开发者

How to create an pkcs7 block for key exchange only (bouncy castle)

开发者 https://www.devze.com 2023-03-17 11:09 出处:网络
I am trying to create a file containing a pkcs 7 block. In this container, I need my public key and my signer info (no signed data!!!). I have already tried several alternatives without any luck. This

I am trying to create a file containing a pkcs 7 block. In this container, I need my public key and my signer info (no signed data!!!). I have already tried several alternatives without any luck. This is my code:

First the signature info:

 List<X509Certificate> certs = new List<X509Certificate> { cert };
 IX509Store x509Certs = X509StoreFactory.Create(
      "CERTIFICATE/COLLECTION",
      new X509CollectionStoreParameters(certs));

 var ias = new IssuerAndSerialNumber(cert.IssuerDN, cert.SerialNumber);
 SignerIdentifier sid = new SignerIdentifier(ias);
 AlgorithmIdentifier algoDigId = new AlgorithmIdentifierCmsSignedGenerator.DigestSha1);
 AlgorithmIdentifier algoCryptId = new AlgorithmIdentifier(CmsSignedGenerator.EncryptionRsa);

 SignerInfo si = new SignerInfo(sid, algoDigId, null, algoCryptId,
                                      new DerOctetString(contentSignature), null);

the contentSignature byte[] contains a signed digest for some info.

Now, when I try to create the SignedData, everything goes down

  var signedContent = new ContentInfo(CmsObjectIdentifiers.Data, DerNull.Instance);
  CmsSignedData csd = new CmsSignedData(signedContent);

I am not trying to send info, this is only for key exchange and verification purposes. I believe this is a valid scenario but somehow this does not work.

Thanks for your help.

UPDATE:

more context.

I am trying to sign a JAR from a .Net executable. I have pretty much done the rest of the process but jarsigner creates a pkcs7 file with:

开发者_Go百科
  • ContentInfo set to type Data and no content. So far, making new ContentInfo( CmsObjectIdentifiers.Data, null) just throws an exception while adding the content info to the CmsData

  • A SignerInfo is added, this SignerInfo includes a signature previously derived from the JAR's content.


As this question is specifically related to signing an APK / JAR file, I will answer in that context.

Assuming that:

You have performed all the following setup steps:

  1. Generated a valid MANIFEST.MF
  2. Generated a valid CERT.SF
  3. Have a valid PFX file loaded into an X509Certificate2 variable named "cert"
  4. Have the binary contents of the CERT.SF file in a byte array named "manifestSFBytes"

The following code will generate a valid detached pkcs7 signature which is effectively your CERT.RSA content:

string OID_DATA = "1.2.840.113549.1.7.1";

// setup the data to sign
ContentInfo content = new ContentInfo( new Oid( OID_DATA ), manifestSFBytes );
SignedCms signedCms = new SignedCms( content, true );
CmsSigner signer = new CmsSigner( SubjectIdentifierType.IssuerAndSerialNumber, cert );

// create the signature
signedCms.ComputeSignature( signer );
byte[] data = signedCms.Encode();

This code relies on the System.Security.Cryptography.Pkcs namespace and does not require BouncyCastle.

What is going on here is that the raw content (signature file binary data) is hashed and signed in one go by the ComputeSignature() call.

Therefore no "null ContentInfo" tricks are necessary i.e. the ContentInfo contains the raw data to be signed and hashed unlike the Java implementation which signs and hashes the content prior to PKCS7 generation.

HTH

-(e)


Here is a simple example of what I think you want to do. NOTE: The code below is for the Java bouncycastle but I think the classes are very similar in the C# version of the library.

import java.io.*;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.*;

public class PKCS7CertList1
{

    public static byte[] buildCMSCertThingy() throws Exception
    {
        final List<X509Certificate> certs = new ArrayList<X509Certificate>();
        final InputStream certIs = new FileInputStream("google_com.p7b");
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Certificate cert : cf.generateCertificates(certIs))
        {
            certs.add((X509Certificate) cert);
        }
        certIs.close();
        System.err.printf("Number of certs parsed = %d%n", certs.size());
        final CMSSignedDataGenerator cmsGen = new CMSSignedDataGenerator();
        cmsGen.addCertificates(new JcaCertStore(certs));
        final CMSSignedData sigData = cmsGen.generate(new CMSAbsentContent(), false);
        return sigData.getEncoded();
    }
    public static void main(String[] args) throws Exception
    {   
        FileOutputStream fos = new FileOutputStream("signed_data.der");
        fos.write(buildCMSCertThingy());
        fos.close();
    }

}
0

精彩评论

暂无评论...
验证码 换一张
取 消