Sign CAdES using BouncyCastle using JAVA


Problem description

According to several posts I've found out it's now possible to perform CAdES using BouncyCastle but there is hardly any documentation on the topic.

For starters I want to perform CAdES-BES without any optional signed attributes on a file with a file based certificate.

In response to dander:

I have something that might be helpful, you have your SignerInformation, you need to extend it, first you need to create an attribute from the timestamp, I'll assume you already have a TimeStampResponse as tspResp

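// tspResp is the TimeStampResponse already obtained from the TSA
TimeStampToken token = tspResp.getTimeStampToken();

// Wrap the encoded token in the signature-time-stamp attribute
// (newer BouncyCastle releases provide this parser as ASN1Primitive.fromByteArray)
Attribute timeStamp = new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(ASN1Object.fromByteArray(token.getEncoded())));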

Then you need to extend your SignerInformation

// Start from the signer's existing unsigned attributes, if there are any
AttributeTable unsigned = signerInformation.getUnsignedAttributes();
Hashtable<ASN1ObjectIdentifier, Attribute> unsignedAttrHash = null;
if (unsigned == null) {
    unsignedAttrHash = new Hashtable<ASN1ObjectIdentifier, Attribute>();
} else {
    unsignedAttrHash = signerInformation.getUnsignedAttributes().toHashtable();
}

// Add the timestamp attribute created above
unsignedAttrHash.put(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, timeStamp);

// Returns a new SignerInformation; the original object is not modified
SignerInformation newsi = SignerInformation.replaceUnsignedAttributes(signerInformation, new AttributeTable(
        unsignedAttrHash));

I think that's it.

Here is how I got the signing-certificate attribute

// DigestAlgorithm() and SigningCertificate() are the poster's own accessors (not shown):
// they return the configured digest algorithm and the signer's X.509 certificate.
Attribute signingCertificateAttribute;
MessageDigest dig = MessageDigest.getInstance(DigestAlgorithm().getName(),
    new BouncyCastleProvider());

// Hash of the DER-encoded signing certificate
byte[] certHash = dig.digest(SigningCertificate().getEncoded());

if (DigestAlgorithm() == DigestAlgorithm.SHA1) {
    // SHA-1: ESSCertID inside the signing-certificate attribute
    SigningCertificate sc = new SigningCertificate(new ESSCertID(certHash));

    signingCertificateAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(sc));

} else {
    // Any other digest: ESSCertIDv2 inside the signing-certificate-v2 attribute
    ESSCertIDv2 essCert = new ESSCertIDv2(new AlgorithmIdentifier(DigestAlgorithm().getOid()), certHash);
    SigningCertificateV2 scv2 = new SigningCertificateV2(new ESSCertIDv2[] { essCert });

    signingCertificateAttribute =  new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2));
}

Hope it helps
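An added example, not part of the original posts: a detached CMS signature carrying the signed attributes CAdES-BES requires (content-type, message-digest and signing-certificate-v2, which binds the signer certificate into the signed data), using a file-based PKCS#12 keystore. Assumptions: the class name `CadesBesSketch` and the `.p7s` output name are hypothetical, the keystore's first alias is an RSA key entry, and SHA-256 is used throughout.

```java
import java.io.FileInputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.cms.*;
import org.bouncycastle.asn1.ess.*;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.jcajce.*;

public class CadesBesSketch {
    // Assumes an RSA private key (SHA256withRSA) and its matching certificate.
    static byte[] sign(byte[] data, PrivateKey key, X509Certificate cert) throws Exception {
        // signing-certificate-v2: hash of the signer certificate, covered by the signature
        byte[] certHash = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        ESSCertIDv2 id = new ESSCertIDv2(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256), certHash);
        ASN1EncodableVector attrs = new ASN1EncodableVector();
        attrs.add(new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2,
                new DERSet(new SigningCertificateV2(new ESSCertIDv2[] { id }))));
        // The default generator adds content-type and message-digest (and also signing-time).
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build())
            .setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(attrs)))
            .build(new JcaContentSignerBuilder("SHA256withRSA").build(key), cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        return gen.generate(new CMSProcessableByteArray(data), false).getEncoded(); // false = detached
    }

    public static void main(String[] args) throws Exception {
        // args: <keystore.p12> <file to sign>; password is read from an interactive console
        char[] pw = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        String alias = ks.aliases().nextElement(); // assumption: single key entry
        byte[] sig = sign(Files.readAllBytes(Paths.get(args[1])),
                (PrivateKey) ks.getKey(alias, pw), (X509Certificate) ks.getCertificate(alias));
        Files.write(Paths.get(args[1] + ".p7s"), sig);
    }
}
```

The signing-time attribute that BouncyCastle's default generator adds is optional in CAdES-BES; a custom `CMSAttributeTableGenerator` is needed to leave it out.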

Recommended answer

CAdES is an extension of CMS (aka PKCS7), which is possible to do with BouncyCastle. RFC5126 contains everything needed for a CAdES signature. Also, I recommend looking up info on ASN.1, since most of the parts are described in that format.

I am currently on the hunt for the same answer you are looking for and found that the book Beginning Cryptography with Java by David Hook gives a lot of detailed information you might need.
