如何正確簽署cmp請求消息？ （java，bouncy castle）

Question

我嘗試在證書頒發機構（cmp服務器）上通過cmp（證書管理協議）吊銷證書，並獲取錯誤代碼「無效簽名密鑰代碼」。我認爲它是我簽署cmp消息的方式的原因，那裏出了問題。

我建立與org.bouncycastle.asn1.cmp.PKIHeaderBuilder的頭和身體與org.bouncycastle.asn1.crmf.CertTemplateBuilder：

CertTemplateBuilder builderCer = new CertTemplateBuilder(); 

// cert to revoke 
builderCer.setIssuer(issuer);    
builderCer.setSerialNumber(serial); 

//body 
ArrayList revDetailsList = new ArrayList(); 
revDetailsList.add(new RevDetails(builderCer.build())); 
RevReqContent revReqContent = new RevReqContent((RevDetails[]) revDetailsList.toArray(new RevDetails[revDetailsList.size()])); 
PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REQ, revReqContent); 

// header 
X509Name recipient = new X509Name("CN=recipient"); 
X509Name sender = new X509Name("CN=sender"); 
int pvno = 1; 
PKIHeaderBuilder builderHeader = new PKIHeaderBuilder(pvno, new GeneralName(sender), new GeneralName(recipient)); 
AlgorithmIdentifier algId = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.10045.4.1")); 
builderHeader.setProtectionAlg(algId); 
PKIHeader header = builderHeader.build(); 

然後我必須簽署整個消息，似乎有以不同的方式。在extracerts（CMPCertificate）中，我必須添加簽名的公鑰，簽名必須使用該公鑰驗證。我如何正確地爲這種申請簽署此消息？我試過org.bouncycastle.asn1.cmp.PKIMessages和org.bouncycastle.cert.cmp.ProtectedPKIMessage。

PKIMessages：

DERBitString signature = new DERBitString(createSignature("signature".getBytes())); 
X509Certificate signercert = convertToX509Cert(certPEM); 
CMPCertificate cmpCert = new CMPCertificate(org.bouncycastle.asn1.x509.Certificate.getInstance(signercert.getEncoded())); 

PKIMessage message = new PKIMessage(header, body, signature, new CMPCertificate[] { cmpCert }); 

// createsignature() 
private static byte[] createSignature(byte[] str){ 
Signature dsa = Signature.getInstance("SHA256WithRSA"); 
dsa.initSign(privateKey); 
dsa.update(str, 0, str.length); 
signature = dsa.sign(); 
return signature; 

- >從CMP服務器錯誤： 「SIGNATURE_INVALID_KEY_CODE」

ProtectedPKIMessage：

ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider(BouncyCastleProvider.PROVIDER_NAME).build((PrivateKey) ks.getKey(KEYSTORE_ALIAS, KEYSTORE_PWD.toCharArray())); 

ProtectedPKIMessage message = new ProtectedPKIMessageBuilder(pvno, new GeneralName(sender), new GeneralName(recipient)) 
.addCMPCertificate(new X509CertificateHolder(ks.getCertificate(KEYSTORE_ALIAS).getEncoded())) 
.setBody(body).build(signer); 

- >從CMP服務器錯誤： 「ERROR_READING_CMS_OBJECT_CODE」

我簽署cmp請求消息的方式是否正確？ PKIMessage和'protection'參數和org.bouncycastle.cert.cmp.ProtectedPKIMessage之間有什麼區別？

Answer 1

這是我用來登錄CMP請求

GeneralName generalName = new GeneralName(subjectDN); 
ProtectedPKIMessageBuilder pbuilder = new 
ProtectedPKIMessageBuilder(generalName, 
        protectedPKIMessage.getHeader().getSender()); 
      pbuilder.setBody(pkibody); 
      ContentSigner msgsigner = new 
      JcaContentSignerBuilder(contentSignerBuilder)// 
        .setProvider("BC")// 
        .build(getKey().getPrivate()); 

      ProtectedPKIMessage message = pbuilder.build(msgsigner) 

的方式;

Answer 2

我還發現了另一種解決方案通過使用PKIMessage（不ProtectedPKIMessage）：

// ProtectedPart from bouncy castle 
ProtectedPart protectedPart = new ProtectedPart(header, body); 

Signature signature = Signature.getInstance("1.2.840.113549.1.1.11", "BC"); 
signature.initSign((PrivateKey) key); 
signature.update(protectedPart.getEncoded()); 
byte[] sigBytes = signature.sign(); 
DERBitString signatureDER = new DERBitString(sigBytes); 

PKIMessage message = new PKIMessage(header, body, signatureDER, new CMPCertificate[] { cmpCert });