Java Security

Why signed data using two methods do not match?

user-7hjah May 1 2023

Hi,

I created a CSR file and a private key PEM file using the following command in OpenSSL:

openssl req -new -utf8 -nameopt multiline,utf8 -config rahat.cnf -newkey rsa:2048 -nodes -keyout rahat.key -out rahat.Csr

Then I got the certificate from the authorities in the form of a crt file. I converted it to cer and then extracted the public key with the following command in OpenSSL:

openssl x509 -pubkey -noout -in rahat.cer > pubkey.txt

Then I created a p12 file containing the certificate and also both the public and private keys using the following OpenSSL command:

openssl pkcs12 -export -out rahat.p12 -inkey rahat.key -in rahat.cer

I have an actual physical ePass3003Auto token. I imported the p12 file into this token using the ePassManagerAdm_3003.exe application to create a signature. Then I extracted the cer file, extracted the public key, and compared it with the pubkey.txt above; both were identical.

Now the problem:

I used the actual token to sign a "Hello World" string in Java. It worked, and then I could verify the signed data using the certificate and public key, again in Java.

On the other hand, I used the contents of the rahat.key file, which is actually the Base64 private key, and signed "Hello World" again with the following lines in Java.

Suppose PRIVATE_KEY is the private key string.

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import java.security.Provider;
import java.security.Security;
import java.util.Base64;

import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;


public byte[] signData(byte[] data, String PRIVATE_KEY) throws Exception {

    byte[] encoded = Base64.getDecoder().decode(PRIVATE_KEY);

    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
    KeyFactory kf = KeyFactory.getInstance("RSA");
    PrivateKey pk = kf.generatePrivate(keySpec);
    
    Signature signature = Signature.getInstance("SHA256withRSA");
    signature.initSign(pk);
    signature.update(data);

    byte[] signedData = signature.sign();

    return signedData;
}

Why are the results different? Shouldn't the resulting signed data from the two methods be identical?

Here is the signing code with the actual Token:

    Provider p = Security.getProvider("SunPKCS11");
    p = p.configure("config.cfg");
    Security.addProvider(p);
    KeyStore keyStore = KeyStore.getInstance("PKCS11", p);

    char[] pin = "4321".toCharArray();
    keyStore.load(null, pin);

    java.util.Enumeration<String> aliases = keyStore.aliases();
    String alias = aliases.nextElement();

    PrivateKey pk = (PrivateKey)keyStore.getKey(alias, "4321".toCharArray());
    Certificate[] chain = keyStore.getCertificateChain(alias);
    X509Certificate cert = (X509Certificate)chain[0];

    Signature signature = Signature.getInstance("SHA256withRSA");
    signature.initSign(pk);
    signature.update(data);

    byte[] signedData = signature.sign();

    signature.initVerify(cert.getPublicKey());
    signature.update(data);
    boolean verified = signature.verify(signedData);
    System.out.println("Verified: " + verified);
    return signedData;

Please check the second part of the code "signing with token". What changes should I make?

I can do nothing about the first part of the code. What I am concerned about is the second part of the code, when signing with the token.

The result of Token signature:

xDFul4EPEjzDpEzRqh9Dkp1fSDR7YcfSHqnEqO+f80tDg0DLcKdHtXOJp/ZdPVmwrd295JEG/6BQ7LCCgbGfwRcfgibAMD8H8reJw+MuW9ms4+dfTj16kTC+nQ9G2diOX4Gmxf6wISPGsLp6/MJs6Uu2SRA3kkXvwUTEPgEtehm3XzXKeHNQ+rGhb3nYH20uCv3y4uayxqm5QNZVLbRmeHQEXC3abqHcSSJwr7CSE+IDhlpB6SgO2f0wtrHftieZTL5zGHiN0fEIRkV6x3dd1wYhbSbr8+gxd+S8vclkljQt7vs4ffTLOcAuXyqjnIxy4avsN85BAW1cUtfbgOqrwQ==
256

The result of PKCS8 signature:

YcwHcx8jvDwuZDTmSXMFtoob3k4kFkm2ZG/TBOkJNilV6Zd81oK+uBWrJ/BrqUIabaDl6VPrTTQpWyY+QjMsRKHOtdlyIHD3EKDBJBamNRrbWNcixsYg9ettUukqTql/wy/PSfLVQCLb5AFbc1SdcH88x6U8IZYMkbv0HqlJ2YJhbUX1vhGPkUEXMqBl00W7En8HP5HUfNJMyJdnydByRKw4kjE2o2tRedID3sgqXI9ALV1Beow7rAjViTy3Huf9KDCLZN+JAmuDXYXD9UhtZrSq3Mdo3KLXdXxckss2/rzj033eEqhJUdA/s4IGfGCo15sLt9Qo7n5fkZSLF1Jk9g==
256

I could manage it somehow if only one or two characters were different!!

Any comment on this matter is appreciated.
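
A diagnostic for the comparison described above, added here as an example and not part of the original post. `SHA256withRSA` is RSASSA-PKCS1-v1_5, which has no random component, so the same private key over the same bytes always yields the same signature; applying the RSA public operation to each signature shows whether a mismatch comes from a different key or from different input bytes. The class and method names are hypothetical, and the in-memory key pairs are constructed stand-ins for `rahat.key` and the token key.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class CompareRsaSignatures {  // hypothetical name, not from the post
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Computes sig^e mod n and returns the SHA-256 digest at the end of the
    // EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 || 19-byte DigestInfo prefix || digest).
    // Returns null when the padding is wrong, i.e. the signature was made with another key.
    // Diagnostic only: the DigestInfo prefix is not checked, so this is not a verifier.
    static byte[] embeddedDigest(RSAPublicKey pub, byte[] sig) {
        BigInteger n = pub.getModulus();
        int k = (n.bitLength() + 7) / 8;
        byte[] raw = new BigInteger(1, sig).modPow(pub.getPublicExponent(), n).toByteArray();
        byte[] em = new byte[k];
        int len = Math.min(raw.length, k);
        System.arraycopy(raw, raw.length - len, em, k - len, len); // right-align, drop sign byte
        int i = 2;
        while (i < k && em[i] == (byte) 0xFF) i++;
        if (em[0] != 0 || em[1] != 1 || i != k - 52 || em[i] != 0) return null;
        return Arrays.copyOfRange(em, k - 32, k);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair a = g.generateKeyPair();  // constructed stand-in for rahat.key
        KeyPair b = g.generateKeyPair();  // constructed stand-in for some other key
        RSAPublicKey pubA = (RSAPublicKey) a.getPublic();
        byte[] data = "Hello World".getBytes(StandardCharsets.UTF_8);
        byte[] other = "Hello World\n".getBytes(StandardCharsets.UTF_8);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(data);

        byte[] s1 = sign(a.getPrivate(), data), s2 = sign(a.getPrivate(), data);
        byte[] s3 = sign(b.getPrivate(), data), s4 = sign(a.getPrivate(), other);
        System.out.println("same key, same bytes identical: " + Arrays.equals(s1, s2));
        System.out.println("different key identical:        " + Arrays.equals(s1, s3));
        System.out.println("s1 digest matches data:         " + Arrays.equals(expected, embeddedDigest(pubA, s1)));
        System.out.println("s3 padding valid under key A:   " + (embeddedDigest(pubA, s3) != null));
        byte[] d4 = embeddedDigest(pubA, s4);  // valid padding, but digest of other bytes
        System.out.println("s4 padding valid, digest match: " + (d4 != null) + ", " + Arrays.equals(expected, d4));
    }
}
```

Running `embeddedDigest` on both Base64-decoded signatures with the public key from the certificate separates the two cases: invalid padding points at a different private key, while valid padding with a different digest points at different input bytes.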

Comments

The language shown in the Forms runtime is the result of your NLS_LANG setting in the runtime environment configuration (e.g. default.env). However, Forms can only change the language of labels it knows about. For example, the ones you highlighted. The column titles, in your example are labels that you elected to use (or column names from the DB). As a result, we cannot change them automatically because we would have no idea if that is what you wanted to do.

You would need to programmatically change those if desired. For example:

SET_LOV_COLUMN_PROPERTY ('LOV1', 2, TITLE, 'Nombre del empleado (Spanish)');

In this example, I am running a form in English but want one column to show in Spanish. So, I use the code above to make that change at runtime.

xu meng Feb 12 2025

Thanks for your reply, your example has inspired me a bit, but it still can't meet my usage needs.
I'm confused about:
When my system language variable is Chinese, I want to make the LOV component's Query/Confirm/Cancel button appear separately in other languages. As shown in the image above.
I don't know, but you can understand what I mean.

xu meng Feb 12 2025

As shown on the picture you provided. "查询" is displayed when the Chinese environment variable is used, and "FIND" is displayed when it is used in English. At present, I want to make the button of its LOV component window display "FIND" separately in the Chinese system, but I have not found the method in the help document and the network.

As I mentioned, strings built into Forms like “Find”, “Ok”, “Cancel”, and others can be translated into the language you choose in the runtime environment using the NLS_LANG settings. Unfortunately, this cannot be changed after the application has been started. So if the app is started with for example, Chinese-Traditional it cannot later be changed to French while the form is running. This means that you must either configure your server to support multiple languages and create modules for each language. This is often the best approach. There are other ways that customers have used, but what I described here likely would require the smallest effort.

You did not mention which Forms version you are using and therefore I cannot point you to the documentation for that version. However, here is the link to the related documentation for Forms 14.1.2. The concepts are basically the same for earlier versions, although some minor improvements have been introduced in the latest release (14.1.2).

https://docs.oracle.com/en/middleware/developer-tools/forms/14.1.2/working-forms/enabling-language-detection.html

But again, for strings that do not natively belong to Forms (you created them) you would need to programmatically change them as necessary.

xu meng Feb 12 2025

OH! I will try to implement your plan first. Thank you for your patience. My Forms version is 11.1.2.

As you are likely aware, but I feel it necessary to mention in case you are not, Forms 11.1.2 was desupported many years ago. I recommend you consider upgrading to the latest Supported version in order to ensure that you can get the latest bug fixes (including security fixes), the latest features, and improvements like what I mentioned about language support and others.

Details can always be found on the Forms product page.

https://www.oracle.com/application-development/technologies/forms/forms.html

xu meng Feb 12 2025

Thank you for telling me this news. I will consider your suggestion carefully and refer to it later. Thank you for your answer.

Post Details

Added on May 1 2023