I am working on signing and encoding of CMS/PKCS#7 messages (something similar to C# SignedCms).
I have x509certificate from the keystore, rsa private key,
ContentInfo. ContentType is "oidPkcs7Data".
I don't quite understand what should I do next.
I thought:
- generate a signature and sign ContentInfo data
Signature signature = Signature.getInstance("MD5withRSA"); signature.initSign(rsaPrivateKeyFromStore); signature.update(contentInfo.getData()); signedData = signature.sign();
- encode signedData+signature.
PKCS7 pkcs7 = new PKCS7(signedData); ByteArrayOutputStream baos = new ByteArrayOutputStream(); pkcs7.encodeSignedData(baos);
But I got the exception
sun.security.pkcs.ParsingException: Unable to parse the encoded bytes at sun.security.pkcs.PKCS7.(PKCS7.java:94)
Obviously I am doing it wrong.
Also I'd like to do it without BouncyCastle or Classpth or smth like these ones.
Is there possible to use just sun.security.* classes? I use java 1.5.
I am a new in DigitalSignature world and any help or advice is appreciated.
UPD
I generated my own certificate and tried to sign the data with it.
.Net code
X509Certificate2 certificate = new X509Certificate2("X:\\mypfxstore.pfx", "123");
String text = "text";
ContentInfo contentInfo = new ContentInfo(System.Text.Encoding.UTF8.GetBytes(text));
SignedCms cms = new SignedCms(contentInfo, false);
CmsSigner signer = new CmsSigner(certificate);
signer.IncludeOption = X509IncludeOption.None;
signer.DigestAlgorithm = new Oid("SHA1");
cms.ComputeSignature(signer, false);
byte[] signature = cms.Encode();
print(signature);
.Java code
char[] password = "123".toCharArray();
String text = "text";
FileInputStream fis = new FileInputStream("X:\\mypfxstore.pfx");
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(fis, password);
String alias = ks.aliases().nextElement();
PrivateKey pKey = (PrivateKey)ks.getKey(alias, password);
X509Certificate c = (X509Certificate)ks.getCertificate(alias);
//Data to sign
byte[] dataToSign = text.getBytes("UTF-8");
//compute signature:
Signature signature = Signature.getInstance("SHA1WithRSA");
signature.initSign(pKey);
signature.update(dataToSign);
byte[] signedData = signature.sign();
//load X500Name
X500Name xName = X500Name.asX500Name(c.getSubjectX500Principal());
//load serial number
BigInteger serial = c.getSerialNumber();
//laod digest algorithm
AlgorithmId digestAlgorithmId = new AlgorithmId(AlgorithmId.SHA_oid);
//load signing algorithm
AlgorithmId signAlgorithmId = new AlgorithmId(AlgorithmId.RSAEncryption_oid);
//Create SignerInfo:
SignerInfo sInfo = new SignerInfo(xName, serial, digestAlgorithmId, signAlgorithmId, signedData);
//Create ContentInfo:
ContentInfo cInfo = new ContentInfo(ContentInfo.DIGESTED_DATA_OID, new DerValue(DerValue.tag_OctetString, dataToSign));
//Create PKCS7 Signed data
PKCS7 p7 = new PKCS7(new AlgorithmId[] { digestAlgorithmId }, cInfo,
new java.security.cert.X509Certificate[] { /*cert,*/ },
new SignerInfo[] { sInfo });
//Write PKCS7 to bYteArray
ByteArrayOutputStream bOut = new DerOutputStream();
p7.encodeSignedData(bOut);
byte[] encoded = bOut.toByteArray();
print(encoded);
Java output
length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10705A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511
.Net output
length=264
3082010406092A864886F70D010702A081F63081F3020101310B300906052B0E03021A0500
301306092A864886F70D0 -> 10701A <- 0060404746578743181CB3081C8020101302630123110300E06
035504031307436F6D70616E790210FCAF9B5224FB4B9F4000B5127D881E2E300906052B0E0302
1A0500300D06092A864886F70D0101010500048180636ADD9F7E218AF3CBC5A75FA2076A53BE49
03DC864E87EBA3C1EE594FAACAFE93CA6F3410D847AC0C0ACB9FD88EC9CF6B00379FA9AD256C86
7204ED81E3FA2F8F492109FF87E81398B7B489B00A35914A2B51919DAAEC2BA87CEFB5AF52294E
2448B5B150D50A39BA0471A9AA1EA2B38A4E23BBA56E029842459F0D5BA3D511
Certificate example example