Signing pre-created digest using SunMSCAPI

The digest is created on one server and passed to another server for signing using tokens/dongles. The Cipher APIs work fine with the PKCS11 provider.

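    import javax.crypto.Cipher;
    import org.bouncycastle.asn1.x509.DigestInfo;
    import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;

    // pk: private key from the token; hash: SHA-256 digest received from the other server
    Cipher c = Cipher.getInstance("RSA");
    c.init(Cipher.ENCRYPT_MODE, pk);

    // Wrap the digest in a DER-encoded DigestInfo (AlgorithmIdentifier + digest), then "encrypt" it
    DigestInfo di = new DigestInfo(new DefaultDigestAlgorithmIdentifierFinder().find("SHA-256"), hash);
    byte[] digestInfo = di.getEncoded();
    byte[] data = c.doFinal(digestInfo);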

But when using the Cipher APIs with the SunMSCAPI provider, the private key is treated as a public key, the token password is not asked for, and validation of the generated signature fails. Also, using Cipher with a private key is not the right approach (also discussed here: https://bugs.openjdk.java.net/browse/JDK-7050158).

How can I use the Signature API while avoiding creating the digest again? The output received from "NONEWithRSA" will not be right, as my digest is SHA-256, and signature verification will fail.

I tried reading the source code of SunMSCAPI. When using "NONEWithRSA", it determines the digest type from the digest length. For signatures, the DigestInfo (AlgorithmId + digest) has to be signed, hence the data passed to the Signature API is longer than the digest length, and SunMSCAPI throws an error that the data length is not supported for the passed digest.

It looks like, for signing, it's not possible to use a pre-created digest with the SunMSCAPI provider, although the same works fine with the PKCS11 provider.
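Added example, not part of the original post: it shows the relationship the question relies on, namely that signing a SHA-256 DigestInfo with "NONEwithRSA" yields a signature that verifies as ordinary "SHA256withRSA" over the original data. It assumes a throwaway software RSA key and the JDK's default providers, so it does not exercise SunMSCAPI or a token; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;

public class PrehashedSignDemo {
    // DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2); the 32-byte digest follows it.
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    // Builds AlgorithmIdentifier + digest without needing an ASN.1 library.
    static byte[] digestInfo(byte[] sha256) {
        if (sha256.length != 32) {
            throw new IllegalArgumentException("expected a 32-byte SHA-256 digest");
        }
        byte[] out = new byte[SHA256_DIGEST_INFO_PREFIX.length + sha256.length];
        System.arraycopy(SHA256_DIGEST_INFO_PREFIX, 0, out, 0, SHA256_DIGEST_INFO_PREFIX.length);
        System.arraycopy(sha256, 0, out, SHA256_DIGEST_INFO_PREFIX.length, sha256.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway software key stands in for the token key (assumption).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] document = "constructed sample document".getBytes(StandardCharsets.UTF_8);
        // First server: computes only the digest.
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(document);

        // Second server: signs the DigestInfo as-is, with no re-hashing.
        Signature signer = Signature.getInstance("NONEwithRSA");
        signer.initSign(kp.getPrivate());
        signer.update(digestInfo(hash));
        byte[] sig = signer.sign();

        // Any verifier: ordinary SHA256withRSA over the original document.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(document);
        System.out.println("verifies as SHA256withRSA: " + verifier.verify(sig));
    }
}
```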
