将证书添加到CMS签名数据 [英] Adding Certificates to CMS Signed Data

问题描述

我目前正在使用Java Bouncy Castle库来创建CMS签名的数据(或PKCS7签名的数据).但是，我似乎不愿意添加证书(即使证书签名者已正确添加).

I am currently using the java Bouncy Castle libraries in order to create CMS signed data (or PKCS7 signed data). I seem however to be stuck with adding certificates (even though the certificate signer is properly added).

我检查了此问题有关正确的内容签名数据，但没有满足我的SCEP服务器的需求.我使用的代码来自EJBCA，但似乎没有向PKCS7签名的数据添加证书.

I checked out this question about properly signing data, but it didn't respond the needs of my SCEP server. The code I used was from EJBCA but doesn't seem to add certificates to the PKCS7 signed data.

当我使用openssl cms工具解析签名的数据时，我看到证书"字段为空".此外，当我尝试使用openssl pkcs7 [...] -print_certs打印证书时，我什么也没得到.

When I parse the signed data with the openssl cms tool, I see that the "certificates" field is "EMPTY". Additionally, when I try to the print the certs with openssl pkcs7 [...] -print_certs, I get nothing.

这是我与Bouncy Castle签署数据的方式(代码很多，但足以重现此问题):

Here is how I sign my data with Bouncy Castle (it's a lot code but enough to reproduce the issue):

CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
CMSTypedData msg;
List<X509Certificate> certList = new ArrayList<>();
// Make sure the certificate is not null
if (this.certificate != null) {
    certList.add((X509Certificate) this.certificate);
}

/**
* Create the signed CMS message to be contained inside the envelope
* this message does not contain any message, and no signerInfo
**/
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
Collection<JcaX509CertificateHolder> x509CertificateHolder = new ArrayList<>();
try {
    for (X509Certificate certificate : certList) {
        x509CertificateHolder.add(new JcaX509CertificateHolder(certificate));
    }
    CollectionStore<JcaX509CertificateHolder> store = new CollectionStore<>(x509CertificateHolder);
    gen.addCertificates(store);
} catch (Handle all exceptions) {}

上面的代码片段通常应添加证书.我是从EJBCA那里获得的.

This snippet of code above should normally add certificates. I took this from EJBCA.

这是我完成签名数据的方式:

Here is how I complete the signed data:

CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();
// I add ALL of my attributes here
// Once they're added...
Certificate caCert = this.caCertificate;
try {
    String provider = BouncyCastleProvider.PROVIDER_NAME;
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithmName).
            setProvider(provider).
            build(signerKey);
    JcaDigestCalculatorProviderBuilder calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().
            setProvider(provider);
    JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(calculatorProviderBuilder.build());
    builder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(attributes)));
    gen1.addSignerInfoGenerator(builder.build(contentSigner, (X509Certificate) ca));
} catch (Handle all exceptions) {}

// Create the signed data
CMSSignedData sd = gen1.generate(msg, true);
byte[] results = sd.getEncoded();

bytes数组的结果是DER格式的PKCS7签名数据...但未添加证书.

The bytes array results is the DER formatted PKCS7 signed data... but no certificate is added.

我错过了什么吗?谢谢您的帮助！

Am I missing something? Thank you for your help!

推荐答案

CMSSignedDataGenerator gen1必须显式添加我不知道的证书.

The CMSSignedDataGenerator gen1 has to explicitly add the certificate, which I wasn't aware of.

可以简单地通过以下方式完成

It can simply be done by:

• 将证书添加到X509Certificates的List;
• 将List转换为JcaX509CertificateHolder的Collection;
• 将此集合添加到JcaX509CertificateHolder的CollectionStore;
• 添加商店CMSSignedDataGenerator.

• Adding the certificates to a List of X509Certificates;
• Converting that List into a Collection of JcaX509CertificateHolder;
• Adding this collection to a CollectionStore of JcaX509CertificateHolder;
• Adding the store the CMSSignedDataGenerator.

代码示例:

 CMSSignedDataGenerator gen1 = new CMSSignedDataGenerator();
 List<X509Certificate> certificates = new ArrayList<>();

 // I chose to add the CA certificate
 certificates.add((X509Certificate) this.caCertificate);

 // In this case, this is a certificate that I need to add
 if (this.certificate != null)
     certificates.add((X509Certificate) this.certificate);

 // This is the recipient certificate
 if (this.recipientCert != null)
     certificates.add((X509Certificate) this.recipientCert);
 Collection<JcaX509CertificateHolder> x509CertificateHolder = new ArrayList<>();

 // Of course, we need to handle the exceptions...
 for (X509Certificate certificate : certificates) {
     x509CertificateHolder.add(new JcaX509CertificateHolder(certificate));
 }
 CollectionStore<JcaX509CertificateHolder> store = new CollectionStore<>(x509CertificateHolder);

// The final stage.
 gen1.addCertificates(store);

希望这对以后的所有人有帮助.

Hope this helps anyone in the future.

这篇关于将证书添加到CMS签名数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！