从CMSSignedData获取签名链 [英] Get signing chain from CMSSignedData

问题描述

如何从 CMSSignedData (BouncyCastle)获取签名链，以通过签名链存储进行验证?

How can I get a signing chain from a CMSSignedData (BouncyCastle) to verify it with the signing chain store?

Certificate[] storeCertChain = store.getCertificateChain(alias)

没有命令或类似的东西我可以获取数据的签名链吗?还是从签名链那里获得证书?

Isn't there a command or something like this I can get the signing chain of the data? Or get the certificate from it and there from the signing chain?

推荐答案

用于签署可能的证书链位于 CMSSignedData 中，但这不是强制性的.

The chain of the certificate used to sign might be in the CMSSignedData, but it's not mandatory.

根据 RFC 3852 ，CMS SignedData具有

According to RFC 3852, a CMS SignedData has the following structure (described in section 5.1):

SignedData ::= SEQUENCE {
    version CMSVersion,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encapContentInfo EncapsulatedContentInfo,
    certificates [0] IMPLICIT CertificateSet OPTIONAL,
    crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
    signerInfos SignerInfos }

certificates 字段描述为:

certificates是证书的集合.旨在证书集足以包含证书来自公认的根"或顶级认证"的路径权限"授予signerInfos字段中的所有签名者.有可能会多余的证书，并且可能会有足以包含两个或两个以上证书路径的证书更多独立的顶级证书颁发机构.可能证书数量也少于必要(如果可以预期的话)接收者有另一种获取必要信息的方式证书(例如，来自先前的一组证书).这包括签署人的证书 MAY .

certificates is a collection of certificates. It is intended that the set of certificates be sufficient to contain certification paths from a recognized "root" or "top-level certification authority" to all of the signers in the signerInfos field. There may be more certificates than necessary, and there may be certificates sufficient to contain certification paths from two or more independent top-level certification authorities. There may also be fewer certificates than necessary, if it is expected that recipients have an alternate means of obtaining necessary certificates (e.g., from a previous set of certificates). The signer's certificate MAY be included.

请注意， certificates 字段是可选的，即使存在，其所有内容也是可选的.因此，此字段可能包含证书链，但不能保证.

Note that the certificates field is optional, and even when it's present, all its contents are also optional. So, this field might contain the certificate chain, but it's not guaranteed.

如果存在，您可以通过 BouncyCastle (我使用的是 1.56 版本)来获取它:

If this field is present, you can get it with BouncyCastle (I'm using version 1.56):

import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.util.Store;

CMSSignedData sigData = ...
Store store = sigData.getCertificates();

没有证书时，我不确定 getCertificates()是否返回 null 或空的 Store (我认为可能是视具体情况而定).

When there are no certificates, I'm not sure if getCertificates() returns null or an empty Store (I think it may vary according to implementation).

如果 Store 不是 null ，则可以检查签名者的证书是否存在:

If the Store is not null, you can check if the signer's certificate is present:

import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;

SignerInformationStore signers = sigData.getSignerInfos();
Collection<SignerInformation> c = signers.getSigners();
for (SignerInformation signer : c) {
    // this collection will contain the signer certificate, if present
    Collection signerCol = store.getMatches(signer.getSID());
}

signerCol 集合将包含签名者证书，如果它存在于 certificates 字段中.然后，您可以像使用在另一个问题中一样使用它来验证签名.

The signerCol collection will contain the signer certificate, if it's present in the certificates field. Then you can use it to verify the signature, exactly like you were doing in your other question.

要检查整个链是否都在CMS结构中，可以在 Store 中获取所有证书，并检查它们是否在那里.要将所有内容存储在 Store 中，您可以使用类似于此处的代码:

To check if the whole chain is in the CMS structure, you can get all the certificates in the Store and check if they're there. To get everything inside a Store, you can use code similar to used here:

Collection<X509CertificateHolder> allCerts = store.getMatches(null);

在我使用的版本( BouncyCastle 1.56 )中，传递 null 会返回商店中的所有证书.然后，您可以检查该链是否在 allCerts 集合内.

In the version I'm using (BouncyCastle 1.56), passing null returns all the certificates in the store. You can then check if the chain is inside the allCerts collection.

如果该链不存在，则必须将其移到其他位置.

If the chain is not present, you'll have to get it elsewhere.

• 如果您拥有签名者(最终实体)证书，则可以使用授权信息访问权限尝试使用它(请检查此答案)
• 如果不可能，则必须下载链或使用签名者获得证书

这篇关于从CMSSignedData获取签名链的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！