Posted to dev@santuario.apache.org by bu...@apache.org on 2006/10/27 13:14:56 UTC

DO NOT REPLY [Bug 40826] New: - Private keys must be instance of RSAPrivate or have PKCS#8 encoding

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40826>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40826

           Summary: Private keys must be instance of RSAPrivate or have
                    PKCS#8 encoding
           Product: Security
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: fillipelima@gmail.com


Hello

I am having a problem. My application is an applet that generates an XML document and
signs it with a PrivateKey from a SmartCard. 

The first time, it works fine! However, when I try to sign again (the second time), I
get this exception: 

java.security.InvalidKeyException: Private keys must be instance of
RSAPrivate(Crt)Key or have PKCS#8 encoding

The exception occurs when calling the method: DOMSignContext dsc = new
DOMSignContext(pk, doc.getDocumentElement()); This method is part of the
following code:

Does anybody know what I could do to solve this problem?

======= code that generates the xml signature

import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import org.w3c.dom.Document;

// AssinaturaXMLEnveloped.assinar (method name taken from the stack trace further down;
// parameters assumed): enveloped RSA-SHA1 signature over the whole document using the
// JSR 105 DOM implementation. pk and cert are the smart card key and certificate loaded
// by the second snippet.
Document assinar(Document doc, PrivateKey pk, X509Certificate cert) throws Exception {
    String providerName = System.getProperty("jsr105Provider",
        "org.jcp.xml.dsig.internal.dom.XMLDSigRI");
    XMLSignatureFactory fac = XMLSignatureFactory.getInstance(
        "DOM",
        (Provider) Class.forName(providerName).newInstance());

    // Reference to the whole document (URI "") with the enveloped transform, so the
    // Signature element itself is left out of the digest.
    Reference ref = fac.newReference(
        "",
        fac.newDigestMethod(DigestMethod.SHA1, null),
        Collections.singletonList(fac.newTransform(
            Transform.ENVELOPED,
            (TransformParameterSpec) null)),
        null,
        null);

    SignedInfo si = fac.newSignedInfo(
        fac.newCanonicalizationMethod(
            CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
            (C14NMethodParameterSpec) null),
        fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
        Collections.singletonList(ref));

    // Embed the signer certificate in KeyInfo/X509Data.
    KeyInfoFactory kif = fac.getKeyInfoFactory();
    X509Data x509 = kif.newX509Data(Collections.singletonList(cert));
    KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));

    // The signing key is bound here; the actual Signature.initSign() happens inside sign().
    DOMSignContext dsc = new DOMSignContext(pk, doc.getDocumentElement());

    XMLSignature signature = fac.newXMLSignature(si, ki);
    signature.sign(dsc);
    return doc;
}

======= code that gets the PrivateKey and Certificate from the Smart Card:

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Fields filled in here and used by the signing code above.
private String nomeProvider;
private KeyStore repositorio;
private X509Certificate certificado;
private PrivateKey chavePrivada;

// Method name assumed (not given in the report); this runs on every sign operation.
void carregarDoSmartCard(String pin) throws Exception {
    // Inline SunPKCS11 configuration; the provider registers itself as "SunPKCS11-SmartCard".
    String configuracao = "name = SmartCard\n" +
        "library = c:\\windows\\system32\\aetpkss1.dll";
    byte[] configuracaoBytes = configuracao.getBytes();
    ByteArrayInputStream configuracaoStream = new ByteArrayInputStream(configuracaoBytes);
    sun.security.pkcs11.SunPKCS11 provider = new sun.security.pkcs11.SunPKCS11(configuracaoStream);
    Security.addProvider(provider);   // return value (-1 when a provider of this name is already installed) is not checked
    this.nomeProvider = provider.getName();
    this.repositorio = KeyStore.getInstance("PKCS11", provider);   // bound to this (possibly uninstalled) instance
    repositorio.load(null, pin.toCharArray());
    this.inicializarDados(pin);   // not shown in the report

    String keyEntry = null;
    boolean ok = false;

    // Pick the first alias that holds a private key.
    Enumeration en = repositorio.aliases();
    while (en.hasMoreElements()) {
        keyEntry = (String) en.nextElement();
        if (repositorio.isKeyEntry(keyEntry)) {
            ok = true;
            break;
        }
    }
    if (ok) {
        certificado = (X509Certificate) repositorio.getCertificate(keyEntry);
        chavePrivada = (PrivateKey) repositorio.getKey(keyEntry, pin.toCharArray());
    }
}

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.


------- Additional Comments From sean.mullan@sun.com  2006-10-27 10:18 -------
(In reply to comment #2)

> The complete stack trace:
> 
> AssinaturaXMLException: java.security.InvalidKeyException: Private keys must be 
> instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
> 	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:86)

This stack trace doesn't help. The AssinaturaXMLException is swallowing the
stack trace of the cause: InvalidKeyException. I need to have the stack
trace of the InvalidKeyException to be able to help.


------- Additional Comments From fillipelima@gmail.com  2006-11-02 05:36 -------
(In reply to comment #9)
> Ok, I looked into this a little bit more and still need more details.
> 
> First, if you remove the SunPKCS11 provider and create a new instance, then any
> PrivateKey objects from the old SunPKCS11 instance will not be usable with the
> new instance (and this exception will be thrown). 
> If the privateKey object is from the new provider, it should work. 
> 
> Can you let me know if you are doing this?

Each time I sign, I add the provider (Security.addProvider(p)) and create a new
PrivateKey object. I'm not reusing anything. Is it correct? Or do I have to
remove and add the provider each time? From what I know, when we use
addProvider, it adds the provider in the available slot, but we can add it in a
specific slot, just using addProviderAt(p, 2) for instance.


------- Additional Comments From alon.barlev@gmail.com  2007-08-09 12:28 -------
Thought about this again...
And I don't think this solution is valid.
By convention all crypto functions throughout the SDK API accept an explicit 
provider.
If you can find another exception to this rule I may understand and drop 
this...
But if xmlsec is the only exception, then it should sync up.



------- Additional Comments From alon.barlev@gmail.com  2007-08-08 13:29 -------

As PKCS#11 has such a great design, a separate instance must be instantiated for 
each slot of each provider.

I tried to do what you requested, registered the provider with the system, and passed 
null to KeyStore.Builder as the provider, and it does work.

But I don't think this is a valid solution, as there is no reason why all 
providers should be added to the global scope.



------- Additional Comments From sean.mullan@sun.com  2006-11-01 14:21 -------
Ok, I looked into this a little bit more and still need more details.

First, if you remove the SunPKCS11 provider and create a new instance, then any
PrivateKey objects from the old SunPKCS11 instance will not be usable with the
new instance (and this exception will be thrown). 
If the privateKey object is from the new provider, it should work. 

Can you let me know if you are doing this?


------- Additional Comments From fillipelima@gmail.com  2006-10-27 09:20 -------
(In reply to comment #1)
> (In reply to comment #0)
> > Hello
> > 
> > I am having a problem. My application is an applet that generate a xml and sign
> > it with PrivateKey from SmartCard. 
> > 
> > The first time, it works fine! however when i try to sign again (second time), i
> > get this exception: 
> > 
> > java.security.InvalidKeyException: Private keys must be instance of
> > RSAPrivate(Crt)Key or have PKCS#8 encoding
> This exception indicates that you are trying to use the key that is 
> stored on the smart card with a software based crypto provider. It won't work. 
> See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#DelayedSelect
> for some more information about that.
> However, we need to figure out why you are getting that exception. 
> > The exception occurs when calling the method: DOMSignContext dsc = new
> > DOMSignContext(pk, doc.getDocumentElement()); This method is part of the
> > following code:
> > 
> > Does any body know what could i do to solve this problem ?
> Can you attach the full exception stack trace?

I will try to do this:

"It is recommended that applications only call getProvider() after they have 
called the relevant initialization method."

I'm using XML signature... 
i) Is this my initialization method: "XMLSignature signature = fac.newXMLSignature(si, ki);"?

ii) Is my getProvider() this part?
"XMLSignatureFactory fac = XMLSignatureFactory.getInstance(
    "DOM",
    (Provider) Class.forName(providerName).newInstance());
Reference ref = fac.newReference(
    "",
    fac.newDigestMethod(DigestMethod.SHA1, null),
    Collections.singletonList(fac.newTransform(
        Transform.ENVELOPED,
        (TransformParameterSpec) null)),
    null,
    null);"

The complete stack trace:

AssinaturaXMLException: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:86)
	at AssinadorDigital.AssinarDados(AssinadorDigital.java:133)
	at AssinadorDigital.btnAssinar_actionPerformed(AssinadorDigital.java:189)
	at AssinadorDigital_btnAssinar_actionAdapter.actionPerformed(AssinadorDigital.java:201)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)




------- Additional Comments From sean.mullan@sun.com  2006-11-02 07:42 -------

> Each time i sign, i add the provider (Security.addProvider(p)) and create a new
> PrivateKey object. Im not reusing nothing.. is it correct ? or i must have to
> remove and add the provider each time? from what i know...when we use the
> addProvider, it add the provider in the available slot, but we can add in a
> specific slot, just using addProviderAt(p, 2) for instance.

Ahh, here's what I think is happening:

The first time you call Security.addProvider(p), your provider is added 
correctly, you create a new PrivateKey object using that same provider and
the xml signing operation works ok.

The next time you create a new provider and call Security.addProvider(p), 
I bet the provider is not added because it is already installed (from the API's
standpoint, it is the same provider even though it is a new instance). Check 
the return value of addProvider to see if it returns -1. 

*But* (and this is a major but), you then use the new provider instance to
create a PrivateKey object. There's the problem. When you use this PrivateKey
to sign, the xml signature cannot find the provider that you used to create it
(since it is not installed, it only finds the old provider but that won't
work with the new PrivateKey) and therefore the signing operation fails because
it cannot find a provider that the key can be used with.

Workarounds:

Either, 1) explicitly remove the provider before you reinstall it each 
time, or 2) only create and install the provider once and always use 
this provider to create the PrivateKeys.  

Please confirm if this is the case. 


sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




------- Additional Comments From sean.mullan@sun.com  2006-10-27 07:46 -------
(In reply to comment #0)
> Hello
> 
> I am having a problem. My application is an applet that generate a xml and sign
> it with PrivateKey from SmartCard. 
> 
> The first time, it works fine! however when i try to sign again (second time), i
> get this exception: 
> 
> java.security.InvalidKeyException: Private keys must be instance of
> RSAPrivate(Crt)Key or have PKCS#8 encoding

This exception indicates that you are trying to use the key that is 
stored on the smart card with a software based crypto provider. It won't work. 
See http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html#DelayedSelect
for some more information about that.

However, we need to figure out why you are getting that exception. 

> The exception occurs when calling the method: DOMSignContext dsc = new
> DOMSignContext(pk, doc.getDocumentElement()); This method is part of the
> following code:
> 
> Does any body know what could i do to solve this problem ?

Can you attach the full exception stack trace?


------- Additional Comments From fillipelima@gmail.com  2006-11-02 09:44 -------
(In reply to comment #11)
> > Each time i sign, i add the provider (Security.addProvider(p)) and create a new
> > PrivateKey object. Im not reusing nothing.. is it correct ? or i must have to
> > remove and add the provider each time? from what i know...when we use the
> > addProvider, it add the provider in the available slot, but we can add in a
> > specific slot, just using addProviderAt(p, 2) for instance.
> 
> Ahh, here's what I think is happening:
> 
> The first time you call Security.addProvider(p), your provider is added 
> correctly, you create a new PrivateKey object using that same provider and
> the xml signing operation works ok.
> 
> The next time you create a new provider and call Security.addProvider(p), 
> I bet the provider is not added because it is already installed (from the APIs
> standpoint, it is the same provider even though it is a new instance). Check 
> the return value of addProvider to see if it returns -1. 
> 
> *But* (and this is a major but), you then use the new provider instance to
> create a PrivateKey object. There's the problem. When you use this PrivateKey
> to sign, the xml signature cannot find the provider that you used to create it
> (since it is not installed, it only finds the old provider but that won't
> work with the new PrivateKey) and therefore the signing operation fails because
> it cannot find a provider that the key can be used with.
> 
> Workarounds:
> 
> Either, 1) explicitly remove the provider before you reinstall it each 
> time, or 2) only create and install the provider once and always use 
> this provider to create the PrivateKeys.  
> 
> Please confirm if this is the case. 


Exactly! addProvider is returning -1 the second time! (The first returned
a high position: 7.) However, I am not having problems anymore because I'm using it
like this: 

Security.addProvider(p);
KeyStore.getInstance("PKCS11");

If I use KeyStore.getInstance("PKCS11", p), then I get the exception the second
time!

Sean Mullan, thank you very much for your clarifications! I am doing this as
part of my monograph project (Information Systems course). I will put your name
in the acknowledgements section! :))



sean.mullan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |WORKSFORME




------- Additional Comments From sean.mullan@sun.com  2006-11-06 11:55 -------
Closing this out, as it looks like my explanation is correct and the 
problem has been resolved.


------- Additional Comments From info@frankcornelis.be  2006-10-30 23:05 -------
I'm experiencing the same kind of weird behavior when I try to sign twice. The
code does something like:

Document document = loadDocument();

smartCard.open(...); // registers SunPKCS11 provider
PrivateKey privateKey = smartCard.getPrivateKey(); // from the keystore

xmlSign(document, privateKey, ...);

smartCard.close(); // removes SunPKCS11 provider
smartCard.open(...); // registers SunPKCS11 provider again
privateKey = smartCard.getPrivateKey(); // new key object from the new provider instance

xmlSign(document, privateKey, ...);

The second sign operation gives me:
Caused by: org.apache.xml.security.signature.XMLSignatureException: Private key
must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
Original Exception was org.apache.xml.security.signature.XMLSignatureException:
Private key must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
Original Exception was java.security.InvalidKeyException: Private key must be
instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)

In my smart card code it doesn't matter whether to use
KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11",
    this.pkcs11Provider, callbackHandlerProtection);
or
...("PKCS11", null, callbackHandlerProtection);

I always get the exception. The funny thing is that I can sign twice via a
non-XML signature, i.e., using
Signature.getInstance("SHA1withRSA");
but, when using xmlsec, it's throwing the exception.



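Sean's pointer to delayed provider selection (comment of 2006-10-27 07:46) and the sun.security.rsa frames in the stack traces describe one mechanism, and Frank compares the same bare Signature.getInstance("SHA1withRSA") call above. The class below is an added example written for this page; it is not code from the bug report, from xmlsec or from JSR 105. OpaqueRsaPrivateKey is a constructed stand-in for a non-extractable token key (same shape as a PKCS#11 private key: algorithm "RSA", no format, no encoding), and the method names are mine. It runs without a smart card.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Signature;

/**
 * Added example, not code from the bug report, xmlsec or JSR 105.
 * Shows how the JCE picks a provider for a key whose private material never leaves
 * the token, which is where the InvalidKeyException in this bug comes from.
 */
public final class DelayedProviderSelectionDemo {

    /** Constructed stand-in for a non-extractable PKCS#11 RSA key: no encoding, no format. */
    static final class OpaqueRsaPrivateKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat()    { return null; }   // nothing to export
        @Override public byte[] getEncoded()   { return null; }   // private exponent stays on the token
    }

    private DelayedProviderSelectionDemo() {}

    /**
     * Delayed provider selection: no provider is named, so initSign() walks
     * Security.getProviders() in order and offers the key to each SHA1withRSA service.
     * This is the call JSR 105's DOMRSASignatureMethod makes, so the provider that owns
     * the key has to be in that list or a software provider ends up rejecting it.
     */
    public static String delayedSelection(PrivateKey key) throws NoSuchAlgorithmException {
        Signature sig = Signature.getInstance("SHA1withRSA");
        try {
            sig.initSign(key);
            return "OK via " + sig.getProvider().getName();
        } catch (InvalidKeyException e) {
            return "InvalidKeyException: " + e.getMessage();
        }
    }

    /**
     * Explicit software provider: SunRsaSign's RSAKeyFactory must translate the key,
     * and a key with neither RSAPrivate(Crt)Key interfaces nor a PKCS#8 encoding fails
     * with exactly the message quoted in this bug.
     */
    public static String softwareProviderOnly(PrivateKey key)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        Signature sig = Signature.getInstance("SHA1withRSA", "SunRsaSign");
        try {
            sig.initSign(key);
            return "OK via " + sig.getProvider().getName();
        } catch (InvalidKeyException e) {
            return "InvalidKeyException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // An ordinary software key carries a PKCS#8 encoding, so SunRsaSign accepts it either way.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair soft = kpg.generateKeyPair();
        System.out.println("software key, delayed selection : " + delayedSelection(soft.getPrivate()));
        System.out.println("software key, SunRsaSign        : " + softwareProviderOnly(soft.getPrivate()));

        // The token-style key has neither, so only the provider that created it can use it.
        PrivateKey opaque = new OpaqueRsaPrivateKey();
        System.out.println("opaque key, delayed selection   : " + delayedSelection(opaque));
        System.out.println("opaque key, SunRsaSign          : " + softwareProviderOnly(opaque));
    }
}
```

The explicit SunRsaSign call reproduces the report's message on any JDK. The exact text from the delayed-selection call depends on the JDK: the thread's JDK handed the key to SunRsaSign's RSAKeyFactory (see the chooseProvider frames in the stack trace), whereas a current JDK may skip a service whose declared SupportedKeyClasses do not match the key and report "No installed provider supports this key" instead. Either way the cause is the same: no provider in Security.getProviders() owns the key.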

------- Additional Comments From fillipelima@gmail.com  2006-10-28 14:28 -------
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > The complete stack trace:
> > > 
> > > AssinaturaXMLException: java.security.InvalidKeyException: Private keys must be 
> > > instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
> > > 	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:86)
> > This stack trace doesn't help. The AssinaturaXMLException is swallowing the
> > stack trace of the cause: InvalidKeyException. I need to have that the stack
> > trace of the InvalidKeyException to be able to help.
> 
> Ok. I think this may help:
> 
> javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: 
> Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding

Hello

I solved the problem just by changing the way I get the instance of the KeyStore: 
It was: "this.repositorio = KeyStore.getInstance("PKCS11", provider);"
Now it is: "this.repositorio = KeyStore.getInstance("PKCS11");"
I signed the xml many times, without closing the application, and it is working
fine now.

But I still have some doubts....

1) If I use KeyStore.getInstance("PKCS11", provider) the exception doesn't occur
the first time and the xml document is signed normally. However, if I try to
sign again, the exception occurs. Why? Is it a bug?

2) What's the difference between each one? When do I use each one?

Thanks


------- Additional Comments From sean.mullan@sun.com  2007-08-10 09:51 -------
(In reply to comment #15)
> Thought about this again...
> And I don't think this solution is valid.
> By convention all crypto functions throughout the SDK API accept explicit 
> provider.
> If you can find another exception to this rule I may understand and drop 
> this...
> But if xmlsec is the only exception, than it should sync up.

xmlsec/jsr 105 are at a higher layer than the JCE APIs.
I still think there should be a workaround to your problem. 
Something is happening in your code that causes the 
PrivateKey's provider to be different than what is in the JRE's list of
Providers.  Have you tried the solution in this bug report, that is:

Security.addProvider(p);
KeyStore.getInstance("PKCS11");




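Sean's diagnosis (comment of 2006-11-02 07:42), Fillipe's confirmation that addProvider returned -1 on the second call, Frank's open/close sequence and the workaround restated just above all come down to one rule: the PrivateKey handed to XMLSignature must come from the SunPKCS11 instance that is actually in Security.getProviders(). The class below is an added example written for this page; it is not code from the bug report, from xmlsec or from JSR 105. It assumes the token name and module path from the report, uses the Java 9+ Provider.configure API (the report used the Java 5 SunPKCS11(InputStream) constructor), and FakeTokenProvider plus the method names are constructed for the demo so that main() runs without a card.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example, not code from the bug report, xmlsec or JSR 105.
 * Keeps exactly one SunPKCS11 instance per token in the JRE's provider list, so the
 * PrivateKey handed to XMLSignature.sign() always belongs to an installed provider.
 */
public final class SmartCardProviderLifecycle {

    /** "name" from the SunPKCS11 config; the provider registers itself as "SunPKCS11-" + name. */
    static final String TOKEN_NAME = "SmartCard";
    /** PKCS#11 module path from the bug report (assumption; adjust for your reader). */
    static final String PKCS11_LIB = "c:\\windows\\system32\\aetpkss1.dll";

    private SmartCardProviderLifecycle() {}

    /**
     * Workaround 2 from the thread: install once, reuse forever.
     * Security.addProvider(p) returns -1 when a provider with the same name is already
     * installed and silently keeps the OLD instance; keys created from the new, uninstalled
     * instance then belong to a provider the JCE cannot find at signing time.
     */
    public static Provider installOrReuse(Provider fresh) {
        Provider installed = Security.getProvider(fresh.getName());
        if (installed != null) {
            return installed;                     // create keystores and keys from THIS instance
        }
        if (Security.addProvider(fresh) == -1) {  // lost a race with another thread
            return Security.getProvider(fresh.getName());
        }
        return fresh;
    }

    /** Workaround 1 from the thread: remove the old instance before installing the new one. */
    public static Provider reinstall(Provider fresh) {
        Security.removeProvider(fresh.getName());   // no-op when nothing of that name is installed
        if (Security.addProvider(fresh) == -1) {
            throw new IllegalStateException("could not install " + fresh.getName());
        }
        return fresh;
    }

    /** Fresh SunPKCS11 instance from an inline config (Java 9+ API; "--" marks inline text). */
    public static Provider newSmartCardProvider() {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 (jdk.crypto.cryptoki) is not available");
        }
        return base.configure("--name = " + TOKEN_NAME + "\nlibrary = " + PKCS11_LIB + "\n");
    }

    /** Same alias walk as the report, but against whichever instance is actually installed. */
    public static KeyStore.PrivateKeyEntry firstPrivateKeyEntry(Provider installed, char[] pin)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", installed);   // explicit provider is fine once it is the installed one
        ks.load(null, pin);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                return new KeyStore.PrivateKeyEntry(key, new Certificate[] { cert });
            }
        }
        throw new KeyStoreException("no private key entry on token " + installed.getName());
    }

    /** Constructed stand-in with the name SunPKCS11 would use, so main() runs without a card. */
    static final class FakeTokenProvider extends Provider {
        FakeTokenProvider() { super("SunPKCS11-" + TOKEN_NAME, "1.0", "stand-in for the demo"); }
    }

    public static void main(String[] args) {
        Provider first = new FakeTokenProvider();
        Provider second = new FakeTokenProvider();            // what the applet did on the second click
        System.out.println("first  addProvider -> " + Security.addProvider(first));   // a slot number
        System.out.println("second addProvider -> " + Security.addProvider(second));  // -1, as in the thread
        System.out.println("installed is still the first instance: "
                + (Security.getProvider(second.getName()) == first));
        System.out.println("installOrReuse hands back the first instance: "
                + (installOrReuse(second) == first));
        Provider third = reinstall(new FakeTokenProvider());
        System.out.println("after reinstall the installed instance is the new one: "
                + (Security.getProvider(third.getName()) == third));
    }
}
```

With a real token, call installOrReuse(newSmartCardProvider()) once per sign operation and pass its return value to firstPrivateKeyEntry(); the key you get is then owned by the provider in the global list, which is the situation the thread's KeyStore.getInstance("PKCS11") workaround also produces. Check the addProvider return value in any case: a silent -1 is what turned the reporter's second signature into the exception above.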

------- Additional Comments From fillipelima@gmail.com  2006-10-27 15:15 -------
(In reply to comment #3)
> (In reply to comment #2)
> > The complete stack trace:
> > 
> > AssinaturaXMLException: java.security.InvalidKeyException: Private keys must be 
> > instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
> > 	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:86)
> This stack trace doesn't help. The AssinaturaXMLException is swallowing the
> stack trace of the cause: InvalidKeyException. I need to have the stack
> trace of the InvalidKeyException to be able to help.

Ok. I think this may help:

javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:370)
	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:80)
	at AssinadorDigital.AssinarDados(AssinadorDigital.java:134)
	at AssinadorDigital.btnAssinar_actionPerformed(AssinadorDigital.java:190)
	at AssinadorDigital_btnAssinar_actionAdapter.actionPerformed(AssinadorDigital.java:202)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at sun.security.rsa.RSAKeyFactory.translatePrivateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.engineTranslateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.toRSAKey(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at java.security.Signature$Delegate.init(Unknown Source)
	at java.security.Signature$Delegate.chooseProvider(Unknown Source)
	at java.security.Signature$Delegate.engineInitSign(Unknown Source)
	at java.security.Signature.initSign(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMRSASignatureMethod.sign(DOMRSASignatureMethod.java:134)
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:367)
	... 27 more
java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at sun.security.rsa.RSAKeyFactory.translatePrivateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.engineTranslateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.toRSAKey(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at java.security.Signature$Delegate.init(Unknown Source)
	at java.security.Signature$Delegate.chooseProvider(Unknown Source)
	at java.security.Signature$Delegate.engineInitSign(Unknown Source)
	at java.security.Signature.initSign(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMRSASignatureMethod.sign(DOMRSASignatureMethod.java:134)
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:367)
	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:80)
	at AssinadorDigital.AssinarDados(AssinadorDigital.java:134)
	at AssinadorDigital.btnAssinar_actionPerformed(AssinadorDigital.java:190)
	at AssinadorDigital_btnAssinar_actionAdapter.actionPerformed(AssinadorDigital.java:202)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at sun.security.rsa.RSAKeyFactory.translatePrivateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.engineTranslateKey(Unknown Source)
	at sun.security.rsa.RSAKeyFactory.toRSAKey(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at sun.security.rsa.RSASignature.engineInitSign(Unknown Source)
	at java.security.Signature$Delegate.init(Unknown Source)
	at java.security.Signature$Delegate.chooseProvider(Unknown Source)
	at java.security.Signature$Delegate.engineInitSign(Unknown Source)
	at java.security.Signature.initSign(Unknown Source)
	at org.jcp.xml.dsig.internal.dom.DOMRSASignatureMethod.sign(DOMRSASignatureMethod.java:134)
	at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:367)
	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:80)
	at AssinadorDigital.AssinarDados(AssinadorDigital.java:134)
	at AssinadorDigital.btnAssinar_actionPerformed(AssinadorDigital.java:190)
	at AssinadorDigital_btnAssinar_actionAdapter.actionPerformed(AssinadorDigital.java:202)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)
AssinaturaXMLException: java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding
	at AssinaturaXMLEnveloped.assinar(AssinaturaXMLEnveloped.java:87)
	at AssinadorDigital.AssinarDados(AssinadorDigital.java:134)
	at AssinadorDigital.btnAssinar_actionPerformed(AssinadorDigital.java:190)
	at AssinadorDigital_btnAssinar_actionAdapter.actionPerformed(AssinadorDigital.java:202)
	at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
	at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
	at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
	at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
	at java.awt.Component.processMouseEvent(Unknown Source)
	at javax.swing.JComponent.processMouseEvent(Unknown Source)
	at java.awt.Component.processEvent(Unknown Source)
	at java.awt.Container.processEvent(Unknown Source)
	at java.awt.Component.dispatchEventImpl(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
	at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
	at java.awt.Container.dispatchEventImpl(Unknown Source)
	at java.awt.Component.dispatchEvent(Unknown Source)
	at java.awt.EventQueue.dispatchEvent(Unknown Source)
	at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
	at java.awt.EventDispatchThread.run(Unknown Source)

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
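The message in the trace above is raised by SunRsaSign's key factory (sun.security.rsa.RSAKeyFactory.translatePrivateKey): a software RSA provider can only work with a key that implements RSAPrivateKey/RSAPrivateCrtKey or that exposes a PKCS#8 encoding, and a private key held on a smart card normally offers neither, so it is only usable through the Signature implementation of the provider that owns it (for example SunPKCS11). Signature.initSign performs the provider choice lazily, which is why the failure surfaces inside DOMRSASignatureMethod.sign rather than earlier. The following is an added example, not the reporter's code and not part of the JSR-105 provider: it builds a constructed, token-less stand-in key (OpaqueRsaPrivateKey) that has no RSA interface and no encoding, runs a pre-flight check (acceptedBySoftwareRsa) that mirrors the two conditions named in the exception, and reports which provider initSign ends up with. All class and method names here are assumptions chosen for the example.

```java
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;

/**
 * Diagnoses why Signature.initSign(key) may reject a private key that did
 * not come from a software provider (example code, hypothetical names).
 */
public final class SoftwareRsaKeyCheck {

    /**
     * Constructed stand-in for a smart-card private key: the algorithm is RSA,
     * but the key is neither an RSAPrivate(Crt)Key nor PKCS#8-encodable because
     * the private exponent never leaves the token. No real token is used here.
     */
    static final class OpaqueRsaPrivateKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat()    { return null; } // no PKCS#8
        @Override public byte[] getEncoded()   { return null; } // non-extractable
    }

    /**
     * True when a software RSA provider such as SunRsaSign can translate the key.
     * These are exactly the two alternatives the exception message names.
     */
    static boolean acceptedBySoftwareRsa(PrivateKey key) {
        return key instanceof RSAPrivateKey
            || ("PKCS#8".equals(key.getFormat()) && key.getEncoded() != null);
    }

    /** Runs initSign and reports the provider selected for this key, or why it failed. */
    static String describeInitSign(PrivateKey key) {
        try {
            Signature s = Signature.getInstance("SHA1withRSA");
            s.initSign(key); // delayed provider selection happens here, driven by the key
            return "initSign OK via provider " + s.getProvider().getName();
        } catch (InvalidKeyException e) {
            return "InvalidKeyException: " + e.getMessage();
        } catch (NoSuchAlgorithmException e) {
            return "no SHA1withRSA provider installed";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey softwareKey = gen.generateKeyPair().getPrivate(); // exportable, PKCS#8
        PrivateKey opaqueKey = new OpaqueRsaPrivateKey();            // constructed token-like key

        for (PrivateKey k : new PrivateKey[] { softwareKey, opaqueKey }) {
            System.out.println(k.getClass().getSimpleName()
                + ": format=" + k.getFormat()
                + ", rsaInterface=" + (k instanceof RSAPrivateKey)
                + ", softwareOk=" + acceptedBySoftwareRsa(k));
            System.out.println("  " + describeInitSign(k));
        }

        // A key that fails the check can only be signed with by one of these
        // providers, and only if that provider is the one that owns the key.
        Provider[] signers = Security.getProviders("Signature.SHA1withRSA");
        if (signers != null) {
            for (Provider p : signers) {
                System.out.println("SHA1withRSA offered by: " + p.getName());
            }
        }
    }
}
```

Running this prints a successful initSign for the generated software key and the same InvalidKeyException text as in the trace for the opaque key, because no installed provider recognises a key object it did not create. In a deployment that signs with a token, the practical check before calling XMLSignature.sign is therefore that the token's provider is still present in Security.getProviders() and that the PrivateKey object was obtained from that provider, since the DOM signer leaves provider selection to Signature.initSign.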

DO NOT REPLY [Bug 40826] - Private keys must be instance of RSAPrivate or have PKCS#8 encoding

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40826


alon.barlev@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alon.barlev@gmail.com
