如何使用BouncyCastle lightwigth API生成cms封装数据 [英] How to use BouncyCastle lightwigth API to generate cms enveloped data
问题描述
经过数小时的挣扎之后,我终于有了当前的工作代码,可以使用JCE / JCA生成带有收件人信息的CMS封装(RSA-OAEP / PKCS#1)数据:
After struggling uncountable hours I finally have the current working code to generate CMS enveloped (RSA-OAEP / PKCS#1) data with recipient info using JCE/JCA:
String digest = "SHA-256";
String mgfDigest = "SHA-256";
// Data to encrypt
CMSTypedData msg = new CMSProcessableByteArray(data);
// Generator for my CMS enveloped data
CMSEnvelopedDataGenerator envelopedDataGen = new CMSEnvelopedDataGenerator();
// Recipient Info Stuff
JcaAlgorithmParametersConverter paramsConverter = new JcaAlgorithmParametersConverter();
OAEPParameterSpec oaepSpec = new OAEPParameterSpec(digest, "MGF1", new MGF1ParameterSpec(mgfDigest), PSource.PSpecified.DEFAULT);
AlgorithmIdentifier oaepAlgId = paramsConverter.getAlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP, oaepSpec);
envelopedDataGen.addRecipientInfoGenerator(
new JceKeyTransRecipientInfoGenerator(
getCert(),
oaepAlgId).setProvider("BC"));
/*
* Generate CMS-Data
* CMSOutputEncryptor is my own Class implementing OutputEncryptor
*/
CMSEnvelopedData ed = envelopedDataGen.generate(
msg,
new CMSOutputEncryptor());
byte[] encoded = ed.getEncoded();
这可以按预期工作,但是因为它使用JCE,所以我的客户需要安装无限强度的api才能使用它码。我希望有一种方法可以克服这些需求,因为我的大多数客户的手指都是大拇指...
This works as expected but because it uses JCE my customers need to install the unlimited strength api to use this code. I would prefer a way to overcome these needs because most of my customers fingers are thumbs...
也许有人可以向我展示一段使用纯BouncyCastle方法的代码这样做,这样就不需要安装无限强度的api?
Maybe someone can show me a piece of code which use a pure BouncyCastle way of doing the same so that one don't need to install the unlimited strength api?
推荐答案
请注意,我不确定是否在所有国家/地区/所有客户都合法。
如果要删除限制,可以使用一些反射魔术。这就是我在框架中的操作方式(部分取自: https://github.com/jruby/jruby/blob/0c345e1b186bd457ebd96143c0816abe93b18fdf/core/src/main/java/org/jruby/util/SecurityHelper.java ):
If you want to remove the restriction, you can work with some reflection magic. This is how I do it in my framework (Partially taken from: https://github.com/jruby/jruby/blob/0c345e1b186bd457ebd96143c0816abe93b18fdf/core/src/main/java/org/jruby/util/SecurityHelper.java):
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
public class UnlimitedStrengthHelper {
public static void removeCryptoStrengthRestriction() {
try {
if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
Class jceSecurity = Class.forName("javax.crypto.JceSecurity");
Field isRestricted = jceSecurity.getDeclaredField("isRestricted");
if (Modifier.isFinal(isRestricted.getModifiers())) {
Field modifiers = Field.class.getDeclaredField("modifiers");
modifiers.setAccessible(true);
modifiers.setInt(isRestricted, isRestricted.getModifiers() & ~Modifier.FINAL);
modifiers.setAccessible(false);
}
isRestricted.setAccessible(true);
isRestricted.setBoolean(null, false);
isRestricted.setAccessible(false);
}
} catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException
| NoSuchAlgorithmException | NoSuchFieldException | SecurityException ex) {
System.out.println("It is not possible to use unrestricted policy with this JDK, "
+ "consider reconfiguration: " + ex.getLocalizedMessage());
}
}
}
代码首先检查是否存在限制(在这种情况下,您不能使用AES256)。然后,它使用 JceSecurity 类及其 isRestricted 字段。
The code first checks whether the restriction exists (in that case, you cannot work with AES256). Afterwards, it takes the JceSecurity class and its isRestricted field. It ensures that we can access this field and finally sets its value to false.
Btw。,谢谢您的CMS示例,它对我有很大帮助。
Btw., thank you for your CMS example, it helped me a lot.
这篇关于如何使用BouncyCastle lightwigth API生成cms封装数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
