OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - NoSuchAlgorithmException from "BCFIPS" provider


OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - NoSuchAlgorithmException from "BCFIPS" provider

Sabalpara, Mrugesh

Hi,

Facing an issue that may be known and straightforward for you :)

I recently started working with bc-fips-1.0.1.jar and got tangled in a situation: OCSP validation with a certificate whose signature algorithm is SHA256WithRSA.

NOTE: Referring to https://www.bouncycastle.org/fips-java/BCFipsIn100.pdf [Example 55 – Creating an OCSP Request & Example 56 – Creating an OCSP Response]

The server provides a certificate with signature algorithm SHA256WithRSA. Hence I pass SHA256WithRSA to the DigestCalculatorProvider to get a digest calculator and generate the CertID while creating the OCSP request, which returned a “NoSuchAlgorithmException”.

When I saw “No such algorithm exception for SHA256WithRSA”, I tried to add it as below:

import java.security.Security;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public static BouncyCastleFipsProvider bc = null;

static {
    bc = new BouncyCastleFipsProvider();
    // attempted workaround: register SHA256WITHRSA with the FIPS provider
    bc.put("SHA256WITHRSA", PKCSObjectIdentifiers.sha256WithRSAEncryption);
    Security.addProvider(bc);
}


I set the “bc” object as the provider to validate the server certificate in the OCSPRequest and OCSPResponse methods.

In the OCSPRequest method:

I used AlgorithmIdentifier to get the required algorithm and passed it in:

{
    // digest calculator provider backed by the FIPS provider
    DigestCalculatorProvider digCalcProv =
        new JcaDigestCalculatorProviderBuilder().setProvider(bc).build();
    // algorithm identifier for the certificate's signature algorithm
    AlgorithmIdentifier algorithmIdentifier =
        new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption);
    // CertID for the certificate under check, hashed with the calculator above
    CertificateID certId =
        new JcaCertificateID(digCalcProv.get(algorithmIdentifier), caCert, certToCheck.getSerialNumber());
}

In the OCSPResponse method:

{
    // verifier provider backed by the FIPS provider, keyed on the CA's public key
    new JcaContentVerifierProviderBuilder().setProvider(bc).build(caCert.getPublicKey())
}


org.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider BCFIPS
        at org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder$1.get(Unknown Source)
        at syslog.OCSPValidator.makeOcspRequest(OCSPValidator.java:62)
        ………
        ………..
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider BCFIPS
        at sun.security.jca.GetInstance.getService(GetInstance.java:101)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
        at java.security.Security.getImpl(Security.java:724)
        at java.security.MessageDigest.getInstance(MessageDigest.java:275)
        at org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createDigest(Unknown Source)
        at org.bouncycastle.operator.jcajce.OperatorHelper.createDigest(Unknown Source)
        ... 21 more

Please let me know if anything is incorrect in my understanding.

Thank you.

Regards,

Mrugesh
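The stack trace above bottoms out in MessageDigest.getInstance: the DigestCalculatorProvider is being asked for a message digest named SHA256WITHRSA, which is the name of a signature algorithm, not of a digest, so no provider can satisfy it. A CertID (RFC 6960) identifies the certificate by hashing the issuer's name and public key, so its hashAlgorithm must be a digest OID (SHA-1 is the traditional choice and is what Example 55 uses via CertificateID.HASH_SHA1; SHA-256 also works); the algorithm the server's certificate was signed with does not enter into it. The following is an added example, not code from the post or from the Bouncy Castle project, showing both the request and the response side on bc-fips plus bcpkix-fips only. The class name OcspCheck, the method names and the responderKey parameter are this example's own; caCert and certToCheck are used in the same sense as in the post, and the caller is assumed to have already established that responderKey belongs to the CA itself or to a responder certificate issued by that CA with the id-kp-OCSPSigning extended key usage.

```java
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Added example (not the post's or Bouncy Castle's own code). Class and method
// names are assumptions for illustration; only bc-fips and bcpkix-fips are needed.
public class OcspCheck {
    // One FIPS provider instance, registered once; no bcprov on the class path.
    static final Provider BCFIPS = new BouncyCastleFipsProvider();
    static { Security.addProvider(BCFIPS); }

    // CertID.hashAlgorithm is a digest OID: it hashes the issuer name and key.
    // The certificate's own signature algorithm (SHA256WithRSA) plays no part.
    static final AlgorithmIdentifier CERTID_DIGEST =
        new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);

    // The check behind the exception: SHA256WITHRSA is a Signature service,
    // not a MessageDigest service, so returns {false, true} for BCFIPS.
    static boolean[] sha256WithRsaRoles(Provider p) {
        boolean isDigest = p.getService("MessageDigest", "SHA256WITHRSA") != null;
        boolean isSignature = p.getService("Signature", "SHA256WITHRSA") != null;
        return new boolean[] { isDigest, isSignature };
    }

    // Builds the CertID with a digest calculator, as the OCSP API expects.
    static CertificateID certId(X509Certificate caCert, X509Certificate certToCheck)
            throws Exception {
        DigestCalculatorProvider digCalcProv =
            new JcaDigestCalculatorProviderBuilder().setProvider(BCFIPS).build();
        return new JcaCertificateID(digCalcProv.get(CERTID_DIGEST), caCert,
                                    certToCheck.getSerialNumber());
    }

    // DER-encoded OCSPRequest to POST to the responder.
    static byte[] buildRequest(X509Certificate caCert, X509Certificate certToCheck)
            throws Exception {
        OCSPReq req = new OCSPReqBuilder().addRequest(certId(caCert, certToCheck)).build();
        return req.getEncoded();
    }

    // True only if the response is signed by responderKey, answers for exactly
    // the CertID asked about, reports GOOD, and is valid at 'now'. Any other
    // condition (error status, bad signature, revoked, unknown, stale) is false.
    static boolean isGood(byte[] responseDer, PublicKey responderKey,
                          X509Certificate caCert, X509Certificate certToCheck, Date now)
            throws Exception {
        OCSPResp resp = new OCSPResp(responseDer);
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) return false;
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();

        // Signature check first: the verifier is built from the responder's key,
        // which the caller has already tied to the CA (directly or via an
        // id-kp-OCSPSigning certificate issued by the CA).
        ContentVerifierProvider verifier =
            new JcaContentVerifierProviderBuilder().setProvider(BCFIPS).build(responderKey);
        if (!basic.isSignatureValid(verifier)) return false;

        CertificateID expected = certId(caCert, certToCheck);
        for (SingleResp single : basic.getResponses()) {
            if (!single.getCertID().equals(expected)) continue;        // not our cert
            if (single.getCertStatus() != CertificateStatus.GOOD) return false; // GOOD is null
            Date thisUpdate = single.getThisUpdate();
            Date nextUpdate = single.getNextUpdate();                    // may be absent
            return !thisUpdate.after(now) && (nextUpdate == null || now.before(nextUpdate));
        }
        return false; // responder did not answer for the CertID we sent
    }
}
```

sha256WithRsaRoles(OcspCheck.BCFIPS) makes the point David raises below concrete: the algorithm is supported, but as a Signature; asking the digest side for it is what fails. isGood deliberately returns false rather than throwing on any failed check so a caller cannot mistake an exception path for a positive result; a production client would additionally send a nonce extension and require it back in the response.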


Re: OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - NoSuchAlgorithmException from "BCFIPS" provider

David Hook-3
Hi Mrugesh,

The algorithm is definitely supported. I suspect something else might be going on - the bcprov jar isn't in the class path as well, is it?

Thanks,

David

On 25/2/19 11:41 pm, Sabalpara, Mrugesh wrote:



RE: OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - NoSuchAlgorithmException from "BCFIPS" provider

Sabalpara, Mrugesh

Hi David,

We are using bc-fips-1.0.1.jar & bcpkix-fips-1.0.1.jar. We don’t use the bcprov.jar file.

Will it work with the current jars?

Regards,

Mrugesh

 

 

From: David Hook <[hidden email]>
Sent: Tuesday, February 26, 2019 11:46 AM
To: Sabalpara, Mrugesh <[hidden email]>; [hidden email]
Subject: Re: [dev-crypto] OCSP - unable to verify with algorithm SHA256WithRSA signed server certificate - NoSuchAlgorithmException from "BCFIPS" provider
