问题描述
我目前正在使用Java Bouncy Castle库来创建CMS签名的数据(或PKCS7签名的数据).但是,我似乎不愿意添加证书(即使证书签名者已正确添加).
I am currently using the java Bouncy Castle libraries in order to create CMS signed data (or PKCS7 signed data). I seem however to be stuck with adding certificates (even though the certificate signer is properly added).
我检查了此问题有关正确的内容签名数据,但没有满足我的SCEP服务器的需求.我使用的代码来自EJBCA,但似乎没有向PKCS7签名的数据添加证书.
I checked out this question about properly signing data, but it didn't respond the needs of my SCEP server. The code I used was from EJBCA but doesn't seem to add certificates to the PKCS7 signed data.
当我使用openssl cms
工具解析签名的数据时,我看到证书"字段为空".此外,当我尝试使用openssl pkcs7 [...] -print_certs
打印证书时,我什么也没得到.
When I parse the signed data with the openssl cms
tool, I see that the "certificates" field is "EMPTY". Additionally, when I try to the print the certs with openssl pkcs7 [...] -print_certs
, I get nothing.
这是我与Bouncy Castle签署数据的方式(代码很多,但足以重现此问题):
Here is how I sign my data with Bouncy Castle (it's a lot code but enough to reproduce the issue):
CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
CMSTypedData msg;
List<X509Certificate> certList = new ArrayList<>();
// Make sure the certificate is not null
if (this.certificate != null) {
certList.add((X509Certificate) this.certificate);
}
/**
* Create the signed CMS message to be contained inside the envelope
* this message does not contain any message, and no signerInfo
**/
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
Collection<JcaX509CertificateHolder> x509CertificateHolder = new ArrayList<>();
try {
for (X509Certificate certificate : certList) {
x509CertificateHolder.add(new JcaX509CertificateHolder(certificate));
}
CollectionStore<JcaX509CertificateHolder> store = new CollectionStore<>(x509CertificateHolder);
gen.addCertificates(store);
} catch (Handle all exceptions) {}
上面的代码片段通常应添加证书.我是从EJBCA那里获得的.
This snippet of code above should normally add certificates. I took this from EJBCA.
这是我完成签名数据的方式:
Here is how I complete the signed data:
CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();
// I add ALL of my attributes here
// Once they're added...
Certificate caCert = this.caCertificate;
try {
String provider = BouncyCastleProvider.PROVIDER_NAME;
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithmName).
setProvider(provider).
build(signerKey);
JcaDigestCalculatorProviderBuilder calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().
setProvider(provider);
JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(calculatorProviderBuilder.build());
builder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(attributes)));
gen1.addSignerInfoGenerator(builder.build(contentSigner, (X509Certificate) ca));
} catch (Handle all exceptions) {}
// Create the signed data
CMSSignedData sd = gen1.generate(msg, true);
byte[] results = sd.getEncoded();
bytes数组的结果是DER格式的PKCS7签名数据...但未添加证书.
The bytes array results is the DER formatted PKCS7 signed data... but no certificate is added.
我错过了什么吗?谢谢您的帮助!
Am I missing something? Thank you for your help!
推荐答案
CMSSignedDataGenerator gen1
必须显式添加我不知道的证书.
The CMSSignedDataGenerator gen1
has to explicitly add the certificate, which I wasn't aware of.
可以简单地通过以下方式完成
It can simply be done by:
- 将证书添加到
X509Certificates
的List
; - 将
List
转换为JcaX509CertificateHolder
的Collection
; - 将此集合添加到
JcaX509CertificateHolder
的CollectionStore
; - 添加商店
CMSSignedDataGenerator
.
- Adding the certificates to a
List
ofX509Certificates
; - Converting that
List
into aCollection
ofJcaX509CertificateHolder
; - Adding this collection to a
CollectionStore
ofJcaX509CertificateHolder
; - Adding the store the
CMSSignedDataGenerator
.
代码示例:
CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();
List<X509Certificate> certificates = new ArrayList<>();
// I chose to add the CA certificate
certificates.add((X509Certificate) this.caCertificate);
// In this case, this is a certificate that I need to add
if (this.certificate != null)
certificates.add((X509Certificate) this.certificate);
// This is the recipient certificate
if (this.recipientCert != null)
certificates.add((X509Certificate) this.recipientCert);
Collection<JcaX509CertificateHolder> x509CertificateHolder = new ArrayList<>();
// Of course, we need to handle the exceptions...
for (X509Certificate certificate : certificates) {
x509CertificateHolder.add(new JcaX509CertificateHolder(certificate));
}
CollectionStore<JcaX509CertificateHolder> store = new CollectionStore<>(x509CertificateHolder);
// The final stage.
gen1.addCertificates(store);
希望这对以后的所有人有帮助.
Hope this helps anyone in the future.
这篇关于将证书添加到CMS签名数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!