WAS 6.1 IBMJCE provider generating wrong sha256withrsa signature

2

17

We are generating a digital signature (PKCS7) using Java security API. The digest algorithm is SHA-256 and the encryption algorithm is RSA (SHA256withRSA).

Using SunRsaSign provider in the local machine, a signature was generated on some content. Using IBMJCE provider in WAS 8.0.0.2, we were able to generate the same signature on the same content.

However, the problem is, we had to migrate back to WAS 6.1. Now, the signature generated is different from the one generated in the above 2 cases. I checked the message digests created in all 3 cases, and they are the same, but the signature is different in the case of WAS 6.1.

Is there any known issue with WAS 6.1's IBMJCE provider with respect to SHA256withRSA encryption? Any pointers would be greatly appreciated. Thanks

Tridentine answered 11/4, 2013 at 10:4 Comment(5)
+1 for checking the digests were identical. – Mezereon
Did you check the entire CMS format or just the PKCS#1 format? What did you generate the hash over? – Lepidolite
I checked the entire CMS format (PKCS#7). Only the last 4 lines were differing. I understand that the part that is differing in the signature is the encrypted digest, the one that comes after the SIGNING_TIME. (I have been using the same date/time as the SIGNING_TIME_OID). – Tridentine
I tried to create the Signature instance using Signature.getInstance("SHA256withRSA","SunRsaSign"), because the problem seems to be with the IBMJCE provider. But SunRsaSign is not found in WebSphere 6.1. I know that we have to make the sunrsasign entry in the java.security file of WebSphere_home's Java/jre/lib/security folder. But I cannot find the sun.security.rsa package at all in WebSphere. – Tridentine
Apparently, I was able to generate the correct signature using WAS 6.1.0.35. Earlier it was 6.1.0.25. Don't know yet if this was because of any bug or any missing server policy. Thanks all. – Tridentine
1

Is there really a problem? From what I know, this must apply:

signature = sign(message)  
verify(signature) == message  

There is no requirement that all signatures must be the same. So do you really have a problem with verification of those signatures?

Lambent answered 24/11, 2013 at 13:28 Comment(0)
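
A way to run the verification check this answer asks about, as an added example that is not part of the original thread: for every installed provider offering SHA256withRSA it signs constructed content with a throwaway key, verifies the result with the default provider, and recovers the PKCS#1 v1.5 DigestInfo with the public key to compare it against the standard SHA-256 encoding. The class name, key and content are assumptions; recovering the block through `Cipher` in DECRYPT_MODE with a public key works with SunJCE and is only assumed to work with other providers.

```java
import java.security.*;
import javax.crypto.Cipher;

public class SignatureProviderCheck {
    // DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2); the 32-byte digest follows it.
    static final String SHA256_PREFIX = "3031300d060960864801650304020105000420";

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < b.length; i++) sb.append(String.format("%02x", b[i] & 0xff));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: throwaway key pair and content, not values from the question.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] content = "constructed sample content".getBytes("UTF-8");
        String expected = SHA256_PREFIX + hex(MessageDigest.getInstance("SHA-256").digest(content));

        for (Provider p : Security.getProviders()) {
            if (p.getService("Signature", "SHA256withRSA") == null) continue;
            byte[] sig; boolean verifies; String recovered;
            try {
                Signature signer = Signature.getInstance("SHA256withRSA", p);
                signer.initSign(kp.getPrivate());
                signer.update(content);
                sig = signer.sign();
            } catch (GeneralSecurityException e) { continue; } // provider cannot use this software key
            // 1. Does the signature verify under the default (highest-priority) provider?
            try {
                Signature verifier = Signature.getInstance("SHA256withRSA");
                verifier.initVerify(kp.getPublic());
                verifier.update(content);
                verifies = verifier.verify(sig);
            } catch (SignatureException e) { verifies = false; }
            // 2. Undo the RSA operation with the public key to see which block was actually signed.
            try {
                Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
                rsa.init(Cipher.DECRYPT_MODE, kp.getPublic());
                recovered = hex(rsa.doFinal(sig));
            } catch (GeneralSecurityException e) { recovered = "unrecoverable: " + e; }
            System.out.println(p.getName() + " verifies=" + verifies
                    + " standardDigestInfo=" + expected.equals(recovered));
        }
    }
}
```

A provider that reports `verifies=false` or `standardDigestInfo=false` is producing a signature block that other implementations will not accept, even when the message digest itself matches.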
0

We had the same issue and we forced WebSphere to use SunJCE. Here are the steps.

So in the IBM WebSphere console go to Application servers > server > Process definition > Java Virtual Machine

Look for Generic JVM arguments and add the following.

-DamCryptoDescriptor.provider=SunJCE -DamKeyGenDescriptor.provider=SunJCE

Then copied

C:\JAVA\jdk1.6.0_34\jre\lib\ext\sunjce_provider.jar  

To

C:\Program Files\IBM\SDP\runtimes\base_v7\java\jre\lib\ext\sunjce_provider.jar  

Change

C:\Program Files\IBM\SDP\runtimes\base_v7\java\jre\lib\security\java.security

By adding the following Sun providers to the list of providers in the java.security file.

#This will help Websphere to load 
security.provider.13=com.sun.crypto.provider.SunJCE
security.provider.14=sun.security.provider.Sun
security.provider.15=sun.security.rsa.SunRsaSign
security.provider.16=sun.security.jgss.SunProvider

Hope this helps.

Rounder answered 9/1, 2014 at 16:2 Comment(0)
