JCE | JPSX CodeEncode - Auxiliary script | Hacking library

While analyzing the file document-with signingTime.pdf you provided in a comment, I recognized an issue in it. Being aware of that issue I re-checked your original document-17 21.08.14.pdf and also recognized that issue therein, so maybe this issue causes the validation problem you're here to solve. Thus, ...

Both your example files (document-17 21.08.14.pdf and document-with signingTime.pdf) contain each actually two concatenated copies of the same, multi-revision PDF with a single signature Signature1, merely the second copy has a changed ID entry. Added to them are incremental updates with a signature Signature2.

These are only applicable when running on Flood - you will need to provide the Host and Port of your local Selenium WebDriver instance to test locally. you could even use instead of remote driver the following to run on your local:

WebDriver driver;

The byte[] with the ciphertext has twice the length of the key size, where the first half corresponds to c0 and the second half to c1. The conversion of ci is achievable e.g. with new BigInteger(1, ci).

Verification is easily possible by performing the decryption manually with the BigIntegers converted in this way:

The implementation of the key derivation (like practically all modern implementations) uses the Carmichael totient function lambda(n) = lcm(p-1, q-1), instead of the Euler totient function phi(n) = (p-1)*(q-1).

If the test is performed with the Carmichael totient function, the condition d*e = 1 (mod lambda(n)) is fulfilled for all tests:

I found answer to this problem, sharing if it saves time for anybody else. What is been observed is that in some cases only CA root certificate is not sufficient. But when other intermediate certs are also loaded then this issue didnt occur. So basically the whole chain certificates were needed to overcome this problem. As a combination of bouncy castle library upgrade and including whole chain certs worked for me.

Ultimately, I was able to resolve this by:

• downloading Java straight from Oracle (rather than uninstalling and reinstalling with homebrew),
• deleting spark, downloading again (from apache, not via homebrew), and setting up environment variables as described here (mostly... I use a virtual environment so I didn't hardcode PYSPARK_PYTHON to system python3)
• uninstalling pyspark and reinstalling
• quitting pycharm and reopening (this refreshed all my environment variables that were set in .zshrc, like JAVA_HOME)

There's almost certainly an easier way, but this worked.

.NET Core itself doesn't let you plug in your own crypto stack.

You pointed to Bouncy Castle as an example of Java letting you use an alternate crypto stack; there's a port of Bouncy Castle to C#/.NET as well.

Their source code has a test case that demonstrates how to write a TLS client using Bouncy Castle:

https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/crypto/tls/test/TlsClientTest.cs

Please, review the java configuration related to TLS in the affected servers, the SDK uses the security properties jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithm to disable algorithms during TLS protocol negotiation, and maybe SHA256WithRSAEncryption has been disabled.

You can find the value of these properties in the /jre/lib/security/java.security file of your Java installation.

Please, consider read this related article, it is for IBM SDK 8, but the behavior described should be the same or very similar for other SDK versions and vendors.

Also, consider to enable the java.security.debug environment property with a value of certpath or all when running your program in the affected servers:

I don't know what Lucee's classloader is doing either to be honest, but this kind of error seems to be quite common when loading certain more complex jars via the Lucee /lib path. It's likely there are "class clashes" going on somewhere.

Lucee is now OSGi based which means the best way of avoiding this is to load third-party java libraries as OSGi bundles. Some libraries are already packaged for OSGi and others can be converted fairly easily. More details here.

The Amazon library doesn't seem to be OSGi friendly, although it could probably be converted without too much effort.

For now, I would look at JavaLoader as the simplest way of getting it working. I don't have any valid Amazon keys to test fully with, but using JavaLoader I was able to at least call the payConfig.setPrivateKey() method without getting a ClassNotFoundException error.