Cannot verify signature (cmssigneddata) bouncycastle

Views: 686

Problem description

When I want to verify my signature made with BouncyCastle I don't get into the second while loop of the verifySignature method. The store.getMatches() gives back an empty array.

// Imports added for completeness. store, storeType, storePathKey, storePassword,
// sigAlgo and fileChooser() are fields and helpers defined elsewhere in the original class.
import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Collection;
import java.util.Iterator;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Store;

public static CMSSignedData sign() throws Exception {
    byte[] file = fileChooser();
    // Load the signer's private key and certificate from the key store
    store = KeyStore.getInstance(storeType);
    FileInputStream in = new FileInputStream(new File(storePathKey));
    store.load(in, storePassword);
    in.close();

    Key priv = store.getKey("Subject", storePassword);
    System.out.println(priv.toString() + "priv string");
    X509Certificate cert = (X509Certificate) store.getCertificate("Subject"); // was misspelled geCertificate
    ContentSigner signer = new JcaContentSignerBuilder(sigAlgo).build((RSAPrivateKey) priv);

    CMSTypedData data = new CMSProcessableByteArray(file);
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
        .build(signer, cert));
    // Note: no certificate is added to the generator here, so the resulting
    // SignedData carries no certificates for the verifier to look up.
    CMSSignedData sigData = gen.generate(data, true); // true = encapsulate the content

    return sigData;
}

public static void verifySig(CMSSignedData sigData) throws Exception {
    Store store = sigData.getCertificates();            // certificates embedded in the signature
    SignerInformationStore signers = sigData.getSignerInfos();
    System.out.println(store.toString() + "store");
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
        System.out.println("enter while loop1");
        SignerInformation signer = (SignerInformation) it.next();

        // Look up the signer's certificate by its SignerId (issuer + serial or subject key id)
        Collection certCollection = store.getMatches(signer.getSID());
        Iterator certIt = certCollection.iterator();
        System.out.println(store.getMatches(null) + "collection of certs");

        while (certIt.hasNext()) {
            System.out.println("enter while loop2");
            X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHolder);

            if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) {
                System.out.println("verified correct");
            } else {
                System.out.println("not verified");
            }
        }
    }
}

Am I missing something in the sign() method?

Recommended answer

You need to add the certificate to a org.bouncycastle.util.CollectionStore, and add this store to the signature.

I'm using BouncyCastle 1.56.

import java.util.Collections;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.CollectionStore;

// add these lines after gen.addSignerInfoGenerator(...)

// cert is your X509Certificate
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
CollectionStore<X509CertificateHolder> certStore = new CollectionStore<>(Collections.singletonList(holder));
gen.addCertificates(certStore); // add the store to the signature

The CollectionStore is useful when you want to add more than one certificate. If you want to add just one, you can also do:

X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
gen.addCertificate(holder);

The output I get:

enter while loop1
[org.bouncycastle.cert.X509CertificateHolder@5bc807a8]collection of certs
enter while loop2
verified correct
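A complete sign-and-verify round trip, added here as an example (not code from the question or the answer), that applies the fix above and additionally pins the verifier to a caller-supplied trusted certificate: the certificate embedded in the SignedData is only a lookup aid for the SignerId, it is supplied by the signer and proves nothing by itself. Assumes bcprov and bcpkix on the classpath; the RSA key pair and the self-signed certificate are constructed in main() rather than loaded from a KeyStore.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.util.Store;

public class CmsRoundTrip {
    // Sign 'content' and embed the signer certificate so a verifier can find it by SignerId.
    static CMSSignedData sign(byte[] content, PrivateKey key, X509Certificate cert) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(signer, cert));
        gen.addCertificate(new X509CertificateHolder(cert.getEncoded())); // the fix from the answer
        return gen.generate(new CMSProcessableByteArray(content), true);
    }

    // Accept only signers whose embedded certificate equals the trusted one the caller already holds.
    static boolean verify(byte[] encoded, X509Certificate trusted) throws Exception {
        CMSSignedData sd = new CMSSignedData(encoded);
        Store<X509CertificateHolder> certs = sd.getCertificates();
        for (SignerInformation si : sd.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = certs.getMatches(si.getSID());
            if (matches.isEmpty()) return false; // the empty-store symptom from the question
            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(matches.iterator().next());
            if (!cert.equals(trusted)) return false; // signed by a certificate we do not trust
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed test key
        X500Name name = new X500Name("CN=Subject");
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(name, BigInteger.ONE, // self-signed test cert
                new Date(), new Date(System.currentTimeMillis() + 86400000L), name, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
        byte[] encoded = sign("hello".getBytes("UTF-8"), kp.getPrivate(), cert).getEncoded();
        System.out.println("verified: " + verify(encoded, cert));
    }
}
```

Passing a different certificate as `trusted` makes verify() return false even though the signature itself is cryptographically valid, which is the check the question's verifySig() never performs.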
