Help coderanch get a
new server
by contributing to the fundraiser

Manish Sahni

Ranch Hand
+ Follow
since Sep 09, 2009
Merit badge: grant badges
For More
Cows and Likes
Cows
Total received
In last 30 days
0
Forums and Threads

Recent posts by Manish Sahni

Thanks for your response BTW , SunPKCS11 does not support NoPadding in version less than JDK 7 and only JDK 7 32 bit JRE (Windows Environment) and 32/64 Bit JDK 7 for Linux Environment.

For such a Transformation , OAEP padding removal becomes a mandate , i also do think that i need to remove it manually in the code itself after decryption.

RSAPadding.unpad might do the trick.

Thanks

Richard Tookey wrote:The BUG report you cited refers to the SunJCE provider and not the SunPKCS11 provider but since it is possible that the padding code it common to both then the BUG may be applicable. If you read to the end of the BUG report then you will see that a suggested work around for dealing with the BUG is to decrypt with no padding and write code to remove the MGF1 padding. The specification for MGF1 padding is available in rfc2437 which Google will find. As an alternative to coding MGF1 from scratch you could look at the Bouncy Castle source and extract the bits you need.




10 years ago
whether the encryption Scheme is using SunJCE or BC for RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING transformation , my requirement is to decrypt the response coming from the server and that too by accessing the key stored in the Hard token.
Since i am using SunPKCS11 Provider, it does not provide the support for decrypting OAEP padding coming from the server end, hence i need to know is it possible that i can decrypt the response with such a Transformation in SunPKCS11.


Thanks



Richard Tookey wrote:Once again I don't understand! You encrypt using "OAEPWITHSHA-256ANDMGF1PADDING" and then decrypt using "PKCS1Padding" and wonder why you get a javax.crypto.BadPaddingException ! Also, you say the problem is due to SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" but you are using bcProvider which presumably means BouncyCastle!

These inconsistencies make it difficult for anyone to take your problem seriously!

P.S. Did you look at the end of the bug report for a suggested way round the SunJCE provider bug?

10 years ago
Sorry for the wrong version.Updated with Correct version as follows :-


Manish Sahni wrote: I have developed an application and using the following keys for digital signatures those of which were placed in a file path (Directory) in testing environment.

1) XXX.p12 file - for Digital signature.

2) XXX.p12 file - for decryption of XML response.

3) XXX.cer file - for encrypting the session keys , input XML etc.

Since the files are on a particular file path location , the code is running fine.So for in the pre-production environment we have procured the CryptoGraphic Token from a CA and imported the XXX.p12 file for testing of the same, i am successfully able to digitally sign the request , However in case of decrypting the session key that is encrypted by the server using "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" i am getting the error as :-




My Testing Method is :-



I have found the issue is that the implementation of SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" is not compatible with other implementations (BouncyCastle/IAIK/PKCS11)

When setting AlgorithmParameters (with OAEPParameterSpec) an exception is thrown (javax.crypto.BadPaddingException)

Refer : Problems with Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" Bug Details: https://bugs.openjdk.java.net/browse/JDK-7038158?page=com.atlassian.jira.plugin.system.issuetabpanels%3aworklog-tabpanel

Is their any way that i can decrypt the data for RSA-OAEP padding.

10 years ago
I have developed an application and using the following keys for digital signatures those of which were placed in a file path (Directory) in testing environment.

1) XXX.p12 file - for Digital signature.

2) XXX.p12 file - for decryption of XML response.

3) XXX.cer file - for encrypting the session keys , input XML etc.

Since the files are on a particular file path location , the code is running fine.So for in the pre-production environment we have procured the CryptoGraphic Token from a CA and imported the XXX.p12 file for testing of the same, i am successfully able to digitally sign the request , However in case of decrypting the session key that is encrypted by the server using "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" i am getting the error as :-




My Testing Method is :-



I have found the issue is that the implementation of SunJCE's Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" is not compatible with other implementations (BouncyCastle/IAIK/PKCS11)

When setting AlgorithmParameters (with OAEPParameterSpec) an exception is thrown (javax.crypto.BadPaddingException)

Refer : Problems with Cipher "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING" Bug Details: https://bugs.openjdk.java.net/browse/JDK-7038158?page=com.atlassian.jira.plugin.system.issuetabpanels%3aworklog-tabpanel

Is their any way that i can decrypt the data for RSA-OAEP padding.
10 years ago
I am developing a web application that needs to prevent multiple login using the same user name and password concurrently.

If it happens on the same machine then we need to do something with the user session, but it should also prevent if they are login on different machines using the same user name and password.

What can be the best approach :-

1) should i store the user session,credentials,and IPAddress of the machine in the DB.

2) should we use the session tracking mechanism in the application itself.If so what is the best approach?


Also , We have to keep following things in mind:

1) If user close the browser without logout.

2) If session times out.


Hope it clears the question.
11 years ago
Hi,

Suppose Their is a String abc ="asddffgghmmaanniisshhssdfg";

and the user gives the input as "masinh"

We need to find the first index of that input from abc and the condition is :-

1) The letters can be repeated
2) The letters might be in a shuffled way , however the letters must be together and no other letter can be in between them.

Suppose abc = "aghamaanniisshhssdfg";
User input = "masinh"

Output will be :- 4

example 2 :-

if abc = "aghmmaanniisshhssdfg"
User Inout = "hs"

Output will be :-13

How should i go about it ?



11 years ago
Thanks everyone..

Me too was thinking that the request will be the same for the server for that session..


11 years ago
Hi,

i have a JSP that has an a href tag :



and in My javascript i am encoding the ID and then submitting the form :-

'



In Servlet, i am getting the ID value as :

String id = request.getParameter("id");

and then decoding the value within the servlets.

Now , my problem is whenever i am hitting the direct link within the servlets using the encoded id that i had passed within the javascript , then the request is again processed.

I need to stop the request from processing if user copies the encoded id and hit the servlet directly .

Example Scenario :-

Suppose id encoded in the javascript and the URL formed is :

http://localhost:8080/MyServlets/abc.do?id=QQWWEEEggie66573== (encoded).

URL formed and submitted via javacript onclicking a link

In controller :-

Id decoded and form processed.

Problem :- Need to stop if the user copies the URL and directly hits from the brower without clicking the link

example :-
http://localhost:8080/MyServlets/abc.do?id=QQWWEEEggie66573==

How can i stop that and determine whether the a href is clicked or user is directly hitting the url.

Thanks
11 years ago
Hi William,

Thanks for your suggestion.

However if i will store some cookie value inside the text file and may be run some scheduler for deleting that cookie value after a certain period of time (Though it would be an increase in the overhead) was what i was thinking!!!

Actually to attain the Single Sign in functionality what would be more better approach.

Thanks and Regards



13 years ago
Hi all,


I am creating a Cookie inside a servlet based on the user info i.e. user name and password.
However i am storing the cookie information inside the text File instead of the database.

So, when the tries to hit the URL again ,then basically i check for the cookie name and if that cookie is already present then the user is not shown the login page again and is signed in without filling the user info again.

My question is :-

1) Is that the correct approach for achieving this functionality ?
2) When should i delete the cookies inside the text file?
13 years ago
Hi ,

I also started my preparation few days ago.
I am in the second chapter of SCJP book and practicing code side by side .

Perhaps we can all share our comments and discussions on each chapter .


Hi all,

Thanks for all your helpful suggestions .

Now have implemented the contextListeners and initializing as the application starts.

13 years ago
Hi All,

While implementing null servlet, i have found that their was not significant improvement in the performance time as compared to the
ServletContext Listeners

Also i think the initialization is needed only once , hence i will agree with Bear and go for the servletContextListener

Thanks All
13 years ago

Tim Holloway wrote:Personally, I prefer to avoid adding listeners and other esoterica unless they're actually essential. If I can use basic building blocks, it's usually simpler, more understandable, and less likely to break unexpectedly when a new and improved standard comes out.

From a performance point of view, however, consider this: listeners are called continually. I mean, their name says it - they listen. However an init() method is only run once. So from a strictly performance point of view, a listener isn't the optimal choice. You definitely don't want to re-init logging each time the listener kicks off, and even though the overhead for checking so you only run the first time is fairly small, it's still overhead. In addition to the overhead of setting up and calling the listener (assuming you didn't need the listener for other purposes, too).




Thanks for your quick reply Tim , really appreciate your response.

I think i will be creating a null servlet now and avoid the use of jsp_init() in all my JSP's.
13 years ago

Tim Holloway wrote:No, you should not initialize logging in each and every JSP.

A relatively clean way to initialize logging is to create what I call a "null servlet", which is a servlet which has an init() method but no GET/POST handlers. Configure logging in the init() method, and make the servlet itself auto-start and be the first servlet to start. Everyone else can pick up from there.

You don't actually have to make a discrete servlet for this purpose as long as you already have something similar that you can add the log config process to. Just keep the design clean.



Can i not use Context Listener instead of this "Null Servlet" ?

FYI:code snippet inside jsp_init()
13 years ago