Matt Hauck
2013-01-05 10:38:57 UTC
I've gotten a little further now and ran into another roadblock. I have a pkcs7 file that is signed and enveloped, and I have the key that was used to decrypt the enveloped contents. I have gotten it working just fine when I add BouncyCastle as a security provider. However, when I do not add BC as a provider, then I get an error:
Exception in thread "main" org.bouncycastle.cms.CMSException: key invalid in message.
    at org.bouncycastle.cms.jcajce.EnvelopedDataHelper.execute(Unknown Source)
    at org.bouncycastle.cms.jcajce.EnvelopedDataHelper.createContentCipher(Unknown Source)
    at org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient.getRecipientOperator(Unknown Source)
    at org.bouncycastle.cms.KeyTransRecipientInformation.getRecipientOperator(Unknown Source)
    at org.bouncycastle.cms.RecipientInformation.getContentStream(Unknown Source)
    at org.bouncycastle.cms.RecipientInformation.getContent(Unknown Source)
    at com.bigfix.mdm.CMSTest.main(CMSTest.java:39)
Caused by: java.security.InvalidKeyException: Wrong algorithm: DESede or TripleDES required
    at com.ibm.crypto.fips.provider.w.a(Unknown Source)
    at com.ibm.crypto.fips.provider.q.a(Unknown Source)
    at com.ibm.crypto.fips.provider.DESedeCipher.a(Unknown Source)
    at com.ibm.crypto.fips.provider.DESedeCipher.a(Unknown Source)
    at com.ibm.crypto.fips.provider.DESedeCipher.engineInit(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at javax.crypto.Cipher.init(Unknown Source)
    at org.bouncycastle.cms.jcajce.EnvelopedDataHelper$1.doInJCE(Unknown Source)
    ... 7 more
This seems strange to me, because my IBMJCEFIPS does indeed have a DESede algorithm. When I try to read / decrypt the same content using JRuby (which uses bouncy castle for its crypto stuff), it appears that it is using the following more specific cipher: DESede/cbc/PKCS5Padding.
It is strange to me that BC's DESede algorithm works but IBM's (and Sun's, btw) apparently does not? The reason I can't just add BC as a provider and be done with it, is for FIPS compatibility, and thus I need to depend on IBM's crypto only.
Is this a known issue? Would you expect to see this disparity? Perhaps I am just doing something wrong? Thanks for any help.
The CMSSignedData:

The key:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The code:
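import java.io.File;
import java.security.PrivateKey;
import java.util.Collection;
import java.util.Iterator;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.RecipientInformationStore;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.util.encoders.Base64;

public class CMSTest {
    public static void main(String[] args) throws Exception {
        // args[0]: base64 CMS SignedData file; args[1]: RSA private key file.
        // KeyStoreUtils is a helper class that is not shown in the post.
        String contents = KeyStoreUtils.readFile(args[0]);
        PrivateKey pk = KeyStoreUtils.readPrivateKey(new File(args[1]), null);
        CMSSignedData sd = new CMSSignedData(Base64.decode(contents));
        // The signed content is itself an encoded EnvelopedData structure.
        CMSEnvelopedData ed = new CMSEnvelopedData(
            (byte[]) sd.getSignedContent().getContent()
        );
        RecipientInformationStore recipients = ed.getRecipientInfos();
        Collection c = recipients.getRecipients();
        Iterator it = c.iterator();
        if (it.hasNext()) {
            RecipientInformation recipient = (RecipientInformation) it.next();
            // Decrypt with the recipient's private key; no provider is set here.
            byte[] recData = recipient.getContent(
                new JceKeyTransEnvelopedRecipient(pk)
            );
            System.out.println(new String(Base64.encode(recData)));
        }
    }
}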
--
Matt Hauck
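
A provider-independent check for the inner InvalidKeyException quoted above, added here as an example and not part of the original post or of Bouncy Castle: it initialises every installed DESede cipher with the same 24 key bytes under different Key.getAlgorithm() labels and reports which labels each provider accepts. That the failing call received a key labelled with the des-ede3-cbc OID is an assumption; the class name, the label list and the test key are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DesedeKeyLabelCheck {
    // Labels to try; the last is the des-ede3-cbc OID (assumed, see lead-in).
    static final String[] LABELS = { "DESede", "TripleDES", "1.2.840.113549.3.7" };

    /** Initialise one provider's DESede cipher with a key carrying the given label. */
    static String probe(Provider p, byte[] rawKey, String label) {
        try {
            Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding", p);
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(rawKey, label),
                   new IvParameterSpec(new byte[8]));
            return "accepted";
        } catch (GeneralSecurityException e) {
            // Covers InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed 24-byte test key, not taken from the post.
        byte[] rawKey = new byte[24];
        for (int i = 0; i < rawKey.length; i++) {
            rawKey[i] = (byte) (i + 1);
        }

        // Every installed provider that registers a DESede cipher (null if none).
        Provider[] providers = Security.getProviders("Cipher.DESede");
        if (providers == null) {
            System.out.println("No installed provider offers Cipher.DESede");
            return;
        }
        for (Provider p : providers) {
            for (String label : LABELS) {
                System.out.printf("%-12s %-20s %s%n",
                                  p.getName(), label, probe(p, rawKey, label));
            }
        }
    }
}
```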