What's wrong with IBM's JCE provider?


Problem description

I have a JCE test that works fine with all Sun JDKs I have tried, but fails with various IBM J9 JDKs (e.g. 1.6.0 build pwi3260sr8-20100409_01(SR8)). The exception below happens when the cipher is initialized in encrypt mode. Why can the IBM JCE not use its own private key? Am I missing something in my code?

  public void testBasicKeyGeneration() throws NoSuchAlgorithmException, 
      NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, 
      BadPaddingException, NoSuchProviderException, SignatureException {
      KeyPairGenerator generator = KeyPairGenerator.getInstance( "RSA" );
      generator.initialize( 2048 );
      KeyPair pair = generator.generateKeyPair();

      String data1 = "123456789012345678901234567890123456789012345678901234567890";
      Cipher cipher = Cipher.getInstance( "RSA" );
      // On the IBM JDK this init call throws the InvalidKeyException shown below.
      cipher.init( Cipher.ENCRYPT_MODE, pair.getPrivate() );
      byte[] encrypted = cipher.doFinal( data1.getBytes() );

      cipher.init( Cipher.DECRYPT_MODE, pair.getPublic() );
      byte[] decrypted = cipher.doFinal( encrypted );
      String data2 = new String( decrypted );
      assertEquals( "en/decryption failed", data1, data2 );
  }

Here is the stack trace:

java.security.InvalidKeyException: Private key cannot be used to encrypt.
at com.ibm.crypto.provider.RSA.engineInit(Unknown Source)
at javax.crypto.Cipher.a(Unknown Source)
at javax.crypto.Cipher.a(Unknown Source)
at javax.crypto.Cipher.init(Unknown Source)
at javax.crypto.Cipher.init(Unknown Source)
at test.Test.testBasicKeyGeneration(LicenseHelperTest.java:56)

Recommended answer

I don't know this for sure but I believe that the JCE has an embedded policy limiting encryption to the public key and decryption to the private key.

In the example code the encryption was done with the private key. This would require the public key to decrypt, meaning that anyone with the public key could access the encoded data. Although this has its uses it is not the accepted pattern and the IBM implementation may be "protecting" you from accidentally creating encrypted data that was publicly readable.

The fact that it tested properly when these were reversed tends to confirm my suspicions but I haven't yet found an official document stating as much.
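
The key-role split described in the answer, as an added example that is not part of the original question or answer: the public key encrypts and the private key decrypts, while the private-key operation goes through `Signature`, so the result is authenticity rather than secrecy. The class name `RsaKeyRoles` and the transformation strings `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` and `SHA256withRSA` are choices of this example (standard JCA names); it assumes the installed provider supports them and a Java 7 or later runtime.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

public class RsaKeyRoles {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();
        byte[] data = "123456789012345678901234567890123456789012345678901234567890"
                .getBytes(StandardCharsets.UTF_8);

        // Confidentiality: encrypt with the PUBLIC key, decrypt with the PRIVATE key.
        // The padding is named explicitly instead of relying on the provider default for "RSA".
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        byte[] encrypted = cipher.doFinal(data);
        cipher.init(Cipher.DECRYPT_MODE, pair.getPrivate());
        boolean roundTrip = Arrays.equals(data, cipher.doFinal(encrypted));

        // Authenticity: the private-key operation belongs to Signature, not Cipher.
        // Anyone holding the public key can verify, but nothing is kept secret.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(data);
        byte[] signature = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pair.getPublic());
        verifier.update(data);
        boolean genuine = verifier.verify(signature);

        // Flip one bit of the message: verification must now fail.
        byte[] tampered = data.clone();
        tampered[0] ^= 1;
        verifier.initVerify(pair.getPublic());
        verifier.update(tampered);
        boolean forgedAccepted = verifier.verify(signature);

        System.out.println("decrypt round trip ok:  " + roundTrip);
        System.out.println("signature verifies:     " + genuine);
        System.out.println("tampered data accepted: " + forgedAccepted);
        if (!roundTrip || !genuine || forgedAccepted) {
            throw new IllegalStateException("unexpected result");
        }
    }
}
```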
