Question
I am getting the following exception when I use the Corda createKeystoreForCordaNode function.
I created a JKS RSA 2048 root and intermediate CA keystore with KeyStore Explorer 5.3.1 or the keytool command.
I also set the DEFAULT_TLS_SIGNATURE_SCHEME to RSA_SHA256.
Exception in thread "main" org.bouncycastle.cert.CertException: unable to process signature: exception on setup: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.1 Signature not available
    at org.bouncycastle.cert.X509CertificateHolder.isSignatureValid(Unknown Source)
    at net.corda.node.utilities.X509Utilities.createCertificate$node_main(X509Utilities.kt:281)
    at net.corda.node.utilities.X509Utilities.createCertificate(X509Utilities.kt:142)
    at net.corda.node.utilities.X509Utilities.createCertificate(X509Utilities.kt:118)
    at net.corda.node.utilities.X509Utilities.createCertificate$default(X509Utilities.kt:117)
Thanks in advance.
Answer 1:
Support for PKCS1 RSA signatures "1.2.840.113549.1.1.1" will be added in Corda V3.
Also note that the current recommendation for key size (if you create keys using Corda's API) is 3072 bit, but I think a 2048 bit key will work as well. Source code in the master branch verifies Corda's upcoming support for RSA "1.2.840.113549.1.1.1".
val RSA_SHA256 = SignatureScheme(
    1,                                                                   // scheme number
    "RSA_SHA256",                                                        // scheme code name
    AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, null),   // signature algorithm OID
    listOf(AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, null)),     // key algorithm OIDs; this is 1.2.840.113549.1.1.1
    BouncyCastleProvider.PROVIDER_NAME,                                  // JCA provider
    "RSA",                                                               // key algorithm name
    "SHA256WITHRSAEncryption",                                           // JCA signature algorithm name
    null,                                                                // algorithm parameter spec (none for RSA)
    3072,                                                                // recommended key size in bits
    "PKCS1 RSA signature scheme using SHA256 as hash algorithm."
)
Alternatively, instead of using RSA keys, you can generate ECDSA keys using the NIST P-256 (secp256r1) named curve.
With keytool this is:
-keyalg EC -keysize 256 -sigalg SHA256withECDSA
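As an added diagnostic (not code from the question, the answer, or Corda itself): the trace above fails because BouncyCastle is asked to verify a certificate whose signatureAlgorithm field carries the bare rsaEncryption key OID (1.2.840.113549.1.1.1) rather than a real signature OID such as sha256WithRSAEncryption or ecdsa-with-SHA256. This dependency-free Python script reads that outer OID from a DER certificate and classifies it; the certificate it parses is a constructed placeholder built inline, not a real Corda node certificate.

```python
# Classify the outer signatureAlgorithm OID of a DER X.509 certificate (pure Python).
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"     # bare RSA key OID; names no signature algorithm
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # PKCS#1 v1.5 with SHA-256 (Corda's RSA_SHA256)
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"   # SHA256withECDSA, as used with the P-256 key

VERDICTS = {
    RSA_ENCRYPTION: "not verifiable: rsaEncryption is a key OID, no Signature exists for it",
    SHA256_WITH_RSA: "verifiable: sha256WithRSAEncryption",
    ECDSA_WITH_SHA256: "verifiable: ecdsa-with-SHA256",
}

def der(tag, content):
    """Minimal DER TLV encoder (short-form and one-byte long-form lengths)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER element (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, pos, _ = read_tlv(cert, 0)
    _, _, pos = read_tlv(cert, pos)                     # skip tbsCertificate
    tag2, pos, _ = read_tlv(cert, pos)                  # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag3, start, end = read_tlv(cert, pos)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER certificate")
    return decode_oid(cert[start:end])

def verdict(cert):
    oid = signature_oid(cert)
    return VERDICTS.get(oid, "unrecognised signature OID " + oid)

def sample_cert(sig_oid):
    """Constructed placeholder: tiny tbsCertificate, given signature OID, 200-byte zero signature."""
    tbs = der(0x30, der(0x02, b"\x02"))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(200)))

if __name__ == "__main__":
    for oid in (RSA_ENCRYPTION, SHA256_WITH_RSA, ECDSA_WITH_SHA256):
        print(oid, "->", verdict(sample_cert(oid)))
```

To check a real node certificate, read its DER bytes (export from the keystore with keytool or KeyStore Explorer) and pass them to verdict().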
Source: https://stackoverflow.com/questions/47544738/corda-rsa-issue-using-createkeystoreforcordanode