BouncyCastle on the server side with Android phone

Posted 2019-06-08 03:13

I'm currently having some difficulties with getting BouncyCastle to work. Been searching on this for a couple of days now, so I'm hoping you can provide any helpful insights.

Here's the set-up. Using REST-protocol, the Android-client sends POST-messages to the server. I made a separate project with classes representing these messages, so that I can include this as a library on both the client and the server. The message-objects are first parsed to a JSON-string and afterwards interpreted on the server.

For the sake of data-integrity, a message contains a digital signature (DSA). I asked a question on this issue earlier about the exchange of the public key. The answer I got was helpful, as this seems to work correctly.

However, the verification keeps on failing. Nikolay Elenkov's answer in the other thread mentions a possible cause: "BTW, it will probably be easier if you are dealing with a single provider, so you might want to use Bouncy Castle on the server as well." This is where I'm getting trouble (and since it is kind of a different issue, I made a new topic for this).

Here's an excerpt of the code from the message-class (from the common library):

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// ....

private byte[] signature;

// ....

public void sign(DSAPrivateKey key) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    Signature signer = Signature.getInstance("SHA1withDSA");
    signer.initSign(key);
    signer.update(this.toByteArray());
    this.signature = signer.sign();
}

public boolean verifySignature(DSAPublicKey key) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    Signature signer = Signature.getInstance("SHA1withDSA");
    signer.initVerify(key);
    signer.update(this.toByteArray());
    return (signer.verify(this.signature));
}

I included the bcprov-jdk15on-147.jar in the classpath of each project: on the client (don't think that was necessary, but who knows), in the protocol-project and in the server-project.

The server seems not to be able to deal with it, as I am getting an exception that is apparently kind of common for BouncyCastle:

java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
    at java.lang.Class.getDeclaredConstructors0(Native Method)
    at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
    at java.lang.Class.getConstructor0(Class.java:2699)
    at java.lang.Class.getDeclaredConstructor(Class.java:1985)
    at com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:82)
    at com.google.gson.internal.ConstructorConstructor.getConstructor(ConstructorConstructor.java:66)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:71)
    at com.google.gson.Gson.getAdapter(Gson.java:353)
    at com.google.gson.Gson.fromJson(Gson.java:754)

The next line being the gson.fromJson() call for the message-class.

Last thing I should mention is that I am working on Mac OS X with Apache Felix server. The server module should be easily portable to another machine if the project is finished.

So, where am I going wrong? Thanks for any help already.

2 Answers
smile是对你的礼貌
#2 · 2019-06-08 03:31

I don't know how Apache Felix's class loading works, but you are not supposed to add the provider multiple times. Move the Security.addProvider(new BouncyCastleProvider()); part to a static initializer or register bouncy castle in the java.security file of the JDK.

What class is the exception occurring for? Why are you calling JCE code in the default constructor? That is probably a bad idea, especially when using automatic marshaling as offered by Gson. Construct your objects first and then call whatever verification code you have.

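Added example (not the poster's or either answerer's code): one way to follow the advice in the answer above, registering Bouncy Castle once in a static initializer and keeping the JCE calls in a helper instead of the Gson-mapped message class. The class name `BcSignatures` and the sample JSON bytes are assumptions made here, and the Bouncy Castle provider JAR is assumed to be on the classpath (under Felix, resolvable by the bundle).

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical helper (not from the original post): the message class holds only
// data, so Gson can construct it without touching any provider code.
public final class BcSignatures {
    private static final String BC = BouncyCastleProvider.PROVIDER_NAME; // "BC"

    static {
        // Register once per JVM; addProvider() appends at the lowest priority.
        if (Security.getProvider(BC) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    private BcSignatures() {}

    public static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        // Naming the provider selects Bouncy Castle instead of the JDK default.
        Signature signer = Signature.getInstance("SHA1withDSA", BC);
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }

    public static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature verifier = Signature.getInstance("SHA1withDSA", BC);
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA", BC);
        gen.initialize(1024);
        KeyPair pair = gen.generateKeyPair();
        byte[] msg = "{\"id\":1,\"body\":\"hello\"}".getBytes("UTF-8"); // constructed sample
        byte[] sig = sign(pair.getPrivate(), msg);
        byte[] tampered = "{\"id\":2,\"body\":\"hello\"}".getBytes("UTF-8");
        System.out.println("original verifies: " + verify(pair.getPublic(), msg, sig));
        System.out.println("tampered verifies: " + verify(pair.getPublic(), tampered, sig));
    }
}
```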
爷、活的狠高调
#3 · 2019-06-08 03:57

Apache Felix is an OSGi environment. Therefore the correct way would be to add the necessary BouncyCastle packages as dependencies to your bundle and install the BouncyCastle JAR as a bundle.

For about a year or so, the BouncyCastle JAR files have already been correct bundles - they already include all the necessary data in the MANIFEST.MF.
