I generate an ARCFOUR key like this :
myKeyGenerator= KeyGenerator.getInstance("ARCFOUR");
myKeyGenerator.init(1024);
myKey = myKeyGenerator.generateKey();
and then I want to store it in my KeyStorewith myKeyStore.setKeyEntry(myKeyAlias, myKey, myPassword, null); but it triggers the following error :
Key protection algorithm not found: java.security.NoSuchAlgorithmException: unrecognized algorithm name: ARCFOUR
And I don't understand why as the "ARCFOUR" algorithm is supposed to be supported by my Java implementation (retrieved through the Provider list).
And, with the same code, I don't get any error if I use the "AES" algorithm.
I use PKCS #12 for my KeyStore.
Related
I am trying to encrypt a string using Jasypt 1.9.3 and my JDK version is 1.8.0_281.
This is the code I am have written:
Security.setProperty("crypto.policy", "unlimited");
if (pooledPBEStringEncryptor == null) {
pooledPBEStringEncryptor = new PooledPBEStringEncryptor();
pooledPBEStringEncryptor.setPassword(encryptionKey);
pooledPBEStringEncryptor.setAlgorithm("PBEWITHHMACSHA512ANDAES256");
pooledPBEStringEncryptor.setPoolSize(4);
pooledPBEStringEncryptor.setSaltGenerator(new RandomSaltGenerator());
}
encrypted = pooledPBEStringEncryptor.encrypt(cValue);
But when I run it, I get the error
Exception in thread "main" java.lang.RuntimeException: Security Error in doEncrypt: org.jasypt.exceptions.EncryptionInitializationException: java.security.NoSuchAlgorithmException: PBEWITHHMACSHA512ANDAES256 SecretKeyFactory not available
I ran the AlgorithmRegistry.getAllPBEAlgorithms() and my output is:
PBEWITHHMACSHA1ANDAES_128, PBEWITHHMACSHA1ANDAES_256, PBEWITHHMACSHA224ANDAES_128, PBEWITHHMACSHA224ANDAES_256, PBEWITHHMACSHA256ANDAES_128, PBEWITHHMACSHA256ANDAES_256, PBEWITHHMACSHA384ANDAES_128, PBEWITHHMACSHA384ANDAES_256, PBEWITHHMACSHA512ANDAES_128, PBEWITHHMACSHA512ANDAES_256, PBEWITHMD5ANDDES, PBEWITHMD5ANDTRIPLEDES, PBEWITHSHA1ANDDESEDE, PBEWITHSHA1ANDRC2_128, PBEWITHSHA1ANDRC2_40, PBEWITHSHA1ANDRC4_128, PBEWITHSHA1ANDRC4_40
When I use the algorithm PBEWITHHMACSHA256ANDAES_256 I get a different error.
Exception in thread "main" java.lang.RuntimeException: Security Error in doEncrypt: org.jasypt.exceptions.EncryptionOperationNotPossibleException
I am a little lost as to what to do.
I have downloaded the unlimited policy jars from Oracle and saved them in JAVA_HOME\jre\lib\security\ folder. And I am on Windows.
The code lacks the specification of the IV generator with setIvGenerator(), e.g.:
pooledPBEStringEncryptor.setIvGenerator(new RandomIvGenerator());
By default, NoIvGenerator is used, which causes the exception because the algorithm applies the CBC mode, which requires an IV.
The default salt generator, by the way, is RandomSaltGenerator, so this would not necessarily need to be specified with setSaltGenerator().
The PooledPBEStringEncryptor#encrypt() method returns the Base64 encoded concatenation of salt (16 bytes), IV (16 bytes) and ciphertext.
The exception org.jasypt.exceptions.EncryptionOperationNotPossibleException is a general exception that is generated in many error situations and is therefore not very meaningful, see here. This includes e.g. the missing of the JCE Unlimited Strength Jurisdiction Policy (which however seems to be installed on your system).
For completeness: The algorithm is called PBEWITHHMACSHA512ANDAES_256 (which you have already figured out yourself).
PBEWITHHMACSHA512ANDAES_256 derives a 32 bytes key for AES-256 from password and salt using PBKDF2. HMAC/SHA512 is applied. Since not explicitly specified, the default iteration count of 1000 is used. The algorithm applies the CBC mode for encryption (which is why the IV is needed).
I am getting the exception SignatureException: Signature length not correct: got 64 but was expecting 66 when verifying a signature.
I signed the data on a JavaCard:
Signature signature = Signature.getInstance(Signature.ALG_RSA_MD5_PKCS1, false);
KeyPair key = new KeyPair(KeyPair.ALG_RSA, (short)512);
key.genKeyPair();
signature.init(key.getPrivate(), Signature.MODE_SIGN);
signature.sign(dataToBeSigned, offsetOfData, lengthOfData, outputArray, outputoffset);
And I get the exception when I try to verify the signature in a separate Java program
Signature signature = Signature.getInstance("MD5withRSA");
signature.initVerify(publicKey);
signature.update(dataToBeVerified);
boolean verified = signature.verify(signatureToBeVerified);
It seems that signature.verify() expects a signature of length 66, but the signature generated in the JavaCard applet is only 64 bytes long - I can't work out why this is.
Any help as to why the signature generated is too short, or why signature.verify() expects a longer signature would be greatly appreciated.
Edit to add extra information:
bigIntExp: 65537
bigIntMod:132308419546647374128240292677530807315542691147982039135818279043817855879255964354323446465801763768751278796804645533108455181966328171561226049067030642228779581871262216901734159959403381829035369468203140058451522951118452394154357893479460331007989274416039890367651223156420250223950749870305488385775751757831611317020777731747216787964833937998955451058221004606237913446120467690829592472183785281175197045866416933142014254513781922812566056256864142790656
I've been trying to programatically generate OpenSSH host keys in my Java application, but I'm unable to get a working Ed25519 key in the OpenSSH v1 key format. My current thought is that there's a problem with OpenSSHPrivateKeyUtil, but I'm not sure how to verify that. Here's my current attempt:
import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
import org.bouncycastle.crypto.util.OpenSSHPrivateKeyUtil;
import java.util.Base64;
...
Ed25519PrivateKeyParamters keyParamters = new Ed25519PrivateKeyParamters(new SecureRandom());
byte[] encodedPrivateKey = OpenSSHPrivateKeyUtil.encodePrivateKey(keyParameters);
System.out.println(Base64.getEncoder().encodeToString(encodedPrivateKey));
The output looks like what I'm expecting (similar to the results of an ssh-keygen -t ed25519), but when I put the results into /etc/ssh/sshd_host_ed25519_key (and the corresponding public key into /etc/ssh/sshd_host_ed25519_key.pub), I get the following error from sshd in /var/log/messages:
auth.err: error: Could not load host key: /etc/ssh/sshd_host_ed25519_key
I'm using the following:
centos 7.6
java 1.8.0_212
openssh 7.4p1-16.e17
bouncycastle 1.63
Any help would be appreciated, thanks.
I would like to know whether there exists a public/private key specification (preferrably in Java itself, no external libs) that can do both a KeyAgreement and Signature.
Try elliptic curves:
KeyPairGenerator eckpg = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec p256 = new ECGenParameterSpec("secp256r1");
eckpg.initialize(p256);
KeyPair doubleUseKeyPair = eckpg.generateKeyPair();
KeyAgreement ecdh = KeyAgreement.getInstance("ECDH");
ecdh.init(doubleUseKeyPair.getPrivate());
// ...
Signature ecdsa = Signature.getInstance("SHA256withECDSA");
ecdsa.initSign(doubleUseKeyPair.getPrivate());
// ...
System.out.println(eckpg.getProvider());
System.out.println(ecdh.getProvider());
System.out.println(ecdsa.getProvider());
Should return:
SunEC version 1.7
SunEC version 1.7
SunEC version 1.7
This is on Java 7 from Sun/Oracle of course.
Note that using the same key (pair) two different purposes is considered bad key management by most. It may allow for attacks that uses vulnerabilities in either or a combination in both the algorithms and the protocol. Using the same key type / strength is of course fine.
I would like to share a public key generated on an iPhone/iPad with an Java based Server or an Android device. On the Java side (Server or Android) I would like to use java.security and libcommonCrypto (the SecKeyRef stuff) on iOS.
I've got everything working except the public key exchange between these two platforms. By using SecItemCopyMatching I can only export the public key into some format not supported by anything else then Apple. With Java I can load public keys as X509 certificate (through java.security.X509EncodedKeySpec) or as module and exponent (through java.security.RSAPublicKeySpec).
Now I need to know how to export a SecKeyRef as X509 certificate or (what I guess is the easier solution) get the module and exponent from it. And I also need the way backwards.
Here is some sample public key loaded from a SecKeyRef and encoded to BASE64:
MIGJAoGBAMYgXP6rvD/Y8F0VQE0HvxpVnnOxXYl5TDlOfW/leyrCLWGWg9Jp+Tl9dYvK/zWgNpoEfFzMVRpUk9UHcIaDWHW3g0BpS2MVC3Vs/0e2eu6S2WMGHpzqcJB51jJRbnqXQ23nVKC2YE520Po3EvFyTr8MlFJqTCJrovgc7fze4RI5AgMBAAE=
The protocol Apples libcommonCrypto is using is described in RFC3347 and is the modulus and public exponent as a ASN.1 sequence.
An RSA public key should be represented with the ASN.1 type RSAPublicKey:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
Quote from RFC3347, Ver. 2.1, A.1.1