PROBLEM WITH GENERATING CERTIFICATES

PROBLEM WITH GENERATING CERTIFICATES

Jenny Degtiar

Hi,

I’m using Bouncy Castle FIPS (bc-fips-1.0.0.jar).

I’m trying to generate a list of certificates using CertificateFactory.class, method engineGenerateCertificate (also tried method engineGenerateCertificates): when using the method with one certificate it works properly, however, when I try to use the method with two certificates chained together – it fails.

This problem does not occur on non-FIPS Bouncy Castle.

 

My input is a byte array representing the following:

-----BEGIN CERTIFICATE-----
[SOME TEXT HERE]

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[SOME TEXT HERE]

-----END CERTIFICATE-----

The method reads the first certificate properly; when it moves to the next certificate, it skips the first character (“-”), reads the first line as “----BEGIN CERTIFICATE-----” (4 hyphens instead of 5 at the beginning of the string), continues reading the input stream searching for the exact text of -----BEGIN CERTIFICATE-----, and exits with certificate NULL.

More specifically:

When finishing with the first certificate generation – the PushbackInputStream holds the first hyphen and is positioned on the second hyphen of the second certificate. (Marked in red)

-----BEGIN CERTIFICATE-----
[SOME TEXT HERE]

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[SOME TEXT HERE]

-----END CERTIFICATE-----

On moving to the second certificate generation, after initializing the PushbackInputStream and reading the second hyphen, it is positioned on the third hyphen of the second certificate – therefore skips the first hyphen.

 

Is it a known bug? Is there a fix to this issue?

I would appreciate your help.

Thanks,

Jenny.
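
A minimal Java model of the behaviour described in the message above, added here as an illustration; it is not Bouncy Castle code, and `parseOne`, `readLine` and the placeholder block bodies are assumptions. It shows how a byte pushed back into one PushbackInputStream is lost when the next call wraps the same underlying stream in a new one, and that keeping a single wrapper for the whole stream preserves it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;

public class PushbackLossDemo {
    // Constructed sample input: two PEM-style blocks with placeholder bodies.
    static final String BUNDLE =
        "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" +
        "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";

    // Reads one '\n'-terminated line; returns null at end of stream.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1 && c != '\n') sb.append((char) c);
        return (c == -1 && sb.length() == 0) ? null : sb.toString();
    }

    // Hypothetical parser: returns the body of one block, or null when the
    // header line is not recognised. After the END line it peeks one byte
    // ahead and pushes it back into the wrapper it was given.
    static String parseOne(PushbackInputStream in) throws IOException {
        String header = readLine(in);
        if (!"-----BEGIN CERTIFICATE-----".equals(header)) return null;
        StringBuilder body = new StringBuilder();
        String line;
        while ((line = readLine(in)) != null
                && !line.equals("-----END CERTIFICATE-----")) body.append(line);
        int peek = in.read();            // look ahead for another block
        if (peek != -1) in.unread(peek); // byte now lives only in this wrapper
        return body.toString();
    }

    public static void main(String[] args) throws IOException {
        byte[] data = BUNDLE.getBytes(StandardCharsets.US_ASCII);

        // Pattern from the report: a fresh wrapper per call over the same
        // underlying stream, so the pushed-back hyphen is dropped.
        InputStream raw = new ByteArrayInputStream(data);
        String a1 = parseOne(new PushbackInputStream(raw));
        String a2 = parseOne(new PushbackInputStream(raw));
        System.out.println("fresh wrapper per call: " + a1 + ", " + a2);

        // One wrapper kept for the whole stream retains the pushed-back byte.
        PushbackInputStream shared =
            new PushbackInputStream(new ByteArrayInputStream(data));
        String b1 = parseOne(shared);
        String b2 = parseOne(shared);
        System.out.println("shared wrapper: " + b1 + ", " + b2);
    }
}
```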

 

Re: PROBLEM WITH GENERATING CERTIFICATES

martijn.list
Hi Jenny,

This is a known issue. See http://www.bouncycastle.org/jira/browse/BJA-670

Kind regards,

Martijn Brinkers

On 05/30/2017 01:51 PM, Jenny Degtiar wrote:

> Hi,
>
> I’m using Bouncy Castle FIPS (bc-fips-1.0.0.jar).
>
> I’m trying to generate a list of certificates using
> CertificateFactory.class, method engineGenerateCertificate (also tried
> method engineGenerateCertificates): when using the method with one
> certificate it works properly, however, when I try to use the method
> with two certificates chained together – it fails.
>
> This problem does not occur on non-FIPS Bouncy Castle.
>
>  
>
> My input is a byte array representing the following:
>
> -----BEGIN CERTIFICATE-----
> [SOME TEXT HERE]
>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> [SOME TEXT HERE]
>
> -----END CERTIFICATE-----
>
> The method reads the first certificate properly; when it moves to the
> next certificate, it skips the first character (“-”), reads the first
> line as “----BEGIN CERTIFICATE-----” (4 hyphens instead of 5 at the
> beginning of the string), continues reading the input stream searching
> for the exact text of -----BEGIN CERTIFICATE-----, and exits with
> certificate NULL.
>
> More specifically:
>
> When finishing with the first certificate generation – the
> PushbackInputStream holds the first hyphen and is positioned on the second
> hyphen of the second certificate. (Marked in red)
>
> -----BEGIN CERTIFICATE-----
> [SOME TEXT HERE]
>
> -----END CERTIFICATE-----
>
> -*-*---BEGIN CERTIFICATE-----
> [SOME TEXT HERE]
>
> -----END CERTIFICATE-----
>
> On moving to the second certificate generation, after initializing the
> PushbackInputStream and reading the second hyphen, it is positioned on
> the *third* hyphen of the second certificate – therefore skips the first
> hyphen.
>
>  
>
> Is it a known bug? Is there a fix to this issue?
>
> I would appreciate your help.
>
> Thanks,
>
> Jenny.
>
>  
>


--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail


RE: PROBLEM WITH GENERATING CERTIFICATES

Jenny Degtiar
Hi Martijn,
Do you know when the 1.0.1 version containing the fix will be available?

Thanks!


-----Original Message-----
From: martijn.list [mailto:[hidden email]]
Sent: Tuesday, May 30, 2017 3:09 PM
To: Jenny Degtiar <[hidden email]>; [hidden email]
Subject: Re: [dev-crypto] PROBLEM WITH GENERATING CERTIFICATES

Hi Jenny,

This is a known issue. See http://www.bouncycastle.org/jira/browse/BJA-670

Kind regards,

Martijn Brinkers



Re: PROBLEM WITH GENERATING CERTIFICATES

David Hook-3

Hi Jenny,

1.0.1 has just gone into testing and is currently with the lab.

If Imperva had a support agreement, or were a substantial donor, you
could get access to it now.

Apologies if others on the list feel I'm starting to bang on about this
a bit, but the maths on our FIPS effort, even this project in general,
is pretty simple now.

It's costing real money and real resources - we're trying to keep the
software free, but everything required to do that comes with a price.

Regards,

David

On 30/05/17 22:16, Jenny Degtiar wrote:

> Hi Martijn,
> Do you know when the 1.0.1 version containing the fix will be available?
>
> Thanks!
>
>
> -----Original Message-----
> From: martijn.list [mailto:[hidden email]]
> Sent: Tuesday, May 30, 2017 3:09 PM
> To: Jenny Degtiar <[hidden email]>; [hidden email]
> Subject: Re: [dev-crypto] PROBLEM WITH GENERATING CERTIFICATES
>
> Hi Jenny,
>
> This is a known issue. See http://www.bouncycastle.org/jira/browse/BJA-670
>
> Kind regards,
>
> Martijn Brinkers
>