Comments (7)
Which signature algorithm was that? RSASSA-PSS? The "stepped out of BC provider" part is only true for p12 files.
That feature would fit nicely in release 5.4 which will add verification of jar signatures. I'll consider it.
from keystore-explorer.
You read my mind :). It was indeed that one.
from keystore-explorer.
I've had this problem a couple of months ago at work. The verification code in Java (Certificate.verify()
) assumes that the signature parameters are always empty which is not the case for PSS signatures.
from keystore-explorer.
Hmm you're making reopen the test project I happily closed couple of hours ago. I did step through both the java and BC code below that method. I didn't step in Java 's Signature instantiation which was throwing the algorithm not supported exception trusting it that it knew it didn't support it. BC did fail the signature and it looked an honest sig failure. Now I am going to see if I can use OpenSSL to peer-review that verification. So if I understand correctly what you're saying RSASSA-PSS is supported by JCE but the Certificate.verify() doesn't read it correctly? IIRC, it was using it's OID form as algorithm ID so I assumed it really doesn't know it. I already told the customer to go get another SSL cert from their CA because the signature is broken, I wonder if I was wrong...
from keystore-explorer.
JCA/JCE follows a plugin concept. If the BC provider is registered, then the OID for PSS is recognized by JCE and almost everything works. Except for code that is not generic enough to handle those new algorithms (like Certificate.verify()
). But it is possible to verify PSS certificates in Java by using Signature.verify()
(and manually reading out and setting the PSS parameters for verification).
That being said, I have never seen PSS certificates in the wild. And in my experience a lot of standard software (some relatively new Firefox versions for example) has problems with them.
from keystore-explorer.
Kai, thank you for the info on this. "openssl verify ..." passes just fine on the chain, as your info above has suggested. We do have BC registered at slot 2 in our server, but unfortunately for my customer the issue arises on SSL handshake when JSSE's handshaker verifies peer trust which uses the Java PKIX classes which in turn use the Certificate.verify() at one point. They will just get another SSL cert. Again, thanks for your help!
from keystore-explorer.
You're welcome!
from keystore-explorer.
Related Issues (20)
- add Keystore name to Certificate Detail Window HOT 1
- show fingerprint in overview HOT 2
- [GUI][i18n] Open question about label of number of revoked certs on CRL view HOT 3
- Manage verify self-signature for SPKAC CSR HOT 3
- How to add `User Notice` on `Certificate Policies` extension on cert.? HOT 2
- Issue on format of `Private Key Usage Period` extension HOT 5
- Bug Report: Keys can be used in ways that the key usage data should prohibit. HOT 2
- CRMF support (Certificate Request Message Format) HOT 2
- Certificate Fingerprint gives wrong values HOT 2
- Suggestion: Update JavaInfo.dll to 1.6.0 HOT 2
- Display fingerprint 3 ways HOT 3
- Export Selected Certificates HOT 6
- NPE verifying OCSP certificate HOT 4
- Unknown object id - ORG_ID HOT 5
- Make it compatible with Java 22 HOT 5
- KeyStore Explorer And Blank Password HOT 2
- Java d3d causes window components redraw HOT 10
- How to disable auto-updates HOT 2
- Unable to Recreate Expired Certificates HOT 6
- Add an option to generate an X25519 keypair HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from keystore-explorer.