
java crypto SHA512withRSA not working genkeypair


  • java Version - Java 8
  • HSM - nCipher

What Works - SHA1withRSA

java -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main -genkeypair -validity 365 -alias aci3 -keyalg RSA -sigalg SHA1withRSA -keystore /ipsbo/keystore/ipskeystore -storetype nCipher.sworld -providerClass com.ncipher.provider.km.nCipherKM -providerName nCipherKM -storepass password -keypass password -dname "CN=aci3,OU=ips,O=vocalink,L=rickmansworth,ST=Unknown,C=uk"

Does not Work - SHA512withRSA

java -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main -genkeypair -validity 365 -alias aci4 -keyalg RSA -sigalg SHA512withRSA -keystore /ipsbo/keystore/ipskeystore -storetype nCipher.sworld -providerClass com.ncipher.provider.km.nCipherKM -providerName nCipherKM -storepass password -keypass password -dname "CN=aci4,OU=ips,O=vocalink,L=rickmansworth,ST=Unknown,C=uk" -v
keytool error: java.security.NoSuchAlgorithmException: Invalid ObjectIdentifier SHA512withRSA
java.security.NoSuchAlgorithmException: Invalid ObjectIdentifier SHA512withRSA
        at sun.security.x509.AlgorithmId.get(AlgorithmId.java:402)
        at sun.security.tools.keytool.CertAndKeyGen.getSelfCertificate(CertAndKeyGen.java:258)
        at sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1626)
        at sun.security.tools.keytool.Main.doCommands(Main.java:966)
        at sun.security.tools.keytool.Main.run(Main.java:343)
        at sun.security.tools.keytool.Main.main(Main.java:336)

Look at http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/x509/AlgorithmId.java

The static method algOID does not contain SHA512withRSA. Why is that? It seems to have SHA1withRSA.

More details

The nCipher details have SHA512withRSA

-bash$ java -cp "java/classes/*" com.ncipher.provider.InstallationTest
Installed providers:
1: SunJCE
2: nCipherKM
3: SUN
4: SunRsaSign
5: SunEC
6: SunJSSE
7: SunJGSS
8: SunSASL
9: XMLDSig
10: SunPCSC

Unlimited strength jurisdiction files are installed.
The nCipher provider is installed, but is not registered at
the top of the providers list in the java.security file. See
the user guide for more information about the recommended
system configuration.

nCipher JCE services:
Alg.Alias.AlgorithmParameters.DESede
Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.3.7
Alg.Alias.Cipher.1.2.840.113549.1.1.1
Alg.Alias.Cipher.1.2.840.113549.3.4
Alg.Alias.Cipher.1.2.840.113549.3.7
Alg.Alias.Cipher.AES
Alg.Alias.Cipher.CAST6
Alg.Alias.Cipher.DES3
Alg.Alias.Cipher.OID.1.2.840.113549.1.1.1
Alg.Alias.Cipher.OID.1.2.840.113549.3.4
Alg.Alias.Cipher.OID.1.2.840.113549.3.7
Alg.Alias.Cipher.RC4
Alg.Alias.Cipher.Triple-DES
Alg.Alias.Cipher.TripleDES
Alg.Alias.KeyAgreement.Diffie-Hellman
Alg.Alias.KeyAgreement.DiffieHellman
Alg.Alias.KeyFactory.1.2.840.10040.4.1
Alg.Alias.KeyFactory.1.2.840.113549.1.1.1
Alg.Alias.KeyFactory.1.3.14.3.2.12
Alg.Alias.KeyFactory.Diffie-Hellman
Alg.Alias.KeyFactory.DiffieHellman
Alg.Alias.KeyFactory.OID.1.2.840.10040.4.1
Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1.1
Alg.Alias.KeyFactory.OID.1.3.14.3.2.12
Alg.Alias.KeyGenerator.1.2.840.113549.3.4
Alg.Alias.KeyGenerator.1.2.840.113549.3.7
Alg.Alias.KeyGenerator.1.3.14.3.2.7
Alg.Alias.KeyGenerator.AES
Alg.Alias.KeyGenerator.CAST6
Alg.Alias.KeyGenerator.DES3
Alg.Alias.KeyGenerator.OID.1.2.840.113549.3.4
Alg.Alias.KeyGenerator.OID.1.2.840.113549.3.7
Alg.Alias.KeyGenerator.OID.1.3.14.3.2.7
Alg.Alias.KeyGenerator.RC4
Alg.Alias.KeyGenerator.Triple-DES
Alg.Alias.KeyGenerator.TripleDES
Alg.Alias.KeyPairGenerator.1.2.840.10040.4.1
Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1.1
Alg.Alias.KeyPairGenerator.1.3.14.3.2.12
Alg.Alias.KeyPairGenerator.DiffieHellman
Alg.Alias.KeyPairGenerator.ECDHDiffie-Hellman
Alg.Alias.KeyPairGenerator.OID.1.2.840.10040.4.1
Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1.1
Alg.Alias.KeyPairGenerator.OID.1.3.14.3.2.12
Alg.Alias.MessageDigest.SHA-224
Alg.Alias.MessageDigest.SHA-256
Alg.Alias.MessageDigest.SHA-384
Alg.Alias.MessageDigest.SHA-512
Alg.Alias.SecureRandom.SHA1PRNG
Alg.Alias.Signature.1.2.840.10040.4.3
Alg.Alias.Signature.1.2.840.113549.1.1.5
Alg.Alias.Signature.1.3.14.3.2.13
Alg.Alias.Signature.1.3.14.3.2.26with1.2.840.10040.4.1
Alg.Alias.Signature.1.3.14.3.2.26with1.2.840.10040.4.3
Alg.Alias.Signature.1.3.14.3.2.26with1.2.840.113549.1.1.1
Alg.Alias.Signature.1.3.14.3.2.26with1.2.840.113549.1.1.5
Alg.Alias.Signature.1.3.14.3.2.27
Alg.Alias.Signature.DSA
Alg.Alias.Signature.DSAWithSHA1
Alg.Alias.Signature.DSS
Alg.Alias.Signature.OID.1.2.840.10040.4.3
Alg.Alias.Signature.OID.1.2.840.113549.1.1.5
Alg.Alias.Signature.OID.1.3.14.3.2.13
Alg.Alias.Signature.OID.1.3.14.3.2.26withOID.1.2.840.10040.4.1
Alg.Alias.Signature.OID.1.3.14.3.2.26withOID.1.2.840.10040.4.3
Alg.Alias.Signature.OID.1.3.14.3.2.26withOID.1.2.840.113549.1.1.1
Alg.Alias.Signature.OID.1.3.14.3.2.26withOID.1.2.840.113549.1.1.5
Alg.Alias.Signature.OID.1.3.14.3.2.27
Alg.Alias.Signature.RSAforSSL
Alg.Alias.Signature.RawRSA
Alg.Alias.Signature.SHA-1/DSA
Alg.Alias.Signature.SHA/DSA
Alg.Alias.Signature.SHA1/DSA
Alg.Alias.Signature.SHAwithDSA
AlgorithmParameters.GCMParameters
AlgorithmParameters.IVParameters
Cipher.AESWrap
Cipher.ArcFour
Cipher.CAST256
Cipher.DES
Cipher.DES2
Cipher.DESede
Cipher.DESedeCBC
Cipher.DESedeWrap
Cipher.RSA
Cipher.Rijndael
KeyAgreement.DH
KeyFactory.DH
KeyFactory.DSA
KeyFactory.RSA
KeyGenerator.ArcFour
KeyGenerator.CAST256
KeyGenerator.DES
KeyGenerator.DES2
KeyGenerator.DESede
KeyGenerator.HmacMD5
KeyGenerator.HmacRIPEMD160
KeyGenerator.HmacSHA1
KeyGenerator.HmacSHA224
KeyGenerator.HmacSHA256
KeyGenerator.HmacSHA384
KeyGenerator.HmacSHA512
KeyGenerator.HmacTiger
KeyGenerator.Rijndael
KeyPairGenerator.DH
KeyPairGenerator.DSA
KeyPairGenerator.ECDH
KeyPairGenerator.RSA
KeyStore.JKS
KeyStore.nCipher.sworld
Mac.HmacMD5
Mac.HmacRIPEMD160
Mac.HmacSHA1
Mac.HmacSHA224
Mac.HmacSHA256
Mac.HmacSHA384
Mac.HmacSHA512
Mac.HmacTiger
MessageDigest.RIPEMD160
MessageDigest.SHA224
MessageDigest.SHA256
MessageDigest.SHA384
MessageDigest.SHA512
MessageDigest.Tiger
SecretKeyFactory.DES
SecretKeyFactory.DES2
SecretKeyFactory.DESede
SecureRandom.RNG
Signature.MD5andSHA1withRSA
Signature.NONEwithRSA
Signature.RIPEMD160withRSA
Signature.RIPEMD160withRSAandMGF1
Signature.SHA1withDSA
Signature.SHA1withRSA
Signature.SHA1withRSAandMGF1
Signature.SHA224withDSA
Signature.SHA224withRSA
Signature.SHA224withRSAandMGF1
Signature.SHA256withDSA
Signature.SHA256withRSA
Signature.SHA256withRSAandMGF1
Signature.SHA384withDSA
Signature.SHA384withRSA
Signature.SHA384withRSAandMGF1
Signature.SHA512withDSA
Signature.SHA512withRSA
Signature.SHA512withRSAandMGF1

Java Security setup

security.provider.1=com.sun.crypto.provider.SunJCE
security.provider.2=com.ncipher.provider.km.nCipherKM
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC

Please do note the same command works with IBM JDK keytool.

Thanks in advance.


Solution

  • We changed it such that we added sun.security.rsa.SunRsaSign at the top, the com.ncipher.provider.km.nCipherKM at the bottom and sun.security.provider.Sun just before nCipherKM, and it worked.

    This is the output from the nCipher installation test:

    Installed providers:
        1: SunRsaSign
        2: SunJSSE
        3: SunEC
        4: SunJCE
        5: SUN
        6: nCipherKM
    

    However, as I said, we did not have the problem with the previous settings and the same command with the IBM JDK keytool. So I guess maybe it is a bug in http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/x509/AlgorithmId.java

    However, we do have a fix by reconfiguring the providers.
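
An added diagnostic, not part of the original question or answer: JDK 8's AlgorithmId resolves signature names that are not hard-coded by scanning the registered providers' Alg.Alias.*.OID.* entries, so this lists, in preference order, which providers implement a signature algorithm and which publish an OID alias for it. The class name SigAlgOidCheck and the default argument are choices made for this example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import java.util.TreeSet;

// Added example: per-provider view of one signature algorithm name.
// Usage: java SigAlgOidCheck [algorithm]   (default: SHA512withRSA)
public class SigAlgOidCheck {
    static final String PREFIX = "Alg.Alias.Signature.OID.";

    public static void main(String[] args) {
        String alg = args.length > 0 ? args[0] : "SHA512withRSA";
        Provider[] provs = Security.getProviders();   // preference order
        for (int i = 0; i < provs.length; i++) {
            Provider p = provs[i];
            // Does this provider offer a Signature implementation by that name?
            boolean impl = p.getService("Signature", alg) != null;
            TreeSet<String> oids = new TreeSet<>();   // OID aliases mapped to alg
            TreeSet<String> odd = new TreeSet<>();    // alias keys with a non-numeric OID part
            for (String key : p.stringPropertyNames()) {
                if (!key.startsWith(PREFIX)) {
                    continue;
                }
                String oid = key.substring(PREFIX.length());
                if (!oid.matches("\\d+(\\.\\d+)+")) {
                    odd.add(key);
                } else if (alg.equalsIgnoreCase(p.getProperty(key))) {
                    oids.add(oid);
                }
            }
            System.out.printf(Locale.ROOT, "%2d: %-12s implements=%-5b oidAliases=%s%n",
                    i + 1, p.getName(), impl, oids);
            for (String key : odd) {
                System.out.println("      non-numeric OID alias: " + key);
            }
        }
    }
}
```

Run it with the same JVM and java.security file that keytool uses. Because provider order also decides which provider serves any getInstance call that does not name one, code that must run on the HSM should name nCipherKM explicitly, as the keytool command does with -providerName.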