无法验证签名 (cmssigneddata) bouncycastle

Posted

技术标签:

【中文标题】无法验证签名 (cmssigneddata) bouncycastle【英文标题】:Cannot verify signature (cmssigneddata) bouncycastle 【发布时间】:2017-10-15 03:42:44 【问题描述】:

当我想验证我使用 BouncyCastle 制作的签名时,我不会进入 verifySignature 方法的第二个 while 循环。 store.getMatches() 返回一个空数组。

public static CMSSignedData sign() throws Exception 
    byte[] file = fileChooser();
    store = KeyStore.getInstance(storeType);
    FileInputStream in = new FileInputStream(new File(storePathKey));
    store.load(in, storePassword);
    in.close();

    Key priv = store.getKey("Subject", storePassword);
    System.out.println(priv.toString() + "priv string");
    X509Certificate cert = (X509Certificate) store.geCertificate("Subject");
    ContentSigner signer = new JcaContentSignerBuilder(sigAlgo).build((RSAPrivateKey) priv);

    CMSTypedData data = new CMSProcessableByteArray(file);
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
        .build(signer, cert));
    CMSSignedData sigData = gen.generate(data, true);

    return sigData;


public static void verifySig(CMSSignedData sigData) throws Exception 
    Store store = sigData.getCertificates();
    SignerInformationStore signers = sigData.getSignerInfos();
    System.out.println(store.toString() + "store");
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) 
        System.out.println("enter while loop1");
        SignerInformation signer = (SignerInformation) it.next();

        Collection certCollection = store.getMatches(signer.getSID());
        Iterator certIt = certCollection.iterator();
        System.out.println(store.getMatches(null) + "collection of certs");

        while (certIt.hasNext()) 
            System.out.println("enter while loop2");
            X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHolder);

            if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) 
                System.out.println("verified correct");
             else 
                System.out.println("not verified");

我在sign() 方法中遗漏了什么吗?

【问题讨论】:

【参考方案1】:

您需要将证书添加到org.bouncycastle.util.CollectionStore,并将此存储添加到签名中。

我正在使用 BouncyCastle 1.56

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.CollectionStore;

// add these lines after gen.addSignerInfoGenerator(...)

// cert is your X509Certificate
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
CollectionStore<X509CertificateHolder> certStore = new CollectionStore<>(Collections.singletonList(holder));
gen.addCertificates(certStore); // add the store to the signature

当您想要添加多个证书时,CollectionStore 很有用。如果你只想添加一个,你也可以这样做:

X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
gen.addCertificate(holder);

我得到的输出:

enter while loop1
[org.bouncycastle.cert.X509CertificateHolder@5bc807a8]collection of certs
enter while loop2
verified correct

【讨论】:

以上是关于无法验证签名 (cmssigneddata) bouncycastle的主要内容,如果未能解决你的问题,请参考以下文章

找不到类 org.bouncycastle.cms.CMSSignedData

无法从 Iphone 生成 Json 请求正文

系统重装无法验证数字签名

iOS WKWebView 自签名证书单向验证+双向验证

接收方无法验证签名的 XML 消息

UseJwtBearerAuthentication 失败并显示 IDX10504:无法验证签名,令牌没有签名