用BCvalidation分离的签名
如何使用Java中的BouncyCastle提供程序validation分离的签名(CMS / pkcs#7签名)?
目前,我的代码抛出exception,消息message-digest attribute value does not match calculated value
Security.addProvider(new BouncyCastleProvider()); File f = new File(filename); byte[] buffer = new byte[(int)f.length()]; DataInputStream in = new DataInputStream(new FileInputStream(f)); in.readFully(buffer); in.close(); CMSSignedData signature = new CMSSignedData(buffer); SignerInformation signer = (SignerInformation) signature.getSignerInfos().getSigners().iterator().next(); CertStore cs = signature.getCertificatesAndCRLs("Collection", "BC"); Iterator iter = cs.getCertificates(signer.getSID()).iterator(); X509Certificate certificate = (X509Certificate) iter.next(); CMSProcessable sc = signature.getSignedContent(); signer.verify(certificate, "BC");
您可以通过以下代码validation分离的签名:
public static boolean verif_Detached(String signed_file_name,String original_file_name) throws IOException, CMSException, NoSuchAlgorithmException, NoSuchProviderException, CertStoreException, CertificateExpiredException, CertificateNotYetValidException{ boolean result= false; Security.addProvider(new BouncyCastleProvider()); File f = new File(signed_file_name); byte[] Sig_Bytes = new byte[(int)f.length()]; DataInputStream in = new DataInputStream(new FileInputStream(f)); in.readFully(Sig_Bytes); in.close(); File fi = new File(original_file_name); byte[] Data_Bytes = new byte[(int)fi.length()]; DataInputStream input = new DataInputStream(new FileInputStream(fi)); input.readFully(Data_Bytes); input.close(); try{ CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(Data_Bytes), Sig_Bytes); CertStore certStore = cms.getCertificatesAndCRLs("Collection", "BC"); SignerInformationStore signers = cms.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getCertificates(signer.getSID()); Iterator certIt = certCollection.iterator(); X509Certificate cert = (X509Certificate) certIt.next(); cert_signer=cert; result=signer.verify(cert, "BC"); } }catch(Exception e){ e.printStackTrace(); result=false; } return result; }
validation分离的pKCS7的关键是使用CMSTypedStream,如下面的代码:
public void verifySign(byte[] signedData,byte[]bPlainText) throws Exception { InputStream is = new ByteArrayInputStream(bPlainText); CMSSignedDataParser sp = new CMSSignedDataParser(new CMSTypedStream (is),signedData); CMSTypedStream signedContent = sp.getSignedContent(); signedContent.drain(); //CMSSignedData s = new CMSSignedData(signedData); Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder certHolder = (X509CertificateHolder)certIt.next(); if ( !signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder))) { throw new DENException("Verification FAILED! "); } else { logger.debug("verify success" ); } } }
你可以在这里找到这篇文章的答案。 发生这种情况是因为当S / MIME标头不存在时,bouncy castle / open ssl如何处理S / MIME消息。解决方案是在signimg之前向消息添加S / MIME标头
- SHA256withRSA和SHA256之间的区别然后是RSA
- Java BC SicBlockCipher直接输出等效于c#
- 麻烦整合BouncyCastle Jar
- 如何使用JCA读取BouncyCastle私钥PEM文件?
- 坏填充exception – pkcs11中的RSA / ECB / OAEPWITHSHA-256ANDMGF1PADDING
- ColdFusion 10中的BouncyCastle库
- jce无法validation提供程序bc
- 使用在openjre中需要Java Policy Files的加密
- 带有Bouncy Castle的256位AES / CBC / PKCS5Padding