Questions about as2.p12 keystore, auto-signed certs and signature


didier.p...@gmail.com

Nov 15, 2007, 3:27:08 AM
to Hermes 2.0 Discussion List
Hi everyone,

I've launched a new project in my company whose aim is to send data
via a secure channel to a partner using the AS2 protocol. We chose, for
test purposes, the H2O solution for its open source aspects.
Our partner is using the closed source SEEBURGER AS2 solution.

We are the sender, our partner the receiver. We only catch MDN. The
data must be sent compressed, signed and encrypted.

I searched this list for information while installing and configuring
my platform.
This thread was useful for adding a new key in the keystore and
modifying the validity: http://groups.google.com/group/cecid-hermes2/browse_frm/thread/8f85c948cb00cc3

I added the BC jar (from http://www.bouncycastle.org/fr/download/bcprov-jdk15-138.jar)
to my jre/lib/ext directory.

I was able to send, with the loopback test, a compressed, signed and
encrypted message, using the auto-signed certificate exported from my
as2.p12 keystore (I added it to both the outbound and inbound parameters
of the two partnerships).

But when I try to send the message to my partner (with a correct
partnership configured), he isn't able to decrypt the message. We
tried using for encryption a Verisign certificate owned by our
partner, and he is then able to decrypt the message... but not to
verify its signature.

If I try to create a new key with:

keytool -genkey -alias test -validity 3650 -keypass test -keystore as2.p12 -storetype pkcs12 -storepass password -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -sigalg="SHA1withDSA",

I get this error when restarting:

Caused by: java.io.IOException: exception unwrapping private key - java.security.InvalidKeyException: pad block corrupted
	at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.unwrapKey(Unknown Source)
	at org.bouncycastle.jce.provider.JDKPKCS12KeyStore.engineLoad(Unknown Source)
	at java.security.KeyStore.load(KeyStore.java:1150)
	at hk.hku.cecid.piazza.commons.security.KeyStoreComponent.load(KeyStoreComponent.java:169)

So could someone explain to me what's wrong in my configuration?
What is used for the signing process?
Where is the certificate configured in the partnership stored?
How can I create a fresh new keystore? When trying to create a new
one, I get the same errors as when trying to generate a new key with
the sigalg parameter.

I'm quite confused.

Thanks.

Ronnie Kwok

Nov 15, 2007, 5:47:42 AM
to Hermes 2.0 Discussion List
Hello,

Let's try to tackle the questions one by one.

1. What is used for the signing process?
The keystore-manager defined in as2.module.core.xml will be used.
The default is the as2.p12 file stored in the security folder
inside the AS2 plugin.

2. Where is the certificate configured in the partnership stored?
The certificate is stored as a binary object in the database.
Refer to the table "partnership" in the AS2 database.

3. How can I create a fresh new keystore?
Follow the instructions of the thread that you have spotted; using OpenSSL
to generate the key and certificate will work.

4. When trying to create a new one, I get the same errors as when
trying to generate a new key with the sigalg parameter.
The -sigalg parameter should be "-sigalg SHA1withDSA".

As said, please use OpenSSL to generate the keystore, since I find
that only a keystore generated this way works. I am still figuring out the
difference between using keytool and OpenSSL for keystore preparation.

Also, if you are going to use your self-signed certificate and
signature for encryption and signing, please make sure your partner
possesses your public certificate to verify and decrypt your message.
You mentioned the failure of your partner to verify the signature;
can you advise which keystore you used for signing in
that particular test?

Regards,
ronnie
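Added example, not from this thread or from the Hermes project: a POSIX shell script that builds a fresh as2.p12 with OpenSSL instead of keytool, as the reply recommends, exports the public certificate to hand to the partner, and checks that the keystore opens and holds that same certificate. It assumes OpenSSL 1.1 or 3.x in PATH; the alias, password, subject and the partner.cer file name are placeholders chosen here, not Hermes defaults.

```shell
#!/bin/sh
# Added example, not from the thread or the Hermes project: create a fresh
# as2.p12 with OpenSSL rather than keytool, as the reply recommends, export
# the public certificate for the partner, and check that the keystore opens.
# Assumes OpenSSL 1.1 or 3.x in PATH; alias, password and subject are
# placeholders supplied by the caller.
set -eu

# make_as2_keystore DIR ALIAS PASSWORD SUBJECT
#   writes DIR/as2.p12 (private key + self-signed cert under ALIAS)
#   and DIR/partner.cer (DER public certificate only, for the partner)
make_as2_keystore() {
    dir=$1; alias=$2; subj=$4
    P12_PASS=$3; export P12_PASS      # keep the password out of `ps` output
    mkdir -p "$dir"
    # 1. RSA key and self-signed certificate; 3650 days matches the
    #    -validity 3650 used in the poster's keytool command
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$subj" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # 2. Bundle key and cert into PKCS#12. The explicit PBE/MAC options
    #    select the classic SHA-1/3DES encoding; OpenSSL 3 otherwise defaults
    #    to AES-256 with PBKDF2 (PBES2), which a 2007-era BouncyCastle
    #    PKCS#12 reader does not support.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name "$alias" -out "$dir/as2.p12" -passout env:P12_PASS \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    # 3. Public certificate only, the file the partner imports to verify
    #    your signatures and encrypt to you
    openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/partner.cer"
    rm -f "$dir/key.pem"              # private key now lives only in the .p12
}

# check_as2_keystore DIR PASSWORD
#   returns 0 when the keystore opens with PASSWORD and the certificate
#   inside it is the same one exported as partner.cer, else non-zero
check_as2_keystore() {
    dir=$1
    P12_PASS=$2; export P12_PASS
    openssl pkcs12 -in "$dir/as2.p12" -passin env:P12_PASS -info -noout \
        >/dev/null 2>&1 || return 1
    p12_fp=$(openssl pkcs12 -in "$dir/as2.p12" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    cer_fp=$(openssl x509 -in "$dir/partner.cer" -inform DER -noout \
        -fingerprint -sha256)
    [ -n "$p12_fp" ] && [ "$p12_fp" = "$cer_fp" ]
}
```

The fingerprint comparison is the check worth repeating whenever the keystore or the partnership certificate is replaced: a partner who cannot verify your signature is often holding a certificate that no longer matches the key in the keystore doing the signing.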