Bouncy城​​堡我不能得到所有的证书 [英] Bouncy Castle i cannot get all certificate

问题描述

我尝试从smime.p7s档案读取凭证，凭证链是：

Baltimora Cyber​​ Trust - > DigitPA - > Aruba PEC

所以当我试图提取时，我只检索最后两个证书，最后一个像主题和第一个像发行者。
我错了什么？

代码：

  private List< CertificateInfo>读取（ASN1InputStream asn1Stream）throws IOException，CMSException，CertificateException {
 ArrayList< CertificateInfo> infos = new ArrayList< CertificateInfo>（）; 
 ASN1Primitive obj = asn1Stream.readObject（）; 
 ContentInfo contentInfo = ContentInfo.getInstance（obj）; 
 CMSSignedData cms = new CMSSignedData（contentInfo）; 
 JcaX509CertificateConverter converter = new JcaX509CertificateConverter（）。setProvider（BouncyCastleProvider.PROVIDER_NAME）; 
 Store store = cms.getCertificates（）; 
 SignerInformationStore signersInfoStore = cms.getSignerInfos（）; 
 Collection< SignerInformation> signers = signersInfoStore.getSigners（）; 
 logger.debug（signers num [+ signers.size（）+]）; 
 for（SignerInformation si：signers）{
 SignerId sid = si.getSID（）; 
 Collection< X509CertificateHolder> holders = store.getMatches（sid）; 
 logger.debug（holders num [+ holders.size（）+]）; 
 for（X509CertificateHolder certholder：holders）{
 X509Certificate cert = converter.getCertificate（certholder）; 
 logger.debug（Issuer [+ cert.getPublicKey（）+]）; 
 CertificateInfo certInfo = util.parse（cert）; 
 infos.add（certInfo）; 
} 
} 
 return infos; 
} 
  

我使用这些有弹性的城堡jar像属性：

 < dependency> 
< groupId> bouncycastle< / groupId> 
< artifactId> bcprov-jdk15< / artifactId> 
< version> 150< / version> 
< / dependency> 
< dependency> 
< groupId> bouncycastle< / groupId> 
< artifactId> bcmail-jdk15< / artifactId> 
< version> 150< / version> 
< / dependency> 
< dependency> 
< groupId> bouncycastle< / groupId> 
< artifactId> bcpg-jdk15< / artifactId> 
< version> 150< / version> 
< / dependency> 
< dependency> 
< groupId> bouncycastle< / groupId> 
< artifactId> bcpkix-jdk15< / artifactId> 
< version> 150< / version> 
< / dependency>提前感谢
  

。

方案

可能没有错。 PKI使用树状结构。可以使用DigitPA来信任Aruba PEC。但你怎么信任DigitPA呢？最常见的方法是将根证书存储在信任存储中。这种信任存储是例如。由应用程序分发（如Web浏览器中的信任存储）。

现在，如果Baltimora Cyber​​ Trust已经在信任存储中，则不需要在PKCS＃7容器中发送。

因此，您可以直接从信任存储区读取证书，或者从证书链中检索根证书创建用于验证。

I'm trying to read certificate from smime.p7s file, the certificate chain is:

Baltimora Cyber Trust --> DigitPA --> Aruba PEC

So when i'm trying to extract, I retrieve only the last two certificate, the last like subject and the first like issuer. What am I wrong?

the code:

private List<CertificateInfo> reading(ASN1InputStream asn1Stream) throws IOException, CMSException, CertificateException {
        ArrayList<CertificateInfo> infos = new ArrayList<CertificateInfo>();
        ASN1Primitive obj = asn1Stream.readObject();
        ContentInfo contentInfo = ContentInfo.getInstance(obj);
        CMSSignedData cms = new CMSSignedData(contentInfo);
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
        Store store = cms.getCertificates();
        SignerInformationStore signersInfoStore = cms.getSignerInfos();
        Collection<SignerInformation> signers = signersInfoStore.getSigners();
        logger.debug("signers num [" + signers.size() + "]");
        for (SignerInformation si : signers) {
            SignerId sid = si.getSID();
            Collection<X509CertificateHolder> holders = store.getMatches(sid);
            logger.debug("holders num [" + holders.size() + "]");
            for (X509CertificateHolder certholder : holders) {
                X509Certificate cert = converter.getCertificate(certholder);
                logger.debug("Issuer [" + cert.getPublicKey() + "]");
                CertificateInfo certInfo = util.parse(cert);
                infos.add(certInfo);
            }
        }
        return infos;
    }

I'm using these bouncy castle jar like dependecies:

        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcprov-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcmail-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcpg-jdk15</artifactId>
            <version>150</version>
        </dependency>
        <dependency>
            <groupId>bouncycastle</groupId>
            <artifactId>bcpkix-jdk15</artifactId>
            <version>150</version>
        </dependency>

thanks in advance.

解决方案

Probably nothing is wrong. PKI works with a tree-like structure. It is possible to trust Aruba PEC using DigitPA. But how can you trust DigitPA? The most common method is to store the root certificate in a trust store. This trust store is e.g. distributed by the application (like the trust store within web browsers).

Now if the Baltimora Cyber Trust is already in the trust store, there is no need to send it within the PKCS#7 container. The certificate chain can be constructed to the trusted root without it.

So you either read the cert from the trust store directly, or you retrieve the root cert from the certificate chain created for verification.

这篇关于Bouncy城​​堡我不能得到所有的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！