对于我的项目,我必须对字符串进行数字签名,而我正在使用bouncycastle jar。环境详细信息如下。
Weblogic 12c JSF,Primefaces Java版本:1.7.0_45 BC罐子: bcmail-jdk15on-152.jar,bcpkix-jdk15on-152.jar, bcprov-ext-jdk15on-152.jar,bcprov-jdk15on-152.jar
或者我也使用过bcprov-jdk16-1.45.jar和bcmail-jdk16-1.45.jar但结果是一样的。我得到的错误是,
java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: SHA1WithRSAEncryption, provider: BC, class: org.bouncycastle.jce.provider.JDKDigestSignature$SHA1WithRSAEncryption)
at java.security.Provider$Service.newInstance(Provider.java:1262) ~[?:1.7.0_45]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) ~[?:1.7.0_45]
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206) ~[?:1.7.0_45]
at java.security.Signature.getInstance(Signature.java:355) ~[?:1.7.0_45]
at DigiSigner.sign(DigiSigner.java:185) [DigiSigner.class:?]
... 40 more
Caused by: java.lang.SecurityException: SHA1 digest error for org/bouncycastle/jce/provider/JDKDigestSignature$SHA1WithRSAEncryption.class
at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:220) ~[?:1.7.0_45]
at java.util.jar.JarVerifier.processEntry(JarVerifier.java:229) ~[?:1.7.0_45]
at java.util.jar.JarVerifier.update(JarVerifier.java:216) ~[?:1.7.0_45]
at java.util.jar.JarVerifier$VerifierStream.read(JarVerifier.java:471) ~[?:1.7.0_45]
at sun.misc.Resource.getBytes(Resource.java:124) ~[?:1.7.0_45]
at java.net.URLClassLoader.defineClass(URLClassLoader.java:444) ~[?:1.7.0_45]
at java.net.URLClassLoader.access$100(URLClassLoader.java:71) ~[?:1.7.0_45]
at java.net.URLClassLoader$1.run(URLClassLoader.java:361) ~[?:1.7.0_45]
at java.net.URLClassLoader$1.run(URLClassLoader.java:355) ~[?:1.7.0_45]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.7.0_45]
at java.net.URLClassLoader.findClass(URLClassLoader.java:354) ~[?:1.7.0_45]
at java.lang.ClassLoader.loadClass(ClassLoader.java:425) ~[?:1.7.0_45]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) ~[?:1.7.0_45]
at java.lang.ClassLoader.loadClass(ClassLoader.java:358) ~[?:1.7.0_45]
at java.security.Provider$Service.getImplClass(Provider.java:1279) ~[?:1.7.0_45]
at java.security.Provider$Service.newInstance(Provider.java:1237) ~[?:1.7.0_45]
... 44 more
DigiSigner.java的代码是
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Store;
import sun.misc.BASE64Encoder;
@SuppressWarnings("rawtypes")
public class DigiSigner {
private String certFilePath = null;
private String pfxFilename = null;
private String jksFilename = null;
private String certPassword = null;
private char[] certPasswordArr = null;
private KeyStore keystore = null;
CMSSignedDataGenerator sgen = null;
@SuppressWarnings("unchecked")
public DigiSigner(String certificatePrefix) throws IBException{
ConfigManager config = ConfigManager.getConfigManager();
this.certFilePath = "D:/Chintan/cert_files";
this.pfxFilename = "chintan.pfx";
this.jksFilename = "chintan.jks";
this.certPassword = "abc123";
certPasswordArr = certPassword.toCharArray();
try{
this.keystore = KeyStore.getInstance("jks");
File jksFile = new File(certFilePath + "/" + jksFilename);
if(!jksFile.exists()){
this.createJKS();
}
InputStream input = new FileInputStream(certFilePath + "/" + jksFilename);
keystore.load(input, certPasswordArr);
}
catch(KeyStoreException e){
e.printStacktrace();
}
catch (NoSuchAlgorithmException e) {
e.printStacktrace();
}
catch (CertificateException e) {
e.printStacktrace();
}
catch (IOException e) {
e.printStacktrace();
}
}
@SuppressWarnings("unchecked")
public String sign(String dataToSign) throws IBException{
String signedData = null;
try {
byte[] dataToSignArr = dataToSign.getBytes();
Security.addProvider(new BouncyCastleProvider());
Enumeration e = keystore.aliases();
String alias = "";
if(e != null){
while(e.hasMoreElements()){
String n = (String)e.nextElement();
if (keystore.isKeyEntry(n)){
alias = n;
}
}
}
PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, certPasswordArr);
Signature signature = Signature.getInstance("SHA1WithRSA", "BC");
signature.initSign(privateKey);
signature.update(dataToSignArr);
//Build CMS
X509Certificate cert = (X509Certificate) this.keystore.getCertificate(alias);
List certList = new ArrayList();
CMSTypedData msg = new CMSProcessableByteArray(signature.sign());
certList.add(cert);
Store certs = new JcaCertStore(certList);
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);
gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(sha1Signer, cert));
gen.addCertificates(certs);
CMSSignedData sigData = gen.generate(msg, false);
BASE64Encoder encoder = new BASE64Encoder();
signedData = encoder.encode((byte[]) sigData.getSignedContent().getContent());
System.out.println("Signature is : " + signedData);
}
catch(KeyStoreException e){
e.printStacktrace();
}
catch (NoSuchAlgorithmException e) {
e.printStacktrace();
}
catch (NoSuchProviderException e) {
e.printStacktrace();
}
catch (CMSException e) {
e.printStacktrace();
}
catch (UnrecoverableKeyException e) {
e.printStacktrace();
}
catch (SignatureException e) {
e.printStacktrace();
}
catch (InvalidKeyException e) {
e.printStacktrace();
}
catch (CertificateEncodingException e) {
e.printStacktrace();
}
catch (OperatorCreationException e) {
e.printStacktrace();
}
return signedData;
}
public void createJKS() throws IBException{
try{
File fileIn = new File(certFilePath + "/" + pfxFilename);
File fileOut = new File(certFilePath + "/" + jksFilename);
if(!fileIn.canRead()){
throw new IBException("Unable to access input keystore: " + fileIn.getPath());
}
if(fileOut.exists() && !fileOut.canWrite()){
throw new IBException("Output file is not writable: " + fileOut.getPath());
}
KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");
KeyStore ksjks = KeyStore.getInstance("jks");
char inphrase[] = certPassword.toCharArray();
char outphrase[] = certPassword.toCharArray();
kspkcs12.load(new FileInputStream(fileIn), inphrase);
ksjks.load(fileOut.exists() ? ((java.io.InputStream) (new FileInputStream(fileOut))) : null, outphrase);
Enumeration eAliases = kspkcs12.aliases();
do{
if(!eAliases.hasMoreElements())
break;
String strAlias = (String)eAliases.nextElement();
if(kspkcs12.isKeyEntry(strAlias))
{
java.security.Key key = kspkcs12.getKey(strAlias, inphrase);
Certificate chain[] = kspkcs12.getCertificateChain(strAlias);
ksjks.setKeyEntry(strAlias, key, outphrase, chain);
}
}
while(true);
OutputStream out = new FileOutputStream(fileOut);
ksjks.store(out, outphrase);
out.close();
}
catch(KeyStoreException e){
e.printStacktrace();
}
catch (NoSuchAlgorithmException e) {
e.printStacktrace();
}
catch (CertificateException e) {
e.printStacktrace();
}
catch (FileNotFoundException e) {
e.printStacktrace();
}
catch (IOException e) {
e.printStacktrace();
}
catch (UnrecoverableKeyException e) {
e.printStacktrace();
}
System.out.println("Java Key Store created successfully");
}
}
我提到了这个链接:Bouncycastle for JDK 1.7 and PKCS libraries - 但是,它对我不起作用。
错误在这一行:签名签名= Signature.getInstance(“SHA1WithRSA”,“BC”);
答案 0 :(得分:1)
作为mentioned here,Weblogic包含无效的 bcprov-jdk16-1.45.jar
尝试使用 jarsigner 实用程序验证MW_HOME/oracle_common/modules/bcprov-jdk16-1.45.jar:
jarsigner -verify bcprov-jdk16-1.45.jar
抛出SecurityException:
jarsigner: java.lang.SecurityException: SHA1 digest error for org/bouncycastle/jce/ECKeyUtil$UnexpectedException.class
该文件与Maven Repository中的文件不同,后者成功通过了验证。
答案 1 :(得分:0)
Bouncycastle 支持的list of related signature algorithms:
SHA1withRSA
SHA1withRSA/ISO9796-2
SHA1withRSA/PSS
SHA1withRSA/X9.31
SHA1withRSAEncryption
SHA1withRSAandMGF1
因此,它应该工作!
我猜你的Java classpath出了问题。您可能会按照here的说明混合不兼容的 Bouncycastle Jar文件。
您正在引用bcprov-ext-jdk15on-152.jar 和 bcprov-jdk15on-152.jar。但是只应采取其中一种方法。省略ext版本。