the
application? Note that since I have to change the configuration parameters at
run-time I cannot leave the first provider instance alone...
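As an added example (not code from the bug report, Santuario or Rampart), the following Java helper recreates the SunPKCS11 provider the way the excerpt above does, opens the token keystore bound to that exact provider object, and mirrors the precondition named in the InvalidKeyException so that a key left over from a replaced provider instance is rejected before signature creation rather than inside it. The class and method names are hypothetical, and the `new SunPKCS11(InputStream)` constructor assumes a pre-Java 9 JDK, as used at the time of the report.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import sun.security.pkcs11.SunPKCS11;

// Added example, not code from the bug report, Santuario or Rampart.
public final class Pkcs11ProviderCheck {

    // Unregister any provider with this name, then register a fresh SunPKCS11 instance at position 1
    // (same approach as the excerpt; "SunPKCS11-" is the prefix SunPKCS11 adds to the configured name).
    public static Provider replaceProvider(String name, String library, int slot) {
        String config = "name = " + name + "\nlibrary = " + library + "\nslot = " + slot + "\n";
        if (Security.getProvider("SunPKCS11-" + name) != null) {
            Security.removeProvider("SunPKCS11-" + name);
        }
        Provider prov = new SunPKCS11(new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8)));
        Security.insertProviderAt(prov, 1);
        return prov;
    }

    // Bind the keystore to this exact provider object instead of whatever "PKCS11" resolves to.
    public static KeyStore openKeyStore(Provider prov, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", prov);
        ks.load(null, pin);
        return ks;
    }

    // Mirror the precondition in the InvalidKeyException: the key must be an RSAPrivate(Crt)Key
    // or expose a PKCS#8 encoding. Also refuse a key whose provider object is no longer the registered one.
    public static void checkSignable(PrivateKey key, Provider owner) {
        boolean rsaKey = key instanceof RSAPrivateKey;
        boolean pkcs8 = "PKCS#8".equals(key.getFormat()) && key.getEncoded() != null;
        if (!rsaKey && !pkcs8) {
            throw new IllegalStateException(key.getClass().getName()
                    + " is neither an RSAPrivateKey nor PKCS#8-encodable; reload it from the current provider");
        }
        if (Security.getProvider(owner.getName()) != owner) {
            throw new IllegalStateException("provider " + owner.getName() + " was replaced; reload keys and keystore");
        }
    }
}
```

Calling `checkSignable` on every key handed to the signing code turns the late, nested signature failure into an immediate error that names the stale provider.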

