如何将分离的CAdES签名转换为使用BC封装?
max*_*a72 5 java cryptography bouncycastle digital-signature
我的java applet能够使用分离类型的Bouncy Castle 1.4.9生成CMSSignedData.然后将字节数组sigData.getEncoded()存储在服务器上的表中(该表可以访问未包含的内容数据).现在我想在服务器中创建封装的CMSSignedData,以便用户下载.p7m文件.
我需要开发的函数具有分离签名的字节数组和内容数据的字节数组,并且必须返回CaDES封装签名的字节数组,该字符数组将用于下载.p7m文件.
问题是我无法将分离的签名转换为封闭的签名.
以下是我在applet中使用的一些代码: signCAdeS使用分离签名对文档进行签名,然后调用attach(仅用于测试)将分离转换为封装但未成功:使用Dike打开创建的.p7m文件是不可能的查看内容数据.
private byte[] signCAdES(byte[] aDocument, PrivateKey aPrivateKey, Certificate[] certChain)
throws GeneralSecurityException {
byte[] digitalSignature = null;
try {
Security.addProvider(new BouncyCastleProvider());
ArrayList<X509Certificate> certsin = new ArrayList<X509Certificate>();
for (int i = 0; i < certChain.length; i++) {
certsin.add((X509Certificate) certChain[i]);
}
X509Certificate cert = certsin.get(0);
//Nel nuovo standard di firma digitale e' richiesto l'hash del certificato di sottoscrizione:
String digestAlgorithm = "SHA-256";
String digitalSignatureAlgorithmName = "SHA256withRSA";
MessageDigest sha = MessageDigest.getInstance(digestAlgorithm);
byte[] digestedCert = sha.digest(cert.getEncoded());
//Viene ora create l'attributo ESSCertID versione 2 cosi come richiesto nel nuovo standard:
AlgorithmIdentifier aiSha256 = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
ESSCertIDv2 essCert1 = new ESSCertIDv2(aiSha256, digestedCert);
ESSCertIDv2[] essCert1Arr = {essCert1};
SigningCertificateV2 scv2 = new SigningCertificateV2(essCert1Arr);
Attribute certHAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2));
//Aggiungiamo l'attributo al vettore degli attributi da firmare:
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(certHAttribute);
AttributeTable at = new AttributeTable(v);
CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator(at);
//Creaiamo l'oggetto che firma e crea l'involucro attraverso le librerie di Bouncy Castle:
SignerInfoGeneratorBuilder genBuild = new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
genBuild.setSignedAttributeGenerator(attrGen);
//Si effettua la firma con l'algoritmo SHA256withRSA che crea l'hash e lo firma con l'algoritmo RSA:
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
ContentSigner shaSigner = new JcaContentSignerBuilder("SHA256withRSA").build(aPrivateKey);
SignerInfoGenerator sifGen = genBuild.build(shaSigner, new X509CertificateHolder(cert.getEncoded()));
gen.addSignerInfoGenerator(sifGen);
X509CollectionStoreParameters x509CollectionStoreParameters = new X509CollectionStoreParameters(certsin);
JcaCertStore jcaCertStore = new JcaCertStore(certsin);
gen.addCertificates(jcaCertStore);
CMSTypedData msg = new CMSProcessableByteArray(aDocument);
CMSSignedData sigData = gen.generate(msg, false); // false=detached
byte[] encoded = sigData.getEncoded();
FileOutputStream fos = new FileOutputStream("H:\\prova2.txt.p7m");
fos.write(attach(aDocument, encoded));
fos.flush();
fos.close();
digitalSignature = encoded;
} catch (CMSException ex) {
ex.printStackTrace();
} catch (IOException ex) {
ex.printStackTrace();
} catch (OperatorCreationException ex) {
ex.printStackTrace();
}
return digitalSignature;
}
这是附加功能:
public static byte[] attach(byte[] originalData, byte[] detached) {
try {
ASN1InputStream in = new ASN1InputStream(detached);
CMSSignedData sigData = new CMSSignedData(new CMSProcessableByteArray(originalData), in);
return sigData.getEncoded();
} catch (Exception e) {
return null;
}
}
这个回应来得有点晚了。当然,您会找到替代方案,因为不可能将分离的 CAdES 转换为包络
查看RFC 3852 -CMS中定义的CAdESSignedData签名节点的ASN.1 结构
SignedData包含encapContentInfo包含用于封装签名的原始数据,但不存在于分离签名中。由于SignedData已签名,因此无法添加原始数据以将分离数据转换为封装数据
注意:正确的术语是enveloping,因为签名包装了数据。封装的签名将嵌入到数据中