[英]Sign CAdES using BouncyCastle using JAVA
According to several posts I've found out it's now possible to perform CAdES using BouncyCastle but there is hardly any documentation on the topic. 根据我发现的几篇文章,现在可以使用BouncyCastle执行CAdES,但是几乎没有关于该主题的文档。
For starters I want to perform CAdES-BES without any optional signed attributes on a file with a file based certificate. 对于初学者,我想在具有基于文件的证书的文件上执行CAdES-BES而没有任何可选的已签名属性。
In response to dander: 回应皮屑:
I have something that might be helpful, you have your SignerInformation, you need to extend it, first you need to create an attribute from the timestamp, I'll assume you already have a TimeStampResponse as tspResp 我有一些有用的东西,您有SignerInformation,需要扩展它,首先需要从时间戳创建一个属性,我假设您已经有一个TimeStampResponse作为tspResp
TimeStampToken token = tsresp.getTimeStampToken();
Attribute timeStamp = new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(ASN1Object.fromByteArray(token.getEncoded())));
Then you need to extend your SignerInformation 然后,您需要扩展SignerInformation
AttributeTable unsigned = signerInformation.getUnsignedAttributes();
Hashtable<ASN1ObjectIdentifier, Attribute> unsignedAttrHash = null;
if (unsigned == null) {
unsignedAttrHash = new Hashtable<ASN1ObjectIdentifier, Attribute>();
} else {
unsignedAttrHash = signerInformation.getUnsignedAttributes().toHashtable();
}
unsignedAttrHash.put(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, signatureTimeStamp);
SignerInformation newsi = SignerInformation.replaceUnsignedAttributes(si, new AttributeTable(
unsignedAttrHash));
I think that's about it. 我想就是这样。
Here is how I got the signin-certificate attribute 这是我获得signin-certificate属性的方法
Attribute signingCertificateAttribute;
MessageDigest dig = MessageDigest.getInstance(DigestAlgorithm().getName(),
new BouncyCastleProvider());
byte[] certHash = dig.digest(SigningCertificate().getEncoded());
if (DigestAlgorithm() == DigestAlgorithm.SHA1) {
SigningCertificate sc = new SigningCertificate(new ESSCertID(certHash));
signingCertificateAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, new DERSet(sc));
} else {
ESSCertIDv2 essCert = new ESSCertIDv2(new AlgorithmIdentifier(DigestAlgorithm().getOid()), certHash);
SigningCertificateV2 scv2 = new SigningCertificateV2(new ESSCertIDv2[] { essCert });
signingCertificateAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2));
}
Hope it helps 希望能帮助到你
CAdES is an extension of CMS (aka PKCS7), which is possible to do with BouncyCastle. CAdES是CMS(又名PKCS7)的扩展,可以与BouncyCastle一起使用。 RFC5126 contains everything needed for a CAdES signature, also, I recommend lookup info on ASN.1 since most of the parts are described in that format.
RFC5126包含CAdES签名所需的所有内容,此外,我建议在ASN.1上查找信息,因为大多数部分都以该格式描述。
I am currently in hunt for the same answer you are looking for and found that the book Beginning Cryptography with Java by David Hook gives a lot of detailed information you might need. 我目前正在寻找与您正在寻找的相同答案,并且发现David Hook的《用Java进行密码学入门》一书提供了您可能需要的许多详细信息。
Useful code could be found on " https://joinup.ec.europa.eu/ " 有用的代码可以在“ https://joinup.ec.europa.eu/ ”上找到
Take a look on CAdESProfileBES.java . 看一下CAdESProfileBES.java 。
Someone put the same code on Fork of the original SD - Digital Signature Service . 有人将相同的代码放在原始SD数字签名服务的Fork上 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.