Corda RSA issue using createKeystoreForCordaNode
Problem description
I am getting the following exception when I use the Corda createKeystoreForCordaNode function.
I did create a JKS RSA 2048 root and intermediate CA keystore with KeyStore Explorer 5.3.1 or the keytool command.
I also set the DEFAULT_TLS_SIGNATURE_SCHEME to RSA_SHA256.
Exception in thread "main" org.bouncycastle.cert.CertException: unable to process signature: exception on setup: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.1 Signature not available
    at org.bouncycastle.cert.X509CertificateHolder.isSignatureValid(Unknown Source)
    at net.corda.node.utilities.X509Utilities.createCertificate$node_main(X509Utilities.kt:281)
    at net.corda.node.utilities.X509Utilities.createCertificate(X509Utilities.kt:142)
    at net.corda.node.utilities.X509Utilities.createCertificate(X509Utilities.kt:118)
    at net.corda.node.utilities.X509Utilities.createCertificate$default(X509Utilities.kt:117)
Thanks in advance.
Recommended answer
Support for PKCS1 RSA signatures "1.2.840.113549.1.1.1" will be added in Corda V3.
Also note that the current recommendation for key size (if you create keys using Corda's API) is 3072 bits, but I think a 2048-bit key will work as well.
Source code in the master branch verifies Corda's upcoming support for RSA "1.2.840.113549.1.1.1".
val RSA_SHA256 = SignatureScheme(
    1,
    "RSA_SHA256",
    AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, null),
    listOf(AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, null)), // This is 1.2.840.113549.1.1.1
    BouncyCastleProvider.PROVIDER_NAME,
    "RSA",
    "SHA256WITHRSAEncryption",
    null,
    3072,
    "PKCS1 RSA signature scheme using SHA256 as hash algorithm."
)
Alternatively, instead of using RSA keys, you can generate ECDSA keys using the NIST P-256 (secp256r1 named curve). With keytool this is:
-keyalg EC -keysize 256 -sigalg SHA256withECDSA
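Added example, not part of the original answer and not Corda's code: in the JCA, 1.2.840.113549.1.1.1 (rsaEncryption) identifies a key type while 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) identifies a signature algorithm, so a `Signature` lookup by the former fails with the message seen in the question. The sketch below shows both lookups and the P-256 alternative from the answer. It assumes only the JDK's default providers (no BouncyCastle), and the function names are hypothetical.

```kotlin
import java.security.KeyPairGenerator
import java.security.NoSuchAlgorithmException
import java.security.Signature
import java.security.spec.ECGenParameterSpec

// rsaEncryption: names the RSA *key* type (the OID in the question's exception).
const val RSA_KEY_OID = "1.2.840.113549.1.1.1"
// sha256WithRSAEncryption: names the SHA-256 with RSA PKCS#1 *signature* algorithm.
const val SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11"

// Ask the JCA for a Signature implementation by name or OID and report the outcome.
fun signatureLookup(algorithm: String): String =
    try {
        "found: " + Signature.getInstance(algorithm).algorithm
    } catch (e: NoSuchAlgorithmException) {
        "failed: " + e.message
    }

// Generate a NIST P-256 (secp256r1) key pair, sign with SHA256withECDSA and verify,
// mirroring the keytool options "-keyalg EC -keysize 256 -sigalg SHA256withECDSA".
fun signAndVerifyP256(message: ByteArray): Boolean {
    val generator = KeyPairGenerator.getInstance("EC")
    generator.initialize(ECGenParameterSpec("secp256r1"))
    val keyPair = generator.generateKeyPair()

    val signer = Signature.getInstance("SHA256withECDSA")
    signer.initSign(keyPair.private)
    signer.update(message)
    val signature = signer.sign()

    val verifier = Signature.getInstance("SHA256withECDSA")
    verifier.initVerify(keyPair.public)
    verifier.update(message)
    return verifier.verify(signature)
}

fun main() {
    // Key-type OID used as a signature name: the lookup fails.
    println(signatureLookup(RSA_KEY_OID))
    // Signature-algorithm OID: the lookup succeeds.
    println(signatureLookup(SHA256_WITH_RSA_OID))
    // Constructed sample message, used only to exercise the EC path.
    println("P-256 sign/verify ok: " + signAndVerifyP256("constructed sample".toByteArray()))
}
```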