17

We are generating a digital signature (PKCS7) using Java security API. The digest algorithm is SHA-256 and the encryption algorithm is RSA (SHA256withRSA).

Using the SunRsaSign provider on the local machine, a signature was generated on some content. Using the IBMJCE provider in WAS 8.0.0.2, we were able to generate the same signature on the same content.

However, the problem is, we had to migrate back to WAS 6.1. Now, the signature generated is different from the one generated in the above 2 cases. I checked the message digests created in all 3 cases, and they are the same in all 3 cases, but the signature is different in the case of WAS 6.1.

Is there any known issue with WAS 6.1's IBMJCE provider with respect to SHA256withRSA encryption? Any pointers would be greatly appreciated. Thanks

phani nalla
  • +1 for checking the digests were identical. – Duncan Jones Apr 11 '13 at 13:45
  • Did you check the entire CMS format or just the PKCS#1 format? What did you generate the hash over? – Maarten Bodewes Apr 11 '13 at 21:57
  • I checked the entire CMS format (PKCS#7). Only the last 4 lines were differing. I understand that the part that is differing in the signature is the encrypted digest, the one that comes after the SIGNING_TIME. (I have been using the same date/time as the SIGNING_TIME_OID). – phani nalla Apr 12 '13 at 02:47
  • I tried to create the Signature instance using Signature.getInstance("SHA256withRSA","SunRsaSign"), because the problem seems to be with the IBMJCE provider. But SunRsaSign is not found in WebSphere 6.1. I know that we have to make the SunRsaSign entry in the java.security file of WebSphere_home's Java/jre/lib/security folder. But I cannot find the sun.security.rsa package at all in WebSphere. – phani nalla Apr 12 '13 at 02:49
  • 2
    Apparently, I was able to generate the correct signature using WAS 6.1.0.35. Earlier it was 6.1.0.25. Don't know yet if this was because of any bug or any missing server policy. Thanks all – phani nalla Apr 12 '13 at 07:57

2 Answers

1

Is there really a problem? From what I know, this must apply

signature = sign(message)  
verify(signature) == message  

There is no requirement that all signatures must be the same. So do you really have a problem with verification of those signatures?

epinuj
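An added example, not code from the question or either answer: it signs constructed content with a throwaway key, verifies the result, and uses the public key to recover the DigestInfo block that was actually signed, so the output of two JREs or providers can be compared byte for byte. The class name, key and sample content are assumptions; SHA256withRSA is PKCS#1 v1.5 signing, which is deterministic for a given key and input.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class RecoverDigestInfo { // hypothetical class name
    // Undo the RSA operation with the public key and strip PKCS#1 v1.5 type-1
    // padding (00 01 FF..FF 00), returning the DigestInfo the signer encoded.
    static byte[] recover(byte[] sig, RSAPublicKey pub) {
        byte[] em = new BigInteger(1, sig)
                .modPow(pub.getPublicExponent(), pub.getModulus()).toByteArray();
        // toByteArray() drops the leading 00, so a well-formed block starts with 01.
        if (em.length < 11 || em[0] != 0x01) throw new IllegalArgumentException("not a type-1 block");
        int i = 1;
        while (i < em.length && em[i] == (byte) 0xFF) i++;
        // At least 8 padding bytes, then a single 00 separator.
        if (i < 9 || i >= em.length || em[i] != 0x00) throw new IllegalArgumentException("bad padding");
        return Arrays.copyOfRange(em, i + 1, em.length);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: throwaway key and content, generated locally.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] content = "constructed sample content".getBytes("UTF-8");

        // Default provider; pass a provider name as second argument to pin one.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(content);
        byte[] sig = s.sign();
        s.update(content);          // sign() reset the object to its initSign state
        byte[] sig2 = s.sign();

        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(content);
        System.out.println(s.getProvider().getName() + " verifies=" + v.verify(sig));
        System.out.println("same bytes on re-sign=" + Arrays.equals(sig, sig2));
        System.out.println("DigestInfo=" + hex(recover(sig, (RSAPublicKey) kp.getPublic())));
    }
}
```

The DigestInfo line does not depend on the key, so it can be diffed across JREs even with a fresh key per run; comparing the signature bytes themselves requires loading the same private key on each side.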
0

We had the same issue and we forced WebSphere to use SunJCE. Here are the steps.

In the IBM WebSphere console, go to Application servers > server > Process definition > Java Virtual Machine

Look for Generic JVM arguments and add the following.

-DamCryptoDescriptor.provider=SunJCE -DamKeyGenDescriptor.provider=SunJCE

Then copied

C:\JAVA\jdk1.6.0_34\jre\lib\ext\sunjce_provider.jar  

To

C:\Program Files\IBM\SDP\runtimes\base_v7\java\jre\lib\ext\sunjce_provider.jar  

Change

C:\Program Files\IBM\SDP\runtimes\base_v7\java\jre\lib\security\java.security

By adding the following Sun providers to the list of providers in the java.security file.

#This will help Websphere to load 
security.provider.13=com.sun.crypto.provider.SunJCE
security.provider.14=sun.security.provider.Sun
security.provider.15=sun.security.rsa.SunRsaSign
security.provider.16=sun.security.jgss.SunProvider

Hope this helps.

Reddymails