PKCS7 codifica in Java senza librerie esterne come BouncyCastle ecc

Naviga le tue risposte
10

Sto lavorando alla firma e alla codifica dei messaggi CMS / PKCS # 7 (qualcosa di simile a C # SignedCms ).

Ho x509certificato dal keystore, rsa private key,
ContentInfo. ContentType è "oidPkcs7Data".

Non capisco cosa dovrei fare dopo.

Ho pensato:

  1. genera una firma e firma i dati ContentInfo 
    Signature signature = Signature.getInstance("MD5withRSA");
    signature.initSign(rsaPrivateKeyFromStore); 
    signature.update(contentInfo.getData());
    signedData = signature.sign();
  1. codifica firma firmata + firma. 
    PKCS7 pkcs7 = new PKCS7(signedData);
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    pkcs7.encodeSignedData(baos);

Ma ho ottenuto l'eccezione 

sun.security.pkcs.ParsingException: Unable to parse the encoded bytes
    at sun.security.pkcs.PKCS7.(PKCS7.java:94)

Ovviamente sto sbagliando.

Inoltre mi piacerebbe farlo senza BouncyCastle o Classpth o smth come questi.

È possibile utilizzare solo le classi sun.security. *? Io uso Java 1.5.

Sono un nuovo membro del mondo DigitalSignature e qualsiasi aiuto o consiglio è apprezzato.

UPD

Ho generato il mio certificato e ho provato a firmare i dati con esso.

. Codice netto 

        X509Certificate2 certificate = new X509Certificate2("X:\mypfxstore.pfx", "123");
        String text = "text";
        ContentInfo contentInfo = new ContentInfo(System.Text.Encoding.UTF8.GetBytes(text));
        SignedCms cms = new SignedCms(contentInfo, false);
        CmsSigner signer = new CmsSigner(certificate);
        signer.IncludeOption = X509IncludeOption.None;
        signer.DigestAlgorithm = new Oid("SHA1");
        cms.ComputeSignature(signer, false);
        byte[] signature = cms.Encode();
        print(signature);

.Java code 

    char[] password = "123".toCharArray();
    String text = "text";

    FileInputStream fis = new FileInputStream("X:\mypfxstore.pfx");
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(fis, password);

    String alias = ks.aliases().nextElement();
    PrivateKey pKey = (PrivateKey)ks.getKey(alias, password);
    X509Certificate c = (X509Certificate)ks.getCertificate(alias);

    //Data to sign
    byte[] dataToSign = text.getBytes("UTF-8");
    //compute signature:
    Signature signature = Signature.getInstance("SHA1WithRSA");
    signature.initSign(pKey);
    signature.update(dataToSign);
    byte[] signedData = signature.sign();

    //load X500Name
    X500Name xName      = X500Name.asX500Name(c.getSubjectX500Principal());
    //load serial number
    BigInteger serial   = c.getSerialNumber();
    //laod digest algorithm
    AlgorithmId digestAlgorithmId = new AlgorithmId(AlgorithmId.SHA_oid);
    //load signing algorithm
    AlgorithmId signAlgorithmId = new AlgorithmId(AlgorithmId.RSAEncryption_oid);

    //Create SignerInfo:
    SignerInfo sInfo = new SignerInfo(xName, serial, digestAlgorithmId, signAlgorithmId, signedData);

    //Create ContentInfo:
    ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));

    //Create PKCS7 Signed data
    PKCS7 p7 = new PKCS7(new AlgorithmId[] { digestAlgorithmId }, cInfo,
            new java.security.cert.X509Certificate[] { /*cert,*/ },
            new SignerInfo[] { sInfo });

    //Write PKCS7 to bYteArray
    ByteArrayOutputStream bOut = new DerOutputStream();
    p7.encodeSignedData(bOut);
    byte[] encoded = bOut.toByteArray();

    print(encoded);

Output Java 

length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10705A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511

. Output netto 

length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10701A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511

Esempio di certificato esempio

    
posta nixspirit 18.04.2012 - 17:48
fonte

1 risposta

9
package test.pkcs7;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import sun.security.pkcs.ContentInfo;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X500Name;

public class GenPKCS {

    static final String STORENAME = "c:/fileName.p12";
    static final String STOREPASS = "password";

    public static void main(String[] args) throws Exception{

        //First load the keystore object by providing the p12 file path
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        //replace testPass with the p12 password/pin
        clientStore.load(new FileInputStream(STORENAME), STOREPASS.toCharArray());

        Enumeration<String> aliases = clientStore.aliases();
        String aliaz = "";
        while(aliases.hasMoreElements()){
            aliaz = aliases.nextElement();
            if(clientStore.isKeyEntry(aliaz)){
                break;
            }
        }
        X509Certificate c = (X509Certificate)clientStore.getCertificate(aliaz);

        //Data to sign
        byte[] dataToSign = "SigmaWorld".getBytes();
        //compute signature:
        Signature signature = Signature.getInstance("Sha1WithRSA");
        signature.initSign((PrivateKey)clientStore.getKey(aliaz, STOREPASS.toCharArray()));
        signature.update(dataToSign);
        byte[] signedData = signature.sign();

        //load X500Name
        X500Name xName      = X500Name.asX500Name(c.getSubjectX500Principal());
        //load serial number
        BigInteger serial   = c.getSerialNumber();
        //laod digest algorithm
        AlgorithmId digestAlgorithmId = new AlgorithmId(AlgorithmId.SHA_oid);
        //load signing algorithm
        AlgorithmId signAlgorithmId = new AlgorithmId(AlgorithmId.RSAEncryption_oid);

        //Create SignerInfo:
        SignerInfo sInfo = new SignerInfo(xName, serial, digestAlgorithmId, signAlgorithmId, signedData);
        //Create ContentInfo:
        ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));
        //Create PKCS7 Signed data
        PKCS7 p7 = new PKCS7(new AlgorithmId[] { digestAlgorithmId }, cInfo,
                new java.security.cert.X509Certificate[] { c },
                new SignerInfo[] { sInfo });
        //Write PKCS7 to bYteArray
        ByteArrayOutputStream bOut = new DerOutputStream();
        p7.encodeSignedData(bOut);
        byte[] encodedPKCS7 = bOut.toByteArray();
    }
}

Le seguenti modifiche devono essere eseguite nel codice Java per rendere l'output simile a .NET: 

//Create ContentInfo:
ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));

cambia in 

//Create ContentInfo:
ContentInfo cInfo = new ContentInfo(ContentInfo.DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));
    
risposta data 06.06.2012 - 15:25
fonte

Leggi altre domande sui tag

Strumenti per la ricerca di PII [chiuso] Apache è vulnerabile a CVE-2015-1781?