- Bug
- Resolution: Cannot Reproduce
- P3
- None
- 8u45
- x86_64
- windows_7
FULL PRODUCT VERSION :
In Linux:
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
In Windows, the same version but for 32-bit.
ADDITIONAL OS VERSION INFORMATION :
I have tested similar problems in 2 environments:
1) Windows 7 64 bit but in a Firefox Applet, so a 32bit JRE.
2) Ubuntu Linux 14.04 64bit as a command line executable or as an applet, always 64bit.
I think this problem is not OS related.
EXTRA RELEVANT SYSTEM CONFIGURATION :
I have tested with and without the Unrestricted JCA policies installed.
With Java 7 in Linux (Java(TM) SE Runtime Environment (build 1.7.0_80-b15)) it does work like a charm, not tested in Windows yet.
A DESCRIPTION OF THE PROBLEM :
We have some code that does some PAdES signatures using the JRE PKCS#11 API and Bouncy Castle as a provider.
We have 2 different PKCS#11 cards; one of them uses SHA1withRSA, the other SHA256WithRSA. The one with SHA256 has a 2024 bit RSA key.
When we use the SHA1 card there is no problem, but with the SHA256 card we get a Bouncy Castle exception caused by a previous JRE exception:
Exception in thread "main" es.binovo.ag.signature.exception.SignatureError: org.bouncycastle.operator.OperatorCreationException: cannot create signer: RSA key must be at most 1024 bits
    at es.binovo.ag.signature.command.sign.CommandSignaturePades$PDFSignature.sign(CommandSignaturePades.java:357)
    at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:779)
    at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1165)
    at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:552)
    at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1511)
    at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1396)
    at es.binovo.ag.signature.command.sign.CommandSignaturePades.execute(CommandSignaturePades.java:575)
    at es.binovo.ag.signature.cli.CliSignPades.signIzenpePades(CliSignPades.java:161)
    at es.binovo.ag.signature.cli.CliSignPades.signByType(CliSignPades.java:106)
    at es.binovo.ag.signature.cli.Cli.parse(Cli.java:88)
    at es.binovo.ag.signature.cli.Cli.main(Cli.java:51)
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: RSA key must be at most 1024 bits
    at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
    at es.binovo.ag.signature.command.sign.CommandSignaturePades$PDFSignature.sign(CommandSignaturePades.java:330)
    ... 10 more
Caused by: java.security.InvalidKeyException: RSA key must be at most 1024 bits
    at sun.security.pkcs11.P11Signature.checkKeySize(P11Signature.java:366)
    at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:430)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1174)
    at java.security.Signature.initSign(Signature.java:527)
    ... 12 more
We know that there are some encryption strength restrictions in the JRE, but even after installing "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8" the problem persists.
With Java 7 it works like a charm even without the JCA policy files.
REGRESSION. Last worked in version 7u80
REPRODUCIBILITY :
This bug can be reproduced always.