Verifying PKCS#7 SignedData in Java with Bouncy Castle

Keywords for this article: verify pkcs7 SignedData Java Bouncy Castle | Updated: 2023-09-27 18:26:20

I am re-implementing the C# SignedCms functionality in Java.

I have a PKCS#7 signed data blob (see the attachment: https://www.dropbox.com/s/yivani7dvh98wpa/SignedData.bin?dl=0) that verifies fine in C#:

    using System.Security.Cryptography.Pkcs;

    // signedData is loaded from my attached file.
    bool VerifyPKCS7(byte[] signedData)
    {
        try
        {
            SignedCms signedCms = new SignedCms();
            signedCms.Decode(signedData);
            // true = verify the signature only, do not validate the certificate chain
            signedCms.CheckSignature(true);
            return true;
        }
        catch
        {
        }
        return false;
    }

But it does not verify with the Bouncy Castle libraries in Java (bcprov-jdk15on-153.jar, bcpkix-jdk15on-153.jar):

    import java.util.Collection;
    import java.util.Iterator;

    import org.bouncycastle.cert.X509CertificateHolder;
    import org.bouncycastle.cms.CMSSignedDataParser;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.cms.SignerInformationStore;
    import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
    import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
    import org.bouncycastle.util.Store;

    // encapSigData is loaded from my attached file.
    CMSSignedDataParser sp = new CMSSignedDataParser(
            new JcaDigestCalculatorProviderBuilder().setProvider("BC").build(), encapSigData);
    sp.getSignedContent().drain();                    // stream the content through the digest calculators
    Store<X509CertificateHolder> certStore = sp.getCertificates();
    SignerInformationStore signers = sp.getSignerInfos();
    Collection<SignerInformation> c = signers.getSigners();
    Iterator<SignerInformation> it = c.iterator();
    while (it.hasNext())
    {
        SignerInformation signer = it.next();
        // look up the signer certificate embedded in the message by issuer/serial (or SKI)
        Collection<X509CertificateHolder> certCollection = certStore.getMatches(signer.getSID());
        Iterator<X509CertificateHolder> certIt = certCollection.iterator();
        X509CertificateHolder cert = certIt.next();
        System.out.println("verify returns: "
                + signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)));
    }

I get an exception on the first line of code (the CMSSignedDataParser constructor):

java.lang.ClassCastException: org.bouncycastle.asn1.DERSequenceParser cannot be cast to org.bouncycastle.asn1.ASN1OctetStringParser
at org.bouncycastle.cms.CMSSignedDataParser.<init>(Unknown Source)
at org.bouncycastle.cms.CMSSignedDataParser.<init>(Unknown Source)
at org.bouncycastle.cms.CMSSignedDataParser.<init>(Unknown Source)

After some analysis I found that the content of the SignedData contentInfo is a SEQUENCE. It seems Bouncy Castle cannot accept a SEQUENCE as the content.

How can I verify this SignedData in Java with Bouncy Castle?


The problem here is that, unlike a regular CMS message, this is actually a PKCS#7 message. Support for these has now been added to Bouncy Castle's bcpkix API.

You can find it in the latest beta at http://www.bouncycastle.org/betas (1.54b12 or later).
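Neither snippet on this page establishes that the signer is trusted: the C# code calls CheckSignature(true), which verifies the signature only, and the Java loop only checks signer.verify(), which proves the signature over the content (and signed attributes) with whatever certificate happens to be embedded in the message. The example below is an added illustration, not code from the question, the answer, or the Bouncy Castle project. It assumes a Bouncy Castle release that includes the PKCS#7 support mentioned in the answer (1.54 or later), uses the non-streaming CMSSignedData class, and adds the step both snippets omit: building a PKIX path from the signer certificate to an anchor in a caller-supplied trust store. The file paths, the truststore password, and the decision to disable revocation checking are assumptions for the example.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Store;

public class VerifySignedData {

    /**
     * Returns true only if every SignerInfo has a valid signature AND its
     * certificate chains to an anchor in trustStore. Any failure returns false
     * or throws; callers should treat both as "not verified".
     */
    static boolean verify(byte[] der, KeyStore trustStore) throws Exception {
        CMSSignedData signedData = new CMSSignedData(der);
        Store<X509CertificateHolder> certStore = signedData.getCertificates();
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");

        // Collect every certificate embedded in the message; they are only
        // used as untrusted intermediates when building the path below.
        List<X509Certificate> embedded = new ArrayList<>();
        for (X509CertificateHolder h : certStore.getMatches(null)) {
            embedded.add(conv.getCertificate(h));
        }
        CertStore intermediates = CertStore.getInstance(
                "Collection", new CollectionCertStoreParameters(embedded));

        Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            return false; // a SignedData with no signers proves nothing
        }
        for (SignerInformation signer : signers) {
            // Locate the signer certificate by the SignerIdentifier (issuer/serial or SKI)
            Collection<X509CertificateHolder> matches = certStore.getMatches(signer.getSID());
            if (matches.isEmpty()) {
                return false;
            }
            X509CertificateHolder holder = matches.iterator().next();

            // Step 1: cryptographic check of the signature (and message digest attribute)
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(holder))) {
                return false;
            }

            // Step 2: trust check - build a PKIX path to an anchor in trustStore
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(conv.getCertificate(holder));
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
            params.addCertStore(intermediates);
            // Assumption for this example: revocation (CRL/OCSP) is checked elsewhere.
            params.setRevocationEnabled(false);
            // Throws CertPathBuilderException when no path to a trust anchor exists.
            CertPathBuilder.getInstance("PKIX").build(params);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Assumed paths: args[0] = SignedData.bin, args[1] = JKS truststore, args[2] = its password
        byte[] der = Files.readAllBytes(Paths.get(args[0]));
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (java.io.InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            trustStore.load(in, args[2].toCharArray());
        }
        boolean ok;
        try {
            ok = verify(der, trustStore);
        } catch (Exception e) {
            ok = false; // decoding, signature or path-building failure
        }
        System.out.println("verified: " + ok);
    }
}
```

The trust store should contain only the CA certificates you actually expect to sign this data; certificates carried inside the message are deliberately added as intermediates, never as anchors, because an attacker controls that part of the input. With revocation disabled as above, the check is equivalent in strength to chain validation without CRL/OCSP, so enable revocation or check it separately before relying on the result in production.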