几个星期以来,我一直在用头撞墙,试图弄清楚为什么我们的银行无法解密使用 BouncyCaSTLe PGP 单程签名和加密的消息。该银行使用 McAfee E-Business Server 8.6 进行解密。
数据使用银行的公钥加密,并使用我们的私钥签名。
使用我们自己的公钥进行加密,我能够成功解密并验证使用以下代码生成的文件的签名。 Gnupg 可以很好地解密和验证文件。
但是,银行无法解密该文件。我试过先关闭压缩,然后关闭 ASCII 装甲。这两个选项似乎都不起作用,而且无论我尝试什么选项,它们总是收到相同的错误消息:
event 1: initial
event 13: BeginLex
event 8: Analyze
File is encrypted. event 9: Recipients
Secret key is required to read it.
Key for user ID "XXXXXXXXX <XXXXXX@XXXX>"
event 6: Passphrase
event 23: Decryption
symmetric cipher used: CAST5
event 3: error -11391
event 2: final
Error decrypting file '/somepath/FILENAME'.
Corrupt data.
Bad packet
exitcode = 32
这是我用来进行单次通过签名和加密的代码:
public class PGPService {
private static final Logger log = Logger.getLogger(PGPService.class);
static {
Security.addProvider(new BouncyCastleProvider());
}
/**
* A simple routine that opens a key ring file and loads the first available key
* suitable for signature generation.
*
* @param input stream to read the secret key ring collection from.
* @return a secret key.
* @throws IOException on a problem with using the input stream.
* @throws PGPException if there is an issue parsing the input stream.
*/
@SuppressWarnings("rawtypes")
private static PGPSecretKey readSecretKey(InputStream input) throws IOException, PGPException {
PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(
PGPUtil.getDecoderStream(input));
// We just loop through the collection till we find a key suitable for encryption, in the real
// world you would probably want to be a bit smarter about this.
Iterator keyRingIter = pgpSec.getKeyRings();
while (keyRingIter.hasNext()) {
PGPSecretKeyRing keyRing = (PGPSecretKeyRing)keyRingIter.next();
Iterator keyIter = keyRing.getSecretKeys();
while (keyIter.hasNext()) {
PGPSecretKey key = (PGPSecretKey)keyIter.next();
if (key.isSigningKey()) {
return key;
}
}
}
throw new IllegalArgumentException("Can't find signing key in key ring.");
}
/**
* Single pass signs and encrypts the given file to the given output file using the provided keys.
*
* @param fileNameIn - The name and location of the source input file.
* @param fileNameOut - The name and location of the destination output file.
* @param privateKeyIn - The input stream for the private key file.
* @param privateKeyPassword - The password for the private key file.
* @param publicEncryptionKey - The public encryption key.
* @param armoredOutput - Whether or not to ASCII armor the output.
*/
@SuppressWarnings("rawtypes")
public static void signAndEncrypt(String fileNameIn, String fileNameOut, InputStream privateKeyIn, String privateKeyPassword, PGPPublicKey publicEncryptionKey, boolean armoredOutput, boolean compress) {
int bufferSize = 1<<16;
InputStream input = null;
OutputStream finalOut = null;
OutputStream encOut = null;
OutputStream compressedOut = null;
OutputStream literalOut = null;
PGPEncryptedDataGenerator encryptedDataGenerator = null;
PGPCompressedDataGenerator compressedDataGenerator = null;
PGPSignatureGenerator signatureGenerator = null;
PGPLiteralDataGenerator literalDataGenerator = null;
try {
File output = new File(fileNameOut);
OutputStream out = new FileOutputStream(output);
if (armoredOutput) out = new ArmoredOutputStream(out);
// ? Use BCPGOutputStreams ?
// Init encrypted data generator
encryptedDataGenerator = new PGPEncryptedDataGenerator(PGPEncryptedDataGenerator.CAST5, true, new SecureRandom(), "BC");
encryptedDataGenerator.addMethod(publicEncryptionKey);
finalOut = new BufferedOutputStream(out, bufferSize);
encOut = encryptedDataGenerator.open(finalOut, new byte[bufferSize]);
// Init compression
if (compress) {
compressedDataGenerator = new PGPCompressedDataGenerator(PGPCompressedData.ZLIB);
compressedOut = new BufferedOutputStream(compressedDataGenerator.open(encOut));
}
// Init signature
PGPSecretKey pgpSec = readSecretKey(privateKeyIn);
PGPPrivateKey pgpPrivKey = pgpSec.extractPrivateKey(privateKeyPassword.toCharArray(), "BC");
signatureGenerator = new PGPSignatureGenerator(pgpSec.getPublicKey().getAlgorithm(), PGPUtil.SHA1, "BC");
signatureGenerator.initSign(PGPSignature.CANONICAL_TEXT_DOCUMENT, pgpPrivKey);
Iterator it = pgpSec.getPublicKey().getUserIDs();
if (it.hasNext()) {
PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
spGen.setSignerUserID(false, (String)it.next());
signatureGenerator.setHashedSubpackets(spGen.generate());
}
PGPOnePassSignature onePassSignature = signatureGenerator.generateOnePassVersion(false);
if (compress) onePassSignature.encode(compressedOut);
else onePassSignature.encode(encOut);
// Create the Literal Data generator Output stream which writes to the compression stream
literalDataGenerator = new PGPLiteralDataGenerator(true);
if (compress) literalOut = literalDataGenerator.open(compressedOut, PGPLiteralData.BINARY, output.getName(), new Date(), new byte[bufferSize]);
else literalOut = literalDataGenerator.open(encOut, PGPLiteralData.TEXT, fileNameIn, new Date(), new byte[bufferSize]);
// Update sign and encrypt
byte[] buffer = new byte[bufferSize];
int bytesRead = 0;
input = new FileInputStream(fileNameIn);
while((bytesRead = input.read(buffer)) != -1) {
literalOut.write(buffer,0,bytesRead);
signatureGenerator.update(buffer,0,bytesRead);
literalOut.flush();
}
// Close Literal data stream and add signature
literalOut.close();
literalDataGenerator.close();
if (compress) signatureGenerator.generate().encode(compressedOut);
else signatureGenerator.generate().encode(encOut);
} catch (Exception e) {
log.error(e);
throw new RuntimeException(e);
} finally {
// Close all streams
if (literalOut != null) try { literalOut.close(); } catch (IOException e) {}
if (literalDataGenerator != null) try { literalDataGenerator.close(); } catch (IOException e) {}
if (compressedOut != null) try { compressedOut.close(); } catch (IOException e) {}
if (compressedDataGenerator != null) try { compressedDataGenerator.close(); } catch (IOException e) {}
if (encOut != null) try { encOut.close(); } catch (IOException e) {}
if (encryptedDataGenerator != null) try { encryptedDataGenerator.close(); } catch (IOException e) {}
if (finalOut != null) try { finalOut.close(); } catch (IOException e) {}
if (input != null) try { input.close(); } catch (IOException e) {}
}
}
@SuppressWarnings("rawtypes")
private static PGPPublicKey readPublicKeyFromCol(InputStream in) throws Exception {
PGPPublicKeyRing pkRing = null;
PGPPublicKeyRingCollection pkCol = new PGPPublicKeyRingCollection(in);
log.info("Key ring size = " + pkCol.size());
Iterator it = pkCol.getKeyRings();
while (it.hasNext()) {
pkRing = (PGPPublicKeyRing) it.next();
Iterator pkIt = pkRing.getPublicKeys();
while (pkIt.hasNext()) {
PGPPublicKey key = (PGPPublicKey) pkIt.next();
log.info("Encryption key = " + key.isEncryptionKey() + ", Master key = " +
key.isMasterKey());
if (key.isEncryptionKey()) {
// Find out a little about the keys in the public key ring.
log.info("Key Strength = " + key.getBitStrength());
log.info("Algorithm = " + key.getAlgorithm());
log.info("Bit strength = " + key.getBitStrength());
log.info("Version = " + key.getVersion());
return key;
}
}
}
return null;
}
private static PGPPrivateKey findSecretKey(InputStream keyIn, long keyID, char[] pass)
throws IOException, PGPException, NoSuchProviderException {
PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(keyIn));
PGPSecretKey pgpSecKey = pgpSec.getSecretKey(keyID);
if (pgpSecKey == null) {
return null;
}
return pgpSecKey.extractPrivateKey(pass, "BC");
}
}
知道是什么原因造成的吗?我使用 Google 发现了大量报告,但没有解决方案或后续行动。
最佳答案
我正在回答我自己的问题,希望它能帮助其他人,因为这个问题的答案很难在网上找到。
McAfee E-Business Server 8.6 之前的版本与 BouncyCaSTLe PGP 存在兼容性问题,似乎大多数人都无法让它工作。因此,如果您的供应商/客户/银行使用的是 8.6 之前的 E-Business Server 版本,您很可能是 SOL,可能需要找到不同的加密包。
来源:https://kc.mcafee.com/corporate/index?page=content&id=KB60816&cat=CORP_EBUSINESS_SERVER&actp=LIST
"Decrypting a file that was encrypted with Bouncy Castle v1.37 may result in Access Violation Error (or SIGSEG on UNIX platforms). This issue has been addressed in this release."
幸运的是,我们的银行正在使用 McAfee E-Business Server 8.6。然而,这只是等式的一部分。为了解决不兼容问题,我们不得不关闭压缩和 ASCII 装甲,它们才能成功解密和验证我们的文件。因此,使用我发布的原始代码,对于使用 E-Business Server 8.6 的客户端,您将这样调用它:
PGPService.signAndEncrypt(clearTextFileName, secureFileName, privKeyIn, privateKeyFilePassword, pubKeyIn, true, false, false);
当然,这意味着您不能使用 ASCII 装甲,这对您来说可能是个问题,也可能不是。如果是,BouncyCaSTLe 开发邮件列表上的 David 建议您在非数据包模式下使用 BouncyCaSTLe。 IE:不要将字节缓冲区传递到流中的打开命令中。或者分两次对文件进行签名和加密。
例如调用:
public static void signFile(String fileNameIn, String fileNameOut, InputStream privKeyIn, String password, boolean armoredOutput) {
OutputStream out = null;
BCPGOutputStream bOut = null;
OutputStream lOut = null;
InputStream fIn = null;
try {
out = new FileOutputStream(fileNameOut);
if (armoredOutput) {
out = new ArmoredOutputStream(out);
}
PGPSecretKey pgpSec = readSecretKey(privKeyIn);
PGPPrivateKey pgpPrivKey = pgpSec.extractPrivateKey(password.toCharArray(), "BC");
PGPSignatureGenerator sGen = new PGPSignatureGenerator(pgpSec.getPublicKey().getAlgorithm(), PGPUtil.SHA1, "BC");
sGen.initSign(PGPSignature.BINARY_DOCUMENT, pgpPrivKey);
Iterator it = pgpSec.getPublicKey().getUserIDs();
if (it.hasNext()) {
PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
spGen.setSignerUserID(false, (String)it.next());
sGen.setHashedSubpackets(spGen.generate());
}
PGPCompressedDataGenerator cGen = new PGPCompressedDataGenerator(PGPCompressedData.ZLIB);
bOut = new BCPGOutputStream(cGen.open(out));
sGen.generateOnePassVersion(false).encode(bOut);
File file = new File(fileNameIn);
PGPLiteralDataGenerator lGen = new PGPLiteralDataGenerator();
lOut = lGen.open(bOut, PGPLiteralData.BINARY, file);
fIn = new FileInputStream(file);
int ch = 0;
while ((ch = fIn.read()) >= 0) {
lOut.write(ch);
sGen.update((byte) ch);
}
lGen.close();
sGen.generate().encode(bOut);
cGen.close();
} catch (Exception e) {
log.error(e);
throw new RuntimeException(e);
} finally {
if (lOut != null) try { lOut.close(); } catch (IOException e) {}
if (bOut != null) try { bOut.close(); } catch (IOException e) {}
if (out != null) try { out.close(); } catch (IOException e) {}
if (fIn != null) try { fIn.close(); } catch (IOException e) {}
}
}
接着调用:
public static byte[] encrypt(byte[] data, InputStream pubKeyIn, boolean isPublicKeyArmored) {
FileOutputStream fos = null;
BufferedReader isr = null;
try {
if (isPublicKeyArmored) pubKeyIn = new ArmoredInputStream(pubKeyIn);
PGPPublicKey key = readPublicKeyFromCol(pubKeyIn);
log.info("Creating a temp file...");
// Create a file and write the string to it.
File tempfile = File.createTempFile("pgp", null);
fos = new FileOutputStream(tempfile);
fos.write(data);
fos.close();
log.info("Temp file created at: " + tempfile.getAbsolutePath());
log.info("Reading the temp file to make sure that the bits were written...\n");
isr = new BufferedReader(new FileReader(tempfile));
String line = "";
while ((line = isr.readLine()) != null ) {
log.info(line + "\n");
}
int count = 0;
for (java.util.Iterator iterator = key.getUserIDs(); iterator.hasNext();) {
count++;
log.info(iterator.next());
}
log.info("Key Count = " + count);
// Encrypt the data.
ByteArrayOutputStream baos = new ByteArrayOutputStream();
_encrypt(tempfile.getAbsolutePath(), baos, key);
log.info("Encrypted text length = " + baos.size());
tempfile.delete();
return baos.toByteArray();
} catch (PGPException e) {
log.error(e);
throw new RuntimeException(e);
} catch (Exception e) {
log.error(e);
throw new RuntimeException(e);
} finally {
if (fos != null) try { fos.close(); } catch (IOException e) {}
if (isr != null) try { isr.close(); } catch (IOException e) {}
}
}
注意买者,因为我无法测试此方法以查看这是否甚至可以解决不兼容问题。但如果您别无选择并且必须为电子商务服务器目标使用 ASCII 装甲,那么这是您可以尝试的途径。
可以在 BouncyCaSTLe 开发邮件列表存档中找到更多信息,如果您决定走这条路,这些信息可能会有所帮助。特别是这个线程:http://www.bouncycastle.org/devmailarchive/msg12080.html
关于java - BouncyCaSTLe PGP 和 McAfee eBusiness Server 8.6 不兼容,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6617720/
我真的很习惯使用Ruby编写以下代码:my_hash={}my_hash['test']=1Java中对应的数据结构是什么? 最佳答案 HashMapmap=newHashMap();map.put("test",1);我假设? 关于java-等价于Java中的RubyHash,我们在StackOverflow上找到一个类似的问题: https://stackoverflow.com/questions/22737685/
我正在尝试使用boilerpipe来自JRuby。我看过guide从JRuby调用Java,并成功地将它与另一个Java包一起使用,但无法弄清楚为什么同样的东西不能用于boilerpipe。我正在尝试基本上从JRuby中执行与此Java等效的操作:URLurl=newURL("http://www.example.com/some-location/index.html");Stringtext=ArticleExtractor.INSTANCE.getText(url);在JRuby中试过这个:require'java'url=java.net.URL.new("http://www
我只想对我一直在思考的这个问题有其他意见,例如我有classuser_controller和classuserclassUserattr_accessor:name,:usernameendclassUserController//dosomethingaboutanythingaboutusersend问题是我的User类中是否应该有逻辑user=User.newuser.do_something(user1)oritshouldbeuser_controller=UserController.newuser_controller.do_something(user1,user2)我
什么是ruby的rack或python的Java的wsgi?还有一个路由库。 最佳答案 来自Python标准PEP333:Bycontrast,althoughJavahasjustasmanywebapplicationframeworksavailable,Java's"servlet"APImakesitpossibleforapplicationswrittenwithanyJavawebapplicationframeworktoruninanywebserverthatsupportstheservletAPI.ht
在应用开发中,有时候我们需要获取系统的设备信息,用于数据上报和行为分析。那在鸿蒙系统中,我们应该怎么去获取设备的系统信息呢,比如说获取手机的系统版本号、手机的制造商、手机型号等数据。1、获取方式这里分为两种情况,一种是设备信息的获取,一种是系统信息的获取。1.1、获取设备信息获取设备信息,鸿蒙的SDK包为我们提供了DeviceInfo类,通过该类的一些静态方法,可以获取设备信息,DeviceInfo类的包路径为:ohos.system.DeviceInfo.具体的方法如下:ModifierandTypeMethodDescriptionstatic StringgetAbiList()Obt
这篇文章是继上一篇文章“Observability:从零开始创建Java微服务并监控它(一)”的续篇。在上一篇文章中,我们讲述了如何创建一个Javaweb应用,并使用Filebeat来收集应用所生成的日志。在今天的文章中,我来详述如何收集应用的指标,使用APM来监控应用并监督web服务的在线情况。源码可以在地址 https://github.com/liu-xiao-guo/java_observability 进行下载。摄入指标指标被视为可以随时更改的时间点值。当前请求的数量可以改变任何毫秒。你可能有1000个请求的峰值,然后一切都回到一个请求。这也意味着这些指标可能不准确,你还想提取最小/
HashMap中为什么引入红黑树,而不是AVL树呢1.概述开始学习这个知识点之前我们需要知道,在JDK1.8以及之前,针对HashMap有什么不同。JDK1.7的时候,HashMap的底层实现是数组+链表JDK1.8的时候,HashMap的底层实现是数组+链表+红黑树我们要思考一个问题,为什么要从链表转为红黑树呢。首先先让我们了解下链表有什么不好???2.链表上述的截图其实就是链表的结构,我们来看下链表的增删改查的时间复杂度增:因为链表不是线性结构,所以每次添加的时候,只需要移动一个节点,所以可以理解为复杂度是N(1)删:算法时间复杂度跟增保持一致查:既然是非线性结构,所以查询某一个节点的时候
遍历文件夹我们通常是使用递归进行操作,这种方式比较简单,也比较容易理解。本文为大家介绍另一种不使用递归的方式,由于没有使用递归,只用到了循环和集合,所以效率更高一些!一、使用递归遍历文件夹整体思路1、使用File封装初始目录,2、打印这个目录3、获取这个目录下所有的子文件和子目录的数组。4、遍历这个数组,取出每个File对象4-1、如果File是否是一个文件,打印4-2、否则就是一个目录,递归调用代码实现publicclassSearchFile{publicstaticvoidmain(String[]args){//初始目录Filedir=newFile("d:/Dev");Datebeg
我基本上来自Java背景并且努力理解Ruby中的模运算。(5%3)(-5%3)(5%-3)(-5%-3)Java中的上述操作产生,2个-22个-2但在Ruby中,相同的表达式会产生21个-1-2.Ruby在逻辑上有多擅长这个?模块操作在Ruby中是如何实现的?如果将同一个操作定义为一个web服务,两个服务如何匹配逻辑。 最佳答案 在Java中,模运算的结果与被除数的符号相同。在Ruby中,它与除数的符号相同。remainder()在Ruby中与被除数的符号相同。您可能还想引用modulooperation.
Java的Collections.unmodifiableList和Collections.unmodifiableMap在Ruby标准API中是否有等价物? 最佳答案 使用freeze应用程序接口(interface):Preventsfurthermodificationstoobj.ARuntimeErrorwillberaisedifmodificationisattempted.Thereisnowaytounfreezeafrozenobject.SeealsoObject#frozen?.Thismethodretur