【问题标题】:BouncyCastle does not find algorithms that it provides?BouncyCastle 找不到它提供的算法?
【发布时间】:2015-10-22 20:56:42
【问题描述】:

我在玩BouncyCastle 1.46 令我惊讶的是,下面 sn-p 中的 catch-block 经常被触发。

Security.addProvider(new BouncyCastleProvider());

final Set<String> found = new HashSet<String>();
final Set<String> missing = new HashSet<String>();

final DefaultSignatureAlgorithmIdentifierFinder finder = new DefaultSignatureAlgorithmIdentifierFinder();
for (Service service : new BouncyCastleProvider().getServices()) {
    if ("Signature".equals(service.getType())) {
        final String algorithm = service.getAlgorithm();
        try {
            finder.find(algorithm);
            found.add(algorithm);
        } catch (IllegalArgumentException ex) {
            missing.add(algorithm);
        }
    }
}

System.out.println("Found: " + found);
System.out.println("Missing: " + missing);

我似乎无法通过 Finder 使用大多数算法,即使存在提供这些算法的服务。我做错了什么?

更新我已经稍微修改了代码以更好地说明问题。可能感兴趣的是我使用的是 JDK1.5 版本的 BouncyCastle。上面的代码给出了这个输出:

Found: [RIPEMD256WithRSAEncryption, MD5WithRSAEncryption, MD2WithRSAEncryption, SHA384WithRSAEncryption, SHA224WITHECDSA, SHA384WITHDSA, SHA256WITHDSA, SHA512WithRSAEncryption, SHA512WITHDSA, RIPEMD160WithRSAEncryption, SHA224WithRSAEncryption, SHA256WITHECDSA, RIPEMD128WithRSAEncryption, SHA384WITHECDSA, SHA256WithRSAEncryption, SHA512WITHECDSA, SHA1WithRSAEncryption, SHA224WITHDSA]

缺少:[SHA1WITHECNR, NONEwithECDSA, ECDSA, SHA512withRSA/PSS, RIPEMD160WITHECDSA, RSA, GOST3410, SHA256WITHECNR, MD5withRSA/ISO9796-2, SHA1WITHCVC-ECDSA, SHA384withRSA/PSS, SHA1withRSA/PSSA, MD4WithRSA512WI, RSAS SHA256WITHCVC-ECDSA, SHA1withRSA/ISO9796-2, SHA224withRSA/PSS, SHA224WITHCVC-ECDSA, RAWRSASSA-PSS, SHA256withRSA/PSS, NONEWITHDSA, SHA384WITHECNR, RIPEMD160withRSA/ISO9796-2, DSA, ECGOST3410, SHA224WITHECNR, 1.2.840.113549.1.1.10]

【问题讨论】:

  • 您可以调试它并在您的问题中添加service.getAlgorithm() 中返回的内容吗?

标签: java security digital-signature bouncycastle


【解决方案1】:

我认为DefaultSignatureAlgorithmIdentifierFinder 是 bcmail API 的一部分。它返回此 API 识别的算法标识符。 (检查Cryptographic Message Syntax)另一方面,有弹性的种姓提供者提供了更多的算法。您可以查看DefaultSignatureAlgorithmIdentifierFinder 的来源,其中识别的算法是硬编码的:

algorithms.put("MD2WITHRSAENCRYPTION", PKCSObjectIdentifiers.md2WithRSAEncryption);
algorithms.put("MD2WITHRSA", PKCSObjectIdentifiers.md2WithRSAEncryption);
algorithms.put("MD5WITHRSAENCRYPTION", PKCSObjectIdentifiers.md5WithRSAEncryption);
algorithms.put("MD5WITHRSA", PKCSObjectIdentifiers.md5WithRSAEncryption);
algorithms.put("SHA1WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha1WithRSAEncryption);
algorithms.put("SHA1WITHRSA", PKCSObjectIdentifiers.sha1WithRSAEncryption);
algorithms.put("SHA224WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha224WithRSAEncryption);
algorithms.put("SHA224WITHRSA", PKCSObjectIdentifiers.sha224WithRSAEncryption);
algorithms.put("SHA256WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha256WithRSAEncryption);
algorithms.put("SHA256WITHRSA", PKCSObjectIdentifiers.sha256WithRSAEncryption);
algorithms.put("SHA384WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha384WithRSAEncryption);
algorithms.put("SHA384WITHRSA", PKCSObjectIdentifiers.sha384WithRSAEncryption);
algorithms.put("SHA512WITHRSAENCRYPTION", PKCSObjectIdentifiers.sha512WithRSAEncryption);
algorithms.put("SHA512WITHRSA", PKCSObjectIdentifiers.sha512WithRSAEncryption);
algorithms.put("SHA1WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA224WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA256WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA384WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("SHA512WITHRSAANDMGF1", PKCSObjectIdentifiers.id_RSASSA_PSS);
algorithms.put("RIPEMD160WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
algorithms.put("RIPEMD160WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd160);
algorithms.put("RIPEMD128WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
algorithms.put("RIPEMD128WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd128);
algorithms.put("RIPEMD256WITHRSAENCRYPTION", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
algorithms.put("RIPEMD256WITHRSA", TeleTrusTObjectIdentifiers.rsaSignatureWithripemd256);
algorithms.put("SHA1WITHDSA", X9ObjectIdentifiers.id_dsa_with_sha1);
algorithms.put("DSAWITHSHA1", X9ObjectIdentifiers.id_dsa_with_sha1);
algorithms.put("SHA224WITHDSA", NISTObjectIdentifiers.dsa_with_sha224);
algorithms.put("SHA256WITHDSA", NISTObjectIdentifiers.dsa_with_sha256);
algorithms.put("SHA384WITHDSA", NISTObjectIdentifiers.dsa_with_sha384);
algorithms.put("SHA512WITHDSA", NISTObjectIdentifiers.dsa_with_sha512);
algorithms.put("SHA1WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA1);
algorithms.put("ECDSAWITHSHA1", X9ObjectIdentifiers.ecdsa_with_SHA1);
algorithms.put("SHA224WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA224);
algorithms.put("SHA256WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256);
algorithms.put("SHA384WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384);
algorithms.put("SHA512WITHECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512);
algorithms.put("GOST3411WITHGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
algorithms.put("GOST3411WITHGOST3410-94", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_94);
algorithms.put("GOST3411WITHECGOST3410", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
algorithms.put("GOST3411WITHECGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);
algorithms.put("GOST3411WITHGOST3410-2001", CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001);

干杯!

【讨论】:

    【解决方案2】:

    您是否将 BouncyCastle 添加到安全提供商?你可以用这一行来做到这一点:

    Security.addProvider(new BouncyCastleProvider());
    

    【讨论】:

    • 是的,我做到了,但我忽略了将它复制到我在这里发布的 sn-p 中。我会更新的。
    【解决方案3】:

    这个答案与 BouncyCastle 没有直接关系。但是,我认为这对其他人有用:

    就我而言,我使用的是 SpongyCastle。我遇到了类似的问题: org.e.h.p:无法创建签名者:提供者 SC 不提供 SHA256WITHRSA 在 org.e.h.a.a.a(SourceFile:101)

    事实证明,proguard 正在删除一些必需的类。在 proguard 配置文件中添加以下内容后: -keep class org.spongycastle.** { *; }

    问题已解决。

    【讨论】:

      【解决方案4】:

      您可以通过两个步骤将 Bouncy Castle 添加到您的 java 平台上的安全提供程序:

      1. 复制 BC 库(当前为 bcpkix-jdk15on-149.jar、bcprov-jdk15on -149.jar) 到目录 $JAVA_HOME/jre/lib/ext/

      2. 注册 BC 提供程序:编辑文件 $JAVA_HOME/ jre/lib/security/java.security 和下一行

      security.provider.1=sun.security.provider.Sun
      

      添加您的 BC 提供商

      security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
      

      更改休息提供者的数量。整个提供程序块应该类似于:

      security.provider.1=sun.security.provider.Sun
      security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
      security.provider.3=sun.security.rsa.SunRsaSign
      security.provider.4=sun.security.ec.SunEC
      security.provider.5=com.sun.net.ssl.internal.ssl.Provider
      security.provider.6=com.sun.crypto.provider.SunJCE
      security.provider.7=sun.security.jgss.SunProvider
      security.provider.8=com.sun.security.sasl.Provider
      security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.10=sun.security.smartcardio.SunPCSC
      

      【讨论】:

        猜你喜欢
        • 2023-03-29
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 2016-10-23
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        相关资源
        最近更新 更多