問題描述

我想使用 bouncycastle 生成一個(gè)簡(jiǎn)單的 CMS 簽名.此代碼有效！

I want to generate a simple CMS signature using bouncycastle. This code works!

  Security.addProvider(new BouncyCastleProvider());
  String password = "123456";
  KeyStore ks = KeyStore.getInstance("PKCS12");
  ks.load(new FileInputStream("c:/cert_123456.p12"), password.toCharArray());
  String alias = (String)ks.aliases().nextElement();
  PrivateKey key = (PrivateKey)ks.getKey(alias, password.toCharArray());
  Certificate[] chain = ks.getCertificateChain(alias);

  CMSSignedDataGenerator generator = new CMSSignedDataGenerator();

  generator.addSigner(key, (X509Certificate)chain[0], CMSSignedDataGenerator.DIGEST_SHA1);
  ArrayList list = new ArrayList();
  for (int i = 0; i < chain.length; i++) {
       list.add(chain[i]);
  }
  CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), "BC");
  generator.addCertificatesAndCRLs(chainStore);
  CMSProcessable content = new CMSProcessableByteArray("test".getBytes());
  CMSSignedData signedData = generator.generate(content, false, "BC");

  byte[] pk = signedData.getEncoded();

但是，如何添加簽名屬性?
我想刪除默認(rèn)簽名屬性并添加簽名策略標(biāo)識(shí)符.

But, how to add signed attributes?
I want to remove default signed attributes and add signature-policy-identifier.

文章非常受歡迎.

推薦答案

首先，您似乎在使用在最新版本的 Bouncy Castle 中已棄用的構(gòu)造.要添加經(jīng)過身份驗(yàn)證/簽名的 屬性，您必須將它們打包到 AttributeTable 簽名屬性被添加到簽名者中所以:

First of all you appear to be using constructs that are deprecated in the latest versions of Bouncy Castle. To add authenticated/signed attributes you have to package them into an AttributeTable Signed attributes are added to the signer like so:

ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
signedAttributes.add(new Attribute(CMSAttributes.contentType, new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"))));
signedAttributes.add(new Attribute(CMSAttributes.messageDigest, new DERSet(new DEROctetString(digestBytes))));
signedAttributes.add(new Attribute(CMSAttributes.signingTime, new DERSet(new DERUTCTime(signingDate))));

AttributeTable signedAttributesTable = new AttributeTable(signedAttributes);

然后在 addSigner 方法之一中使用它.正如我在開始時(shí)已經(jīng)提到的，這種方法已被棄用，我們鼓勵(lì)您使用生成器和生成器生成器.這是一個(gè)簡(jiǎn)短的例子:

Then use it in one of the addSigner methods. As I already mentioned in the beginning this method is deprecated and you are encouraged to use Generators and Generator Builders. Here's a short example:

    /* Construct signed attributes */
    ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
    signedAttributes.add(new Attribute(CMSAttributes.contentType, new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"))));
    signedAttributes.add(new Attribute(CMSAttributes.messageDigest, new DERSet(new DEROctetString(digestBytes))));
    signedAttributes.add(new Attribute(CMSAttributes.signingTime, new DERSet(new DERUTCTime(signingDate))));

    AttributeTable signedAttributesTable = new AttributeTable(signedAttributes);
    signedAttributesTable.toASN1EncodableVector();
    DefaultSignedAttributeTableGenerator signedAttributeGenerator = new DefaultSignedAttributeTableGenerator(signedAttributesTable);

    /* Build the SignerInfo generator builder, that will build the generator... that will generate the SignerInformation... */
    SignerInfoGeneratorBuilder signerInfoBuilder = new SignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build());
    signerInfoBuilder.setSignedAttributeGenerator(signedAttributeGenerator);
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    JcaContentSignerBuilder contentSigner = new JcaContentSignerBuilder("SHA1withRSA");
    contentSigner.setProvider("BC");

    generator.addSignerInfoGenerator(signerInfoBuilder.build(contentSigner.build(this.signingKey), new X509CertificateHolder(this.signingCert.getEncoded())));

    ArrayList<X509CertificateHolder> signingChainHolder = new ArrayList<X509CertificateHolder>();
    Iterator i = this.signingChain.iterator();
    while (i.hasNext()) {
        X509CertificateObject cert = (X509CertificateObject)i.next();
        signingChainHolder.add(new X509CertificateHolder(cert.getEncoded()));
    }

    generator.addCertificates(new JcaCertStore(signingChainHolder));
    generator.generate(new CMSAbsentContent(), "BC").getEncoded();

它相當(dāng)笨重，可能還不能工作(我正在編寫它，并在研究一些東西時(shí)偶然發(fā)現(xiàn)了你的問題)，尤其是簽名日期部分，它可能必須是 new DERSet(新時(shí)間(新日期))(更新:它適用于DERUTCTime).

It's quite bulky and probably doesn't work yet (I'm in the process of writing it and stumbled upon your question while researching some stuff), especially the signingDate part, it probably has to be new DERSet(new Time(new Date)) (update: it works with DERUTCTime).

有點(diǎn)離題:我仍然無法理解 Signed 和 Authenticated 屬性之間的區(qū)別，Bouncy Castle 擁有 DefaultAuthenticatedAttributeTableGenerator、DefaultSignedAttributeTableGenerator 類，它們與 Signers 完美配合.兩者在簽名時(shí)間方面似乎存在一些細(xì)微差別，如果不存在，SignedAttributes 默認(rèn)會(huì)添加簽名時(shí)間.RFC 提到了這兩種屬性類型，但我找不到任何確定的內(nèi)容.

A bit of offtopic: I still can't get my head around the difference between Signed and Authenticated attributes, Bouncy Castle has got both DefaultAuthenticatedAttributeTableGenerator, DefaultSignedAttributeTableGenerator classes which work perfectly well with Signers. There seem to be some minor differences between the two in regards to signingTime, SignedAttributes adds the signingTime by default if not present. The RFCs mention both attribute types, but I couldn't find anything definite.

這篇關(guān)于使用 BouncyCastle 向 CMS 簽名添加簽名/認(rèn)證屬性的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！