All geek questions in one place

Checking a single record with BC

How to verify a highlighted signature (CMS / pkcs # 7 signature) using the BouncyCastle provider in Java?

Currently, my code below throws an exception with the message message-digest attribute value does not match calculated value

 Security.addProvider(new BouncyCastleProvider()); File f = new File(filename); byte[] buffer = new byte[(int)f.length()]; DataInputStream in = new DataInputStream(new FileInputStream(f)); in.readFully(buffer); in.close(); CMSSignedData signature = new CMSSignedData(buffer); SignerInformation signer = (SignerInformation) signature.getSignerInfos().getSigners().iterator().next(); CertStore cs = signature.getCertificatesAndCRLs("Collection", "BC"); Iterator iter = cs.getCertificates(signer.getSID()).iterator(); X509Certificate certificate = (X509Certificate) iter.next(); CMSProcessable sc = signature.getSignedContent(); signer.verify(certificate, "BC");
+6
source share
3 answers

You can verify the selected signature with the following code:

 public static boolean verif_Detached(String signed_file_name,String original_file_name) throws IOException, CMSException, NoSuchAlgorithmException, NoSuchProviderException, CertStoreException, CertificateExpiredException, CertificateNotYetValidException{ boolean result= false; Security.addProvider(new BouncyCastleProvider()); File f = new File(signed_file_name); byte[] Sig_Bytes = new byte[(int)f.length()]; DataInputStream in = new DataInputStream(new FileInputStream(f)); in.readFully(Sig_Bytes); in.close(); File fi = new File(original_file_name); byte[] Data_Bytes = new byte[(int)fi.length()]; DataInputStream input = new DataInputStream(new FileInputStream(fi)); input.readFully(Data_Bytes); input.close(); try{ CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(Data_Bytes), Sig_Bytes); CertStore certStore = cms.getCertificatesAndCRLs("Collection", "BC"); SignerInformationStore signers = cms.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); Collection certCollection = certStore.getCertificates(signer.getSID()); Iterator certIt = certCollection.iterator(); X509Certificate cert = (X509Certificate) certIt.next(); cert_signer=cert; result=signer.verify(cert, "BC"); } }catch(Exception e){ e.printStackTrace(); result=false; } return result; }
+6
source

The key for checking disconnected pKCS7 is to use CMSTypedStream, for example, the code below:

 public void verifySign(byte[] signedData,byte[]bPlainText) throws Exception { InputStream is = new ByteArrayInputStream(bPlainText); CMSSignedDataParser sp = new CMSSignedDataParser(new CMSTypedStream (is),signedData); CMSTypedStream signedContent = sp.getSignedContent(); signedContent.drain(); //CMSSignedData s = new CMSSignedData(signedData); Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder certHolder = (X509CertificateHolder)certIt.next(); if ( !signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder))) { throw new DENException("Verification FAILED! "); } else { logger.debug("verify success" ); } } }
0
source

You can find the answer to this post here . This is because, because bouncy castle / open ssl processes the S / MIME message when S / MIME headers are not present. The solution is to add S / MIME headers to the message before signimg

0
source

Source: https://habr.com/ru/post/902205/

More articles:


All Articles