ssl - "Algorithm ECDH not available"在 JRockit 6 上使用 bcprov 和 bctls

标签 ssl bouncycastle lets-encrypt java-6 jrockit

我正在尝试授权在 JRockit 6 上运行的旧 JBoss 5 使用 Let's encrypt 证书访问 CAS 服务器。

问题是 JDK6 不支持 Let's encrypt,所以 I added the root certificatecacerts 文件。

现在的问题是 JDK 6 不理解这么大的 key (java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive))所以我尝试通过将 bcprov-jdk15on-1.61.jar & bctls-jdk15on-1.61.jar 添加到 $JAVA_HOME/来切换到 Bouncy CaSTLe JCE/JCA jre/lib/ext 文件夹并添加 org.bouncycaSTLe.jce.provider.BouncyCaSTLeProviderorg.bouncycaSTLe.jsse.provider.BouncyCaSTLeJsseProvider 作为第一个安全提供者$JAVA_HOME/jre/lib/security/java.security 文件 as explained partly here .

java.lang.ArrayIndexOutOfBoundsException: 64 之后,我从 SunX509 切换到 X.509 ssl.KeyManagerFactory 的值。 java.security 文件中的算法 键。

现在我有以下错误(我认为与 this thread on Oracle forum 相同):

java.security.NoSuchAlgorithmException: Algorithm ECDH not available
  javax.crypto.KeyAgreement.getInstance(DashoA13*..)
  org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(Unknown Source)
  org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(Unknown Source)
  org.bouncycastle.tls.TlsECDHEKeyExchange.generatePreMasterSecret(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.establishMasterSecret(Unknown Source)
  org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
  org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
  org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
  org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
  org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
  org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
  sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
  sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
  sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
  sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
  org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

但是通过查看 org.bouncycastle.jcajce.provider.asymmetric.EC's sources org.bouncycastle.jce.provider.BouncyCastleProvider 应正确设置此类 KeyAgreement .

但实际上,因为它是 org.bouncycastle.jsse.provider.BouncyCastleJsseProvider这是在创建 https 客户端时使用的,此提供程序未注册此算法,我不知道如何执行此操作。

有人知道如何解决这个问题吗?

我还尝试将这些 jar 声明为对我的 war 的依赖项,并像这样明确地实例化它们:

    static {
            org.bouncycastle.jce.provider.BouncyCastleProvider bcp = new org.bouncycastle.jce.provider.BouncyCastleProvider();
            java.security.Security.insertProviderAt(bcp, 1);
            org.bouncycastle.jsse.provider.BouncyCastleJsseProvider bcjp = new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(bcp);
            java.security.Security.insertProviderAt(bcjp, 1);
    }

但是,我有这个堆栈 seems to be linked to a problem in JBoss :

java.lang.SecurityException: JCE cannot authenticate the provider BC
    javax.crypto.Cipher.getInstance(DashoA13*..)
    org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
    org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
    org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
    org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
    org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
Caused by: java.util.jar.JarException: Cannot parse jar:file:/opt/jboss-5.1.0.GA/server/default/deploy/myapp.war/WEB-INF/lib/bcprov-jdk15on-1.61.jar!/
    javax.crypto.SunJCE_c.a(DashoA13*..)
    javax.crypto.SunJCE_b.b(DashoA13*..)
    javax.crypto.SunJCE_b.a(DashoA13*..)
    javax.crypto.Cipher.getInstance(DashoA13*..)
    org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
    org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
    org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
    org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
    org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
    org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

以防万一,我有 opened the issue #514在 BouncyCaSTLe GitHub 上。

最佳答案

您所看到的与未注册的 BouncyCaSTLe JCE 提供程序一致。因此,对 ECDH 协议(protocol)的搜索并未在 JCE 搜索路径中找到它。

要动态注册提供者,只需将以下行添加到您的代码中

Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());

根据 BouncyCastle Specifications 6.1节和测试样例代码BouncyCastle JSSE Test Code

我怀疑你没有正确启动环境

关于ssl - "Algorithm ECDH not available"在 JRockit 6 上使用 bcprov 和 bctls,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55971726/

上一篇:apache - 如何使用 Apache 重定向对 Node-Red 的请求?

下一篇:java - 收到致命警报:SSLHandshakeException中的handshake_failure

相关文章:

amazon-web-services - 使用 VeriSign G5 连接到 SSL 的问题

azure - 无法将 TXT 记录设置为 Freenom 提供商中的域

java - BouncyCasSTLe 在服务器端,Android 手机作为客户端

lets-encrypt - 使用让我们使用 Spring Boot 加密本地

node.js - greenlock(让'加密)与快速和端口转发

子域的 SSL 影响根域安全

apache - 需要帮助在 WSL2 上设置 HTTPS

java - Java字符串的PGP加密

java - CertPath 中的证书顺序

lets-encrypt - 在 Traefik 中使用现有的 LetsEncrypt 证书

©2024 IT工具网  联系我们