
RE: [iaik-jce] Help! BadPaddingException when decrypting PKCS12



Keith,

Thanks again for your time.  Your results were very interesting.  Using
Microsoft's VM (JDK 1.1.4, I think) I cannot parse the certificates.  Using
Solaris JCE 1.2.1, you can.

I decided to try using the JDK 1.3 VM.  To my surprise, it worked!  It
appears that the IAIK JCE versions 2.5.1 and 2.6 do not work well inside the
current Microsoft VM.

Here's what I've found so far:

Operating System  JDK             IAIK JCE  PKCS12 parsing result
================  ==============  ========  =====================
Windows 2000      JavaSoft 1.3    2.6       success
Solaris           JavaSoft 1.2.1  2.6       success
Windows 2000      MS 1.1.4        2.5.1     ArrayIndexOutOfBoundsException
Windows 2000      MS 1.1.4        2.6       BadPaddingException

I wonder what IAIK would say about this.  I have already opened two bugs,
one for JCE 2.5.1, another for JCE 2.6, but they have not yet responded.


Paul

> -----Original Message-----
> From: Keith Wiseman [mailto:keith@digsigtrust.com]
> Sent: Tuesday, August 22, 2000 11:50 AM
> To: Paul Williams
> Subject: Re: [iaik-jce] Help! BadPaddingException when decrypting PKCS12
> 
> 
> I was able to get my program to run with your cert with the 
> IAIK JCE 2.6 (eval version). With the
> correct password I get:
> 
> > java help
> ***                                                                       ***
> ***                    Welcome to the IAIK JCE Library                    ***
> ***                                                                       ***
> *** This version of IAIK JCE is licensed for educational and research use ***
> *** and evaluation only. Commercial use of this software is prohibited.   ***
> *** For details please see http://jcewww.iaik.at/legal/license.htm .      ***
> *** This message does not appear in the registered commercial version.    ***
> ***                                                                       ***
> 
> Cert: Version: 3
> Serial number: 0
> Signature algorithm: md5WithRSAEncryption
> Issuer: CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
> Valid not before: Wed Jul 31 18:00:00 MDT 1996
>       not after: Thu Dec 31 14:59:59 MST 2020
> Subject: CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
> public exponent: 10001
> modulus:
> b57d906f8eb3ac7f0ce866fad29441fcd53161a113de6c16612d90c3135f66
> 62e27ea2e81bf3a11789e678f3b752c572abb811493d262db47a028a7e6a91
> ce64052cfefed6789275f244504edc298e3442823df76ef43d3acb8c979a31
> c0a5f80625fa40fe44be41b6e28a5373eead872c0acadee9a4ef8cc72aa5324e19e48f
> 
> Extensions: 1
> Certificate Fingerprint: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
> 
> 
> with the incorrect password I get:
> 
> > java help
> ***                                                                       ***
> ***                    Welcome to the IAIK JCE Library                    ***
> ***                                                                       ***
> *** This version of IAIK JCE is licensed for educational and research use ***
> *** and evaluation only. Commercial use of this software is prohibited.   ***
> *** For details please see http://jcewww.iaik.at/legal/license.htm .      ***
> *** This message does not appear in the registered commercial version.    ***
> ***                                                                       ***
>
> Exception in thread "main" iaik.pkcs.PKCSException: Unable to decrypt PrivateKey!
>         at java.lang.Throwable.fillInStackTrace(Native Method)
>         at java.lang.Throwable.fillInStackTrace(Compiled Code)
>         at java.lang.Throwable.<init>(Compiled Code)
>         at java.lang.Exception.<init>(Exception.java:42)
>         at iaik.pkcs.PKCSException.<init>(Unknown Source)
>         at iaik.pkcs.pkcs12.AuthenticatedSafe.decrypt(Compiled Code)
>         at iaik.pkcs.pkcs12.PKCS12.decrypt(Compiled Code)
>         at help.main(help.java:7)
> 
> 
> I'm using java version 1.2.1 on Solaris.
> 
> Good luck,
> Keith
> 
> 
> 
> Paul Williams wrote:
> 
> > Keith,
> >
> > Thank you for responding.
> >
> > Using your same code, I cannot decode my certificates with the IAIK JCE 2.6.
> > What version are you using?
> >
> > If you're using JCE 2.5 or 2.5.1, try decoding the certificates with the
> > wrong password.  For example, for the certificate with password "test", try
> > using "te" and "tes".  You should get an ArrayIndexOutOfBoundsException (see
> > my earlier post in the list archives).
> >
> > Anyway, it's time I opened a support ticket.  Thanks again.
> >
> > > -----Original Message-----
> > > From: Keith Wiseman [mailto:keith@digsigtrust.com]
> > > Sent: Monday, August 21, 2000 8:02 PM
> > > To: Paul Williams
> > > Cc: 'iaik-jce@iaik.tu-graz.ac.at'
> > > Subject: Re: [iaik-jce] Help! BadPaddingException when
> > > decrypting PKCS12
> > >
> > >
> > > Here is a sample application that will open one of the certs
> > > you included:
> > >
> > > class help {
> > >
> > >   public static void main(String argv[]) throws Exception {
> > >     iaik.security.provider.IAIK.addAsProvider(false);
> > >
> > >     iaik.pkcs.pkcs12.PKCS12 p12 = new iaik.pkcs.pkcs12.PKCS12(new java.io.FileInputStream("testcert.pfx"));
> > >     p12.decrypt("test".toCharArray());
> > >
> > >     iaik.pkcs.pkcs12.CertificateBag[] certbag = p12.getCertificateBags();
> > >     iaik.x509.X509Certificate EECert = iaik.pkcs.pkcs12.CertificateBag.getCertificates(certbag)[certbag.length-1];
> > >     System.out.println("Cert: " + EECert.toString());
> > >   }
> > >
> > > }
> > >
> > >
> > >
> > > Paul Williams wrote:
> > >
> > > > Since nobody has responded so far, let me provide an example of a
> > > > certificate that generates BadPaddingExceptions.  The attached files are the
> > > > same RSA 1024-bit certificate exported using Microsoft's Certificate Export
> > > > Wizard.  For one, I entered no password.  On the other, I entered the
> > > > password "test".  On both, I chose to export the private key, and I did not
> > > > choose strong encryption.
> > > >
> > > > Is there something wrong with these PKCS 12 files?  I regret that I am not a
> > > > PKI expert.  I do not yet understand the PKCS formats.
> > > >
> > > > I would greatly appreciate someone trying to load these certificates.  I get
> > > > a BadPaddingException using JCE 2.6 (the exception thrown to my code is a
> > > > PKCSException, but the first exception thrown in the IAIK provider code is a
> > > > BadPaddingException).  I get an ArrayIndexOutOfBoundsException using JCE
> > > > 2.5.1 (see my earlier post in the list archives).
> > > >
> > > > Thank you for your time,
> > > >
> > > > Paul
> > > >
> > > > P.S. - My deadline for fixing this problem is Friday.  :(
> > > >
> > > > > -----Original Message-----
> > > > > From: Paul Williams [mailto:paulw@alibre.com]
> > > > > Sent: Thursday, August 17, 2000 11:08 AM
> > > > > To: 'iaik-jce@iaik.tu-graz.ac.at'
> > > > > Subject: RE: [iaik-jce] Help! BadPaddingException when
> > > > > decrypting PKCS12
> > > > >
> > > > >
> > > > > Sorry, I forgot to mention that my code does call
> > > > > IAIK.addAsProvider(false);
> > > > > at the beginning of my program.  I am using Microsoft's
> > > > > latest Java VM,
> > > > > which I believe is somewhere around JDK 1.1.4.  My OS is
> > > > > Windows 2000 SP 1.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Paul Williams
> > > > > > Sent: Wednesday, August 16, 2000 7:33 PM
> > > > > > To: iaik-jce@iaik.tu-graz.ac.at
> > > > > > Subject: Help! BadPaddingException when decrypting PKCS12
> > > > > >
> > > > > >
> > > > > > Hello all,
> > > > > >
> > > > > > I'm using the IAIK JCE 2.6 and the iSaSiLk toolkit version
> > > > > > 3.01.  I am getting a BadPaddingException when decrypting a
> > > > > > PKCS12 file.  The exception thrown to my program is a
> > > > > > PKCSException saying "Unable to decrypt private key!".  I use
> > > > > > Visual J++; this IDE lets me break on every exception thrown,
> > > > > > so I was able to see the actual problem was a
> > > > > > BadPaddingException.  The stack trace is:
> > > > > >
> > > > > >     iaik.security.cipher.l.b(param0, param1, param2)
> > > > > >     iaik.security.cipher.BufferedCipher.a(param0, param1, param2, param3, param4, param5)
> > > > > >     iaik.security.cipher.BufferedCipher.engineDoFinal(param0, param1, param2)
> > > > > >     javax.crypto.Cipher.doFinal(param0)
> > > > > >     iaik.pkcs.pkcs8.EncryptedPrivateKeyInfo.decrypt(param0)
> > > > > >     iaik.pkcs.pkcs12.PKCS8ShroudedKeyBag.decrypt(param0)
> > > > > >     iaik.pkcs.pkcs12.AuthenticatedSafe.decrypt(param0)
> > > > > >     iaik.pkcs.pkcs12.PKCS12.decrypt(param0)
> > > > > >
> > > > > > This exception happens with every PKCS12 certificate I
> > > > > > attempt to decrypt, whether or not the password is correct.
> > > > > > The PKCS12 file was generated from Microsoft's Certificate
> > > > > > Export Wizard and includes both the private and public keys.
> > > > > > I did not choose the "enhanced security" setting in the
> > > > > > wizard.  Windows is able to load these PKCS12 certificates.
> > > > > >
> > > > > > The code I use follows the examples given by the documentation:
> > > > > >
> > > > > >     FileInputStream fileIn = new FileInputStream (file);
> > > > > >     BufferedInputStream in = new BufferedInputStream (fileIn);
> > > > > >     PKCS12 pkcs12 = new PKCS12 (in);
> > > > > >     String password = "test";
> > > > > >     pkcs12.verify (password.toCharArray ());
> > > > > >     pkcs12.decrypt (password.toCharArray ());
> > > > > >
> > > > > > I expected IAIK's JCE to be able to parse any PKCS12 file.
> > > > > > What is wrong?  The messages I read in the archives mentioned
> > > > > > problems matching public keys to private keys, but I'm not
> > > > > > doing that here.
> > > > > >
> > > > > > The PKCS12.toString () method returns
> > > > > >
> > > > > >     PKCS#12 object:
> > > > > >     Version: 3
> > > > > >     AuthenticatedSafe: 0
> > > > > >     mode: UNENCRYPTED
> > > > > >
> > > > > >     SafeBag: 0
> > > > > >     PKCS8ShroudedKeyBag: not decrypted yet!
> > > > > >
> > > > > >     AuthenticatedSafe: 1
> > > > > >     mode: PASSWORD_ENCRYPTED
> > > > > >     Content encrypted with: PbeWithSHAAnd40BitRC2-CBC
> > > > > >     No SafeBags or not decrypted yet.
> > > > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > Name: Test Certificate Weak Encryption 'test'.pfx
> > > > Type: Personal Information Exchange (application/x-pkcs12)
> > > > Encoding: base64
> > > >
> > > > Name: Test Certificate Weak Encryption NoPwd.pfx
> > > > Type: Personal Information Exchange (application/x-pkcs12)
> > > > Encoding: base64
> > >
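
The thread turns on telling a wrong password apart from a parser or VM fault. The following is an added example, not code from the thread or from IAIK: it cross-checks a PKCS#12 store against the JDK's built-in `PKCS12` `KeyStore` (Java 8 or later) instead of the IAIK API and classifies each load attempt. The class name `P12PasswordCheck` and the in-memory sample store are constructed for illustration; the passwords "test", "tes" and "te" mirror those tried in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

// Added example (hypothetical class name). Uses the JDK's built-in PKCS12
// KeyStore, not the IAIK classes discussed in the thread.
public class P12PasswordCheck {

    // Build a small PKCS#12 store in memory so the example runs offline.
    // Constructed sample data: one freshly generated AES key entry.
    static byte[] buildSample(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setEntry("sample", new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Classify one load attempt: OK, WRONG_PASSWORD or OTHER_FAILURE.
    static String classify(byte[] p12, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(p12), password);
            return "OK (" + ks.size() + " entries)";
        } catch (IOException e) {
            // KeyStore.load documents this cause for an incorrect password.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return "WRONG_PASSWORD";
            }
            return "OTHER_FAILURE: " + e;   // format or I/O problem
        } catch (Exception e) {
            return "OTHER_FAILURE: " + e;   // provider or algorithm problem
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] p12 = buildSample("test".toCharArray());
        for (String pw : new String[] {"test", "tes", "te"}) {
            System.out.println("\"" + pw + "\" -> " + classify(p12, pw.toCharArray()));
        }
    }
}
```

To check a real file, pass its bytes to `classify` in place of the constructed sample. A failure reported for every password, including the correct one, points at the parser or runtime rather than the password.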