Estoy trabajando en la firma y codificación de mensajes CMS / PKCS # 7 (algo similar a C # SignedCms ).
Tengo un certificado x509 del almacén de claves, rsa clave privada,
ContentInfo. ContentType es "oidPkcs7Data".
No entiendo muy bien qué debo hacer a continuación.
Pensé:
- generar una firma y firmar datos de ContentInfo
Signature signature = Signature.getInstance("MD5withRSA"); signature.initSign(rsaPrivateKeyFromStore); signature.update(contentInfo.getData()); signedData = signature.sign();
- codifica signedData + signature.
PKCS7 pkcs7 = new PKCS7(signedData); ByteArrayOutputStream baos = new ByteArrayOutputStream(); pkcs7.encodeSignedData(baos);
Pero tengo la excepción
sun.security.pkcs.ParsingException: Unable to parse the encoded bytes at sun.security.pkcs.PKCS7.(PKCS7.java:94)
Obviamente lo estoy haciendo mal.
También me gustaría hacerlo sin BouncyCastle o Classpth o smth como estos.
¿Es posible usar solo clases sun.security. *? Yo uso java 1.5.
Soy nuevo en el mundo de DigitalSignature y agradecemos cualquier ayuda o consejo.
UPD
Generé mi propio certificado e intenté firmar los datos con él.
Código .Net
X509Certificate2 certificate = new X509Certificate2("X:\mypfxstore.pfx", "123");
String text = "text";
ContentInfo contentInfo = new ContentInfo(System.Text.Encoding.UTF8.GetBytes(text));
SignedCms cms = new SignedCms(contentInfo, false);
CmsSigner signer = new CmsSigner(certificate);
signer.IncludeOption = X509IncludeOption.None;
signer.DigestAlgorithm = new Oid("SHA1");
cms.ComputeSignature(signer, false);
byte[] signature = cms.Encode();
print(signature);
Código .Java
char[] password = "123".toCharArray();
String text = "text";
FileInputStream fis = new FileInputStream("X:\mypfxstore.pfx");
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(fis, password);
String alias = ks.aliases().nextElement();
PrivateKey pKey = (PrivateKey)ks.getKey(alias, password);
X509Certificate c = (X509Certificate)ks.getCertificate(alias);
//Data to sign
byte[] dataToSign = text.getBytes("UTF-8");
//compute signature:
Signature signature = Signature.getInstance("SHA1WithRSA");
signature.initSign(pKey);
signature.update(dataToSign);
byte[] signedData = signature.sign();
//load X500Name
X500Name xName = X500Name.asX500Name(c.getSubjectX500Principal());
//load serial number
BigInteger serial = c.getSerialNumber();
//laod digest algorithm
AlgorithmId digestAlgorithmId = new AlgorithmId(AlgorithmId.SHA_oid);
//load signing algorithm
AlgorithmId signAlgorithmId = new AlgorithmId(AlgorithmId.RSAEncryption_oid);
//Create SignerInfo:
SignerInfo sInfo = new SignerInfo(xName, serial, digestAlgorithmId, signAlgorithmId, signedData);
//Create ContentInfo:
ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));
//Create PKCS7 Signed data
PKCS7 p7 = new PKCS7(new AlgorithmId[] { digestAlgorithmId }, cInfo,
new java.security.cert.X509Certificate[] { /*cert,*/ },
new SignerInfo[] { sInfo });
//Write PKCS7 to bYteArray
ByteArrayOutputStream bOut = new DerOutputStream();
p7.encodeSignedData(bOut);
byte[] encoded = bOut.toByteArray();
print(encoded);
salida de Java
length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10705A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511
Salida .Net
length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10701A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511
Ejemplo de certificado ejemplo