0

我正在尝试授权在 JRockit 6 上运行的旧 JBoss 5 使用 Let's encrypt 证书访问 CAS 服务器。

问题是JDK6不支持Let's encrypt,所以我将根证书添加cacerts文件中。

现在的问题是 JDK 6 不理解这么大的密钥 ( java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)),因此我尝试通过将bcprov-jdk15on-1.61.jar&添加bctls-jdk15on-1.61.jar$JAVA_HOME/jre/lib/ext文件夹并添加org.bouncycastle.jce.provider.BouncyCastleProvider&作为文件org.bouncycastle.jsse.provider.BouncyCastleJsseProvider中的第一个安全提供程序来切换到 Bouncy Castle JCE/JCA,如此处部分解释$JAVA_HOME/jre/lib/security/java.security

之后,java.lang.ArrayIndexOutOfBoundsException: 64我从文件中的键值切换SunX509X.509值。ssl.KeyManagerFactory.algorithmjava.security

现在我有以下错误(我认为与Oracle论坛上的这个帖子相同):

java.security.NoSuchAlgorithmException: Algorithm ECDH not available
  javax.crypto.KeyAgreement.getInstance(DashoA13*..)
  org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(Unknown Source)
  org.bouncycastle.tls.TlsECDHEKeyExchange.generatePreMasterSecret(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.establishMasterSecret(Unknown Source)
  org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
  org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
  org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
  org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
  org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
  sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
  sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
  sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
  sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
  org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

但是通过查看org.bouncycastle.jcajce.provider.asymmetric.EC's 来源这样的 KeyAgreement 应该被正确设置org.bouncycastle.jce.provider.BouncyCastleProvider

但实际上,因为它是org.bouncycastle.jsse.provider.BouncyCastleJsseProvider在创建 https 客户端时使用的,所以这个提供者没有注册这个算法,我不知道该怎么做。

有人知道如何解决这个问题吗?

我还尝试将这些 jar 声明为我的战争的依赖项,并像这样明确地实例化它们:

    static {
            org.bouncycastle.jce.provider.BouncyCastleProvider bcp = new org.bouncycastle.jce.provider.BouncyCastleProvider();
            java.security.Security.insertProviderAt(bcp, 1);
            org.bouncycastle.jsse.provider.BouncyCastleJsseProvider bcjp = new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(bcp);
            java.security.Security.insertProviderAt(bcjp, 1);
    }

但是,我有这个堆栈似乎与 JBoss 中的一个问题有关

java.lang.SecurityException: JCE cannot authenticate the provider BC
    javax.crypto.Cipher.getInstance(DashoA13*..)
    org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
    org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
    org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
    org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
    org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
Caused by: java.util.jar.JarException: Cannot parse jar:file:/opt/jboss-5.1.0.GA/server/default/deploy/myapp.war/WEB-INF/lib/bcprov-jdk15on-1.61.jar!/
    javax.crypto.SunJCE_c.a(DashoA13*..)
    javax.crypto.SunJCE_b.b(DashoA13*..)
    javax.crypto.SunJCE_b.a(DashoA13*..)
    javax.crypto.Cipher.getInstance(DashoA13*..)
    org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
    org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
    org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
    org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
    org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

以防万一,我在 BouncyCastle GitHub 上打开了问题 #514 。

4

3 回答 3

0

您所看到的与未注册的 BouncyCastle JCE Provider 一致。因此,对 ECDH 协议的搜索不在 JCE 搜索路径中找到它。

要动态注册提供程序,只需将以下行添加到您的代码中

Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());

根据BouncyCastle 规范第 6.1 节和测试示例代码BouncyCastle JSSE 测试代码

我怀疑您没有正确启动环境

于 2019-05-07T15:24:57.357 回答
0

这个问题由 anthony-o 在https://github.com/bcgit/bc-java/issues/514中解决,因为它是由重新打包问题引起的。

但是,该解决方案对我不起作用,因为我的 bouncycastle 罐子没有重新包装到遮光/脂肪罐中

这是我解决问题的方法:https ://stackoverflow.com/a/59845413/497378

(我不确定将链接发布到另一个stackoverflow问题的答案的礼仪,所以如果不合适,请删除)

于 2020-01-21T16:57:04.553 回答
0 
java.lang.SecurityException: JCE cannot authenticate the provider BC

我得到了同样的错误(并且 JAR 直接来自 Maven,没有重新打包),我认为因为从 BC 1.61 版本开始,JAR 使用 Java 6 无法验证的更新的签名算法(或根证书)进行签名.

通过将 BC 降级到 1.60,我设法连接到支持 SNI 的 TLS 服务器(Java 6 通常无法访问该服务器)。我使用了以下 Maven 依赖项:

<dependency groupId="org.bouncycastle" artifactId="bctls-jdk15on" version="1.60"/>
于 2020-08-31T15:50:20.620 回答