使用BC驗證分離簽名

Question

如何使用Java中的BouncyCastle提供程序驗證分離簽名（CMS/pkcs＃7簽名）？

目前，我的代碼如下拋出與消息message-digest attribute value does not match calculated value

Security.addProvider(new BouncyCastleProvider()); 

File f = new File(filename); 
byte[] buffer = new byte[(int)f.length()]; 
DataInputStream in = new DataInputStream(new FileInputStream(f)); 
in.readFully(buffer); 
in.close(); 

CMSSignedData signature = new CMSSignedData(buffer); 
SignerInformation signer = (SignerInformation) signature.getSignerInfos().getSigners().iterator().next(); 
CertStore cs = signature.getCertificatesAndCRLs("Collection", "BC"); 
Iterator iter = cs.getCertificates(signer.getSID()).iterator(); 
X509Certificate certificate = (X509Certificate) iter.next(); 

CMSProcessable sc = signature.getSignedContent(); 

signer.verify(certificate, "BC"); 

Answer 1

主要用於驗證異常分離PKCS7是使用CMSTypedStream，如代碼波紋管：

public void verifySign(byte[] signedData,byte[]bPlainText) throws Exception { 
       InputStream is = new ByteArrayInputStream(bPlainText);    
       CMSSignedDataParser sp = new CMSSignedDataParser(new CMSTypedStream (is),signedData); 
       CMSTypedStream signedContent = sp.getSignedContent();   

       signedContent.drain(); 





        //CMSSignedData s = new CMSSignedData(signedData); 
        Store certStore = sp.getCertificates(); 

        SignerInformationStore signers = sp.getSignerInfos(); 
        Collection c = signers.getSigners(); 
        Iterator it = c.iterator(); 
        while (it.hasNext()) 
        { 
         SignerInformation signer = (SignerInformation)it.next(); 
         Collection certCollection = certStore.getMatches(signer.getSID()); 

         Iterator certIt = certCollection.iterator(); 

         X509CertificateHolder certHolder = (X509CertificateHolder)certIt.next(); 




         if (!signer.verify(new 
      JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder))) 
         { 
          throw new DENException("Verification FAILED! "); 

         } 
         else 
         { 
          logger.debug("verify success"); 
         } 


        } 
    } 

Answer 2

您可以驗證分離簽名通過以下代碼：

public static boolean verif_Detached(String signed_file_name,String original_file_name) throws IOException, CMSException, NoSuchAlgorithmException, NoSuchProviderException, CertStoreException, CertificateExpiredException, CertificateNotYetValidException{ 

    boolean result= false; 
    Security.addProvider(new BouncyCastleProvider()); 

    File f = new File(signed_file_name); 
    byte[] Sig_Bytes = new byte[(int)f.length()]; 
    DataInputStream in = new DataInputStream(new FileInputStream(f)); 
    in.readFully(Sig_Bytes); 
    in.close(); 

    File fi = new File(original_file_name); 
    byte[] Data_Bytes = new byte[(int)fi.length()]; 
    DataInputStream input = new DataInputStream(new FileInputStream(fi)); 
    input.readFully(Data_Bytes); 
    input.close(); 

    try{ 
     CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(Data_Bytes), Sig_Bytes); 
     CertStore certStore = cms.getCertificatesAndCRLs("Collection", "BC"); 
     SignerInformationStore signers = cms.getSignerInfos(); 
     Collection c = signers.getSigners(); 
     Iterator it = c.iterator(); 
     while (it.hasNext()) { 
      SignerInformation signer = (SignerInformation) it.next(); 
      Collection certCollection = certStore.getCertificates(signer.getSID()); 
      Iterator certIt = certCollection.iterator(); 
      X509Certificate cert = (X509Certificate) certIt.next(); 
      cert_signer=cert; 
      result=signer.verify(cert, "BC"); 
     } 
    }catch(Exception e){ 
     e.printStackTrace(); 
     result=false; 
    } 
    return result; 
} 

Answer 3

你可以找到答案呃到這個職位here。發生這種情況的原因是，當S/MIME頭文件不存在時，bouncy castle/open ssl如何處理S/MIME消息。解決方案是在signimg前添加S/MIME頭文件