List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateHolder JcaX509CertificateHolder
public JcaX509CertificateHolder(X509Certificate cert) throws CertificateEncodingException
From source file:be.fedict.trust.ocsp.OcspTrustLinker.java
License:Open Source License
/**
 * Checks the revocation status of {@code childCertificate} via OCSP, with
 * {@code certificate} as its issuing CA.
 *
 * Outcome: {@code TRUSTED} when a matching single response is fresh at
 * {@code validationDate} and reports the certificate as good;
 * {@code UNDECIDED} whenever OCSP cannot decide (no OCSP URI, no response,
 * unsuccessful status, bad response or responder signature, responder
 * certificate not acceptable, stale response, no matching entry); a
 * {@link TrustLinkerResultException} when the responder reports the
 * certificate as revoked (or any other non-good status). This linker never
 * returns {@code UNTRUSTED} itself.
 *
 * @param childCertificate the certificate whose status is queried
 * @param certificate      the issuer (CA) certificate of {@code childCertificate}
 * @param validationDate   point in time at which the status is evaluated
 * @param revocationData   collector that receives the OCSP response that decided
 * @param algorithmPolicy  policy consulted for every signature algorithm encountered
 * @return {@code TRUSTED} or {@code UNDECIDED}
 * @throws TrustLinkerResultException when the certificate is reported revoked via OCSP
 * @throws Exception on encoding, digest, certificate-factory or signature failures
 */
@Override
public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate,
        Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy)
        throws TrustLinkerResultException, Exception {
    URI ocspUri = getOcspUri(childCertificate);
    if (null == ocspUri) {
        // no OCSP access location in the certificate: nothing to check
        return TrustLinkerResult.UNDECIDED;
    }
    LOG.debug("OCSP URI: " + ocspUri);
    OCSPResp ocspResp = this.ocspRepository.findOcspResponse(ocspUri, childCertificate, certificate,
            validationDate);
    if (null == ocspResp) {
        LOG.debug("OCSP response not found");
        return TrustLinkerResult.UNDECIDED;
    }
    int ocspRespStatus = ocspResp.getStatus();
    if (OCSPResponseStatus.SUCCESSFUL != ocspRespStatus) {
        LOG.debug("OCSP response status: " + ocspRespStatus);
        return TrustLinkerResult.UNDECIDED;
    }
    // NOTE(review): unchecked cast; relies on a SUCCESSFUL response always
    // carrying a basic OCSP response object — confirm for the repositories used.
    Object responseObject = ocspResp.getResponseObject();
    BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
    X509CertificateHolder[] responseCertificates = basicOCSPResp.getCerts();
    for (X509CertificateHolder responseCertificate : responseCertificates) {
        LOG.debug("OCSP response cert: " + responseCertificate.getSubject());
        LOG.debug("OCSP response cert issuer: " + responseCertificate.getIssuer());
    }
    // the response signature algorithm is policy-checked before the signature itself is verified
    algorithmPolicy.checkSignatureAlgorithm(basicOCSPResp.getSignatureAlgOID().getId(), validationDate);
    if (0 == responseCertificates.length) {
        /*
         * This means that the OCSP response has been signed by the issuing
         * CA itself: verify the response signature with the CA public key.
         */
        ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certificate.getPublicKey());
        boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider);
        if (false == verificationResult) {
            LOG.debug("OCSP response signature invalid");
            return TrustLinkerResult.UNDECIDED;
        }
    } else {
        /*
         * We're dealing with a dedicated authorized OCSP Responder
         * certificate, or of course with a CA that issues the OCSP
         * Responses itself.
         *
         * NOTE(review): the first embedded certificate is taken to be the
         * signer; the response's responderID is not compared against it, so
         * the signature check right below is what binds that certificate to
         * this response.
         */
        X509CertificateHolder ocspResponderCertificate = responseCertificates[0];
        ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(ocspResponderCertificate);
        boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider);
        if (false == verificationResult) {
            LOG.debug("OCSP Responser response signature invalid");
            return TrustLinkerResult.UNDECIDED;
        }
        if (false == Arrays.equals(certificate.getEncoded(), ocspResponderCertificate.getEncoded())) {
            // delegated responder: its certificate must chain to the CA and be
            // authorized for OCSP signing before the response is accepted
            // check certificate signature algorithm
            algorithmPolicy.checkSignatureAlgorithm(
                    ocspResponderCertificate.getSignatureAlgorithm().getAlgorithm().getId(), validationDate);
            X509Certificate issuingCaCertificate;
            if (responseCertificates.length < 2) {
                // so the OCSP certificate chain only contains a single entry
                LOG.debug("OCSP responder complete certificate chain missing");
                /*
                 * Here we assume that the OCSP Responder is directly signed
                 * by the CA.
                 */
                issuingCaCertificate = certificate;
            } else {
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                issuingCaCertificate = (X509Certificate) certificateFactory
                        .generateCertificate(new ByteArrayInputStream(responseCertificates[1].getEncoded()));
                /*
                 * Is next check really required? It pins the embedded issuer
                 * to the CA we are validating against, so a response carrying
                 * an unrelated chain is not accepted.
                 */
                if (false == certificate.equals(issuingCaCertificate)) {
                    LOG.debug("OCSP responder certificate not issued by CA");
                    return TrustLinkerResult.UNDECIDED;
                }
            }
            // check the CA certificate signature algorithm against the policy
            algorithmPolicy.checkSignatureAlgorithm(issuingCaCertificate.getSigAlgOID(), validationDate);
            PublicKeyTrustLinker publicKeyTrustLinker = new PublicKeyTrustLinker();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509Certificate x509OcspResponderCertificate = (X509Certificate) certificateFactory
                    .generateCertificate(new ByteArrayInputStream(ocspResponderCertificate.getEncoded()));
            LOG.debug("OCSP Responder public key fingerprint: "
                    + DigestUtils.sha1Hex(x509OcspResponderCertificate.getPublicKey().getEncoded()));
            // The return value is ignored; presumably PublicKeyTrustLinker reports
            // a broken responder -> CA link by throwing TrustLinkerResultException
            // rather than through its result — confirm before relying on this.
            publicKeyTrustLinker.hasTrustLink(x509OcspResponderCertificate, issuingCaCertificate, validationDate,
                    revocationData, algorithmPolicy);
            // Without id-pkix-ocsp-nocheck (RFC 6960 section 4.2.2.2.1) the responder
            // certificate would itself need revocation checking, which is not done here.
            if (null == x509OcspResponderCertificate
                    .getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId())) {
                LOG.debug("OCSP Responder certificate should have id-pkix-ocsp-nocheck");
                /*
                 * TODO: perform CRL validation on the OCSP Responder
                 * certificate. On the other hand, do we really want to
                 * check the checker?
                 */
                return TrustLinkerResult.UNDECIDED;
            }
            // a delegated responder must be explicitly authorized via the OCSPSigning EKU
            List<String> extendedKeyUsage = x509OcspResponderCertificate.getExtendedKeyUsage();
            if (null == extendedKeyUsage) {
                LOG.debug("OCSP Responder certificate has no extended key usage extension");
                return TrustLinkerResult.UNDECIDED;
            }
            if (false == extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                LOG.debug("OCSP Responder certificate should have a OCSPSigning extended key usage");
                return TrustLinkerResult.UNDECIDED;
            }
        } else {
            LOG.debug("OCSP Responder certificate equals the CA certificate");
            // and the CA certificate is already trusted at this point
        }
    }
    // Build the CertificateID we expect in the response; SHA-1 here is the
    // identifier hash used to match entries, it is not a trust decision.
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certificateId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(certificate), childCertificate.getSerialNumber());
    SingleResp[] singleResps = basicOCSPResp.getResponses();
    for (SingleResp singleResp : singleResps) {
        CertificateID responseCertificateId = singleResp.getCertID();
        if (false == certificateId.equals(responseCertificateId)) {
            continue;
        }
        // Freshness window: validationDate must lie within
        // [thisUpdate - freshnessInterval, nextUpdate + freshnessInterval];
        // a missing nextUpdate collapses the window around thisUpdate.
        DateTime thisUpdate = new DateTime(singleResp.getThisUpdate());
        DateTime nextUpdate;
        if (null != singleResp.getNextUpdate()) {
            nextUpdate = new DateTime(singleResp.getNextUpdate());
        } else {
            LOG.debug("no OCSP nextUpdate");
            nextUpdate = thisUpdate;
        }
        LOG.debug("OCSP thisUpdate: " + thisUpdate);
        LOG.debug("(OCSP) nextUpdate: " + nextUpdate);
        DateTime beginValidity = thisUpdate.minus(this.freshnessInterval);
        DateTime endValidity = nextUpdate.plus(this.freshnessInterval);
        DateTime validationDateTime = new DateTime(validationDate);
        if (validationDateTime.isBefore(beginValidity)) {
            // a stale or future entry is skipped; a later matching entry may still decide
            LOG.warn("OCSP response not yet valid");
            continue;
        }
        if (validationDateTime.isAfter(endValidity)) {
            LOG.warn("OCSP response expired");
            continue;
        }
        // BouncyCastle encodes the "good" status as CertificateStatus.GOOD, which is null
        if (null == singleResp.getCertStatus()) {
            LOG.debug("OCSP OK for: " + childCertificate.getSubjectX500Principal());
            addRevocationData(revocationData, ocspResp, ocspUri);
            return TrustLinkerResult.TRUSTED;
        } else {
            // any non-good status (revoked or unknown) is treated as a revocation failure
            LOG.debug("OCSP certificate status: " + singleResp.getCertStatus().getClass().getName());
            if (singleResp.getCertStatus() instanceof RevokedStatus) {
                LOG.debug("OCSP status revoked");
            }
            addRevocationData(revocationData, ocspResp, ocspUri);
            throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_REVOCATION_STATUS,
                    "certificate revoked by OCSP");
        }
    }
    LOG.debug("no matching OCSP response entry");
    return TrustLinkerResult.UNDECIDED;
}
From source file:be.fedict.trust.ocsp.OfflineOcspRepository.java
License:Open Source License
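/**
 * Searches the responses held by this offline repository for one that contains a
 * single response for {@code certificate} as issued by {@code issuerCertificate}.
 *
 * {@code ocspUri} and {@code validationDate} are not consulted: this repository
 * only matches on CertificateID, so freshness is left to the caller.
 *
 * @param ocspUri           ignored
 * @param certificate       the certificate whose status is looked up
 * @param issuerCertificate the issuer of {@code certificate}, used to build the CertificateID
 * @param validationDate    ignored
 * @return the first response with a matching entry, or {@code null} when none matches
 *         or a held response cannot be parsed
 * @throws RuntimeException when the digest calculator or the CertificateID cannot be built
 */
@Override
public OCSPResp findOcspResponse(URI ocspUri, X509Certificate certificate, X509Certificate issuerCertificate,
        Date validationDate) {
    LOG.debug("find OCSP response");
    DigestCalculatorProvider digCalcProv;
    try {
        digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .build();
    } catch (OperatorCreationException e) {
        throw new RuntimeException(e);
    }
    // SHA-1 is only the CertificateID hash; it has to match the hash the held
    // responses were built with, so it is not a free choice here.
    CertificateID certId;
    try {
        certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
                new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    } catch (OCSPException | OperatorCreationException | java.security.cert.CertificateEncodingException e) {
        throw new RuntimeException(e);
    }
    try {
        for (OCSPResp ocspResp : this.ocspResponses) {
            Object responseObject = ocspResp.getResponseObject();
            // A response without response bytes (non-successful status) yields null
            // here; the former unchecked cast then failed with a NullPointerException
            // on getResponses(). Such responses cannot match, so skip them.
            if (!(responseObject instanceof BasicOCSPResp)) {
                LOG.debug("skipping OCSP response without basic response, status: " + ocspResp.getStatus());
                continue;
            }
            BasicOCSPResp basicOCSPResp = (BasicOCSPResp) responseObject;
            for (SingleResp singleResp : basicOCSPResp.getResponses()) {
                if (singleResp.getCertID().equals(certId)) {
                    LOG.debug("OCSP response found");
                    return ocspResp;
                }
            }
        }
    } catch (OCSPException e) {
        LOG.error("OCSPException: " + e.getMessage(), e);
        return null;
    }
    LOG.debug("OCSP response not found");
    return null;
}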
From source file:be.fedict.trust.ocsp.OnlineOcspRepository.java
License:Open Source License
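/**
 * Builds an OCSP request for {@code certificate} (issued by {@code issuerCertificate})
 * and POSTs it to {@code ocspUri}, honouring the configured proxy and credentials.
 *
 * The returned response is parsed only; its signature is not verified here.
 *
 * @param ocspUri           the responder URL taken from the certificate's AIA extension
 * @param certificate       the certificate whose status is requested
 * @param issuerCertificate the issuer of {@code certificate}, used for the CertificateID
 * @return the parsed response, or {@code null} when the responder is unreachable,
 *         answers with a non-200 status, an unexpected content type or an empty body
 * @throws Exception on request encoding, HTTP or response parsing failures
 */
private OCSPResp getOcspResponse(URI ocspUri, X509Certificate certificate, X509Certificate issuerCertificate)
        throws Exception {
    LOG.debug("OCSP URI: " + ocspUri);
    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    ocspReqBuilder.addRequest(certId);
    OCSPReq ocspReq = ocspReqBuilder.build();
    byte[] ocspReqData = ocspReq.getEncoded();

    HttpPost httpPost = new HttpPost(ocspUri.toString());
    ContentType contentType = ContentType.create("application/ocsp-request");
    HttpEntity requestEntity = new ByteArrayEntity(ocspReqData, contentType);
    httpPost.addHeader("User-Agent", "jTrust OCSP Client");
    httpPost.setEntity(requestEntity);

    DefaultHttpClient httpClient = new DefaultHttpClient();
    if (null != this.networkConfig) {
        HttpHost proxy = new HttpHost(this.networkConfig.getProxyHost(), this.networkConfig.getProxyPort());
        httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
    }
    if (null != this.credentials) {
        this.credentials.init(httpClient.getCredentialsProvider());
    }

    // The connection and the per-call client are released in 'finally' so that
    // every early return and every exception below hands them back; previously
    // releaseConnection() ran on the success path only.
    try {
        HttpResponse httpResponse;
        int responseCode;
        try {
            httpResponse = httpClient.execute(httpPost);
            StatusLine statusLine = httpResponse.getStatusLine();
            responseCode = statusLine.getStatusCode();
        } catch (ConnectException e) {
            LOG.debug("OCSP responder is down");
            return null;
        }
        if (HttpURLConnection.HTTP_OK != responseCode) {
            LOG.error("HTTP response code: " + responseCode);
            return null;
        }
        Header responseContentTypeHeader = httpResponse.getFirstHeader("Content-Type");
        if (null == responseContentTypeHeader) {
            LOG.error("no Content-Type response header");
            return null;
        }
        String resultContentType = responseContentTypeHeader.getValue();
        if (!"application/ocsp-response".equals(resultContentType)) {
            LOG.error("result content type not application/ocsp-response");
            LOG.error("actual content-type: " + resultContentType);
            if ("text/html".equals(resultContentType)) {
                // diagnostic only: the unexpected HTML body is logged as-is
                LOG.error("content: " + EntityUtils.toString(httpResponse.getEntity()));
            }
            return null;
        }
        Header responseContentLengthHeader = httpResponse.getFirstHeader("Content-Length");
        if (null != responseContentLengthHeader) {
            String resultContentLength = responseContentLengthHeader.getValue();
            if ("0".equals(resultContentLength)) {
                LOG.debug("no content returned");
                return null;
            }
        }
        HttpEntity httpEntity = httpResponse.getEntity();
        if (null == httpEntity) {
            // a 200 without a body cannot carry a response
            LOG.debug("no response entity");
            return null;
        }
        // The body is parsed straight from the stream; no upper bound on its size
        // is enforced here, so an oversized answer is noticed only after reading.
        OCSPResp ocspResp = new OCSPResp(httpEntity.getContent());
        LOG.debug("OCSP response size: " + ocspResp.getEncoded().length + " bytes");
        return ocspResp;
    } finally {
        httpPost.releaseConnection();
        httpClient.getConnectionManager().shutdown();
    }
}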
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
/**
 * Test helper: builds a successful, signed OCSP response that reports
 * {@code certificate} (issued by {@code issuerCertificate}) as good or, when
 * {@code revoked} is set, as revoked as of now.
 *
 * When the responder certificate differs from the issuer certificate, both are
 * embedded in the response so that a verifier can chain the delegated responder
 * to the CA; a CA-signed response embeds no certificates.
 *
 * @param certificate              the certificate the response is about
 * @param revoked                  whether to report it revoked instead of good
 * @param issuerCertificate        the issuer of {@code certificate}
 * @param ocspResponderCertificate the certificate whose key signs the response
 * @param ocspResponderPrivateKey  the signing key
 * @param signatureAlgorithm       JCA signature algorithm name used for signing
 * @return a {@code SUCCESSFUL} OCSP response wrapping the basic response
 * @throws Exception on digest, encoding or signing failures
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm) throws Exception {
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();

    // request: one CertificateID for the certificate under test
    CertificateID requestedId = new CertificateID(digestProvider.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    OCSPReq request = new OCSPReqBuilder().addRequest(requestedId).build();

    // request processing: answer each request entry with the requested status
    BasicOCSPRespBuilder responseBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digestProvider.get(CertificateID.HASH_SHA1));
    for (Req entry : request.getRequestList()) {
        CertificateStatus status = revoked
                ? new RevokedStatus(new Date(), CRLReason.unspecified)
                : CertificateStatus.GOOD;
        responseBuilder.addResponse(entry.getCertID(), status);
    }

    // basic response generation: a CA-signed response carries no chain
    X509CertificateHolder[] embeddedChain = null;
    if (!ocspResponderCertificate.equals(issuerCertificate)) {
        embeddedChain = new X509CertificateHolder[] {
                new X509CertificateHolder(ocspResponderCertificate.getEncoded()),
                new X509CertificateHolder(issuerCertificate.getEncoded()) };
    }
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(ocspResponderPrivateKey);
    BasicOCSPResp basicResponse = responseBuilder.build(signer, embeddedChain, new Date());

    // response generation
    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResponse);
}
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
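/**
 * Test helper: builds a successful, signed OCSP response that reports
 * {@code certificate} (issued by {@code issuerCertificate}) as good or, when
 * {@code revoked} is set, as revoked as of now, embedding the given responder
 * certificate chain.
 *
 * Fix: the signature was previously always made with {@code "SHA1withRSA"},
 * silently ignoring {@code signatureAlgorithm}; the parameter is now honoured,
 * matching the six-argument overload.
 *
 * @param certificate                   the certificate the response is about
 * @param revoked                       whether to report it revoked instead of good
 * @param issuerCertificate             the issuer of {@code certificate}
 * @param ocspResponderCertificate      the certificate whose key signs the response
 * @param ocspResponderPrivateKey       the signing key
 * @param signatureAlgorithm            JCA signature algorithm name used for signing
 * @param ocspResponderCertificateChain certificates to embed in the response, in
 *                                      order; {@code null} or empty embeds none
 * @return a {@code SUCCESSFUL} OCSP response wrapping the basic response
 * @throws Exception on digest, encoding or signing failures
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,
        List<X509Certificate> ocspResponderCertificateChain) throws Exception {
    // request
    OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();
    DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();
    CertificateID certId = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    ocspReqBuilder.addRequest(certId);
    OCSPReq ocspReq = ocspReqBuilder.build();

    BasicOCSPRespBuilder basicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digCalcProv.get(CertificateID.HASH_SHA1));

    // request processing: every request entry gets the requested status
    for (Req ocspRequest : ocspReq.getRequestList()) {
        CertificateStatus certificateStatus;
        if (revoked) {
            certificateStatus = new RevokedStatus(new Date(), CRLReason.unspecified);
        } else {
            certificateStatus = CertificateStatus.GOOD;
        }
        basicOCSPRespBuilder.addResponse(ocspRequest.getCertID(), certificateStatus);
    }

    // basic response generation; a null/empty chain embeds no certificates
    X509CertificateHolder[] chain;
    if (null == ocspResponderCertificateChain || ocspResponderCertificateChain.isEmpty()) {
        chain = null;
    } else {
        chain = new X509CertificateHolder[ocspResponderCertificateChain.size()];
        for (int idx = 0; idx < chain.length; idx++) {
            chain[idx] = new X509CertificateHolder(ocspResponderCertificateChain.get(idx).getEncoded());
        }
    }
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(ocspResponderPrivateKey);
    BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date());

    // response generation
    OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();
    return ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);
}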
From source file:beta01.CreateCertByCsr.java
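/**
 * Issues a one-week certificate for the PEM-encoded CSR in {@code D:\CSR_DSA.p10},
 * signed with the root key read from {@code D:\rootPrivateKey.p12}, and hands the
 * result to {@link SimpleGenCert#converToPem} for output.
 *
 * Fixes over the previous version: the key-store stream and the PEM reader are
 * closed, the raw {@code Enumeration} is typed, the missing-entry case fails with
 * a clear message instead of a NullPointerException, and unused locals and dead
 * commented-out code are gone.
 *
 * @throws Exception on key-store, PEM, CSR parsing or signing failures
 */
public CreateCertByCsr() throws Exception {
    // read p12
    KeyStore pkcs12Store = KeyStore.getInstance("PKCS12", "BC");
    try (FileInputStream storeIn = new FileInputStream("D:\\rootPrivateKey.p12")) {
        pkcs12Store.load(storeIn, "pass".toCharArray());
    }

    // read root key pair and certificate
    PrivateKey privateKey = null;
    X509Certificate rootCert = null;
    for (Enumeration<String> en = pkcs12Store.aliases(); en.hasMoreElements();) {
        String alias = en.nextElement();
        if (pkcs12Store.isCertificateEntry(alias)) {
            rootCert = (X509Certificate) pkcs12Store.getCertificate(alias);
        } else if (pkcs12Store.isKeyEntry(alias)) {
            privateKey = (PrivateKey) pkcs12Store.getKey(alias, "pass".toCharArray());
        }
    }
    if (null == rootCert || null == privateKey) {
        throw new IllegalStateException("PKCS#12 store must contain a certificate entry and a key entry");
    }

    // read CSR
    String fileName = "CSR_DSA";
    PKCS10CertificationRequest csr;
    try (PemReader pemReader = new PemReader(new FileReader("D:\\" + fileName + ".p10"))) {
        csr = new PKCS10CertificationRequest(pemReader.readPemObject().getContent());
    }
    // NOTE(review): the CSR signature (proof of possession of the subject key) is
    // not verified before issuing; a real CA should check it.

    // create certificate: issuer = root subject, validity = now .. now + 7 days
    long now = System.currentTimeMillis();
    // NOTE(review): the clock is used as serial number; serials must be unique and
    // should be unpredictable, so a real CA should draw them from SecureRandom.
    JcaX509CertificateHolder holder = new JcaX509CertificateHolder(rootCert);
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(holder.getSubject(),
            BigInteger.valueOf(now), new Date(now), new Date(now + 7L * 24 * 60 * 60 * 1000),
            csr.getSubject(), csr.getSubjectPublicKeyInfo());
    certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));

    ContentSigner signer = new JcaContentSignerBuilder("SHA512withRSA").setProvider("BC").build(privateKey);
    X509CertificateHolder issued = certBuilder.build(signer);
    new SimpleGenCert().converToPem(issued, fileName);
}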
From source file:beta01.ReadPkc12.java
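/**
 * Dumps the entries of the PKCS#12 store {@code D:\rootPrivateKeySS.p12}; for each
 * certificate entry it signs a fixed string with the store's private key and verifies
 * the signature with the certificate's public key.
 *
 * Fixes over the previous version: the store stream is closed, the private key is
 * looked up before the dump loop (previously a certificate entry enumerated before
 * the key entry was "signed" with a null key), the test payload is encoded as UTF-8
 * instead of the platform charset, and the raw {@code Enumeration} is typed.
 *
 * @param args ignored
 */
public static void main(String[] args) throws KeyStoreException, NoSuchProviderException, IOException,
        NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
    KeyStore pkcs12Store = KeyStore.getInstance("PKCS12", "BC");
    try (FileInputStream storeIn = new FileInputStream("D:\\rootPrivateKeySS.p12")) {
        pkcs12Store.load(storeIn, "pass".toCharArray());
    }
    System.out.println("########## KeyStore Dump. Size: " + pkcs12Store.size());

    // locate the private key first so the signing test below does not depend on alias order
    PrivateKey privateKey = null;
    for (Enumeration<String> en = pkcs12Store.aliases(); en.hasMoreElements();) {
        String alias = en.nextElement();
        if (pkcs12Store.isKeyEntry(alias)) {
            privateKey = (PrivateKey) pkcs12Store.getKey(alias, "pass".toCharArray());
            break;
        }
    }

    for (Enumeration<String> en = pkcs12Store.aliases(); en.hasMoreElements();) {
        String alias = en.nextElement();
        if (pkcs12Store.isCertificateEntry(alias)) {
            X509Certificate cc = (X509Certificate) pkcs12Store.getCertificate(alias);
            // JcaX509CertificateHolder gives access to the ASN.1 view of the certificate
            X509CertificateHolder holder = new JcaX509CertificateHolder(cc);
            SubjectPublicKeyInfo pkInfo = holder.getSubjectPublicKeyInfo();
            PublicKey publicKey = cc.getPublicKey();
            System.out.println("Certificate Entry: " + alias + ", Subject: " + cc.getSubjectDN());

            // test signing: sign with the store key, verify with this certificate's key
            Signature signature = Signature.getInstance("SHA512withRSA");
            String data = "DATA55555556666666...";
            byte[] payload = data.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            try {
                signature.initSign(privateKey);
                signature.update(payload);
                byte[] realSign = signature.sign();
                signature.initVerify(publicKey);
                signature.update(payload);
                System.out.println("Is verivied? " + signature.verify(realSign));
            } catch (InvalidKeyException | SignatureException ex) {
                Logger.getLogger(ReadPkc12.class.getName()).log(Level.SEVERE, null, ex);
            }
        } else if (pkcs12Store.isKeyEntry(alias)) {
            privateKey = (PrivateKey) pkcs12Store.getKey(alias, "pass".toCharArray());
            System.out.println("Key Entry: [" + privateKey.getAlgorithm() + "]" + alias + ", Subject: "
                    + (((X509Certificate) pkcs12Store.getCertificate(alias)).getSubjectDN()));
        }
    }
}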
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
/**
 * Asserts that {@code cert} carries a non-critical AuthorityKeyIdentifier extension
 * whose DER value equals the one derived from the issuing CA certificate, both via
 * the JCA extension bytes and via the BouncyCastle certificate holder.
 *
 * @param cert   the certificate under test
 * @param caCert the CA that issued {@code cert}
 * @throws CertificateEncodingException when {@code cert} cannot be re-encoded
 * @throws IOException                  when an extension value cannot be DER-encoded
 */
private void checkAuthorityKeyIdentifierExtenstion(final X509Certificate cert, final CaCert caCert)
        throws CertificateEncodingException, IOException {
    final byte[] actualValue = cert.getExtensionValue(OID.AUTHORITY_KEY_IDENIFIER.oid.getId());
    assertThat(actualValue, is(notNullValue()));

    // expected: the AKI the CA certificate would produce, DER-encoded the same way
    final JcaX509ExtensionUtils extensionUtils = jcaX509ExtensionUtils();
    final byte[] expectedValue = X509CertExtension.builder()
            .oid(Extension.authorityKeyIdentifier)
            .value(extensionUtils.createAuthorityKeyIdentifier(caCert.getCert()))
            .critical(false)
            .build()
            .toExtension()
            .getExtnValue()
            .getEncoded(DER.name());
    assertThat(Arrays.areEqual(actualValue, expectedValue), is(true));

    // the same extension seen through the BouncyCastle holder must agree
    final Extension holderExtension = new JcaX509CertificateHolder(cert).getExtensions()
            .getExtension(OID.AUTHORITY_KEY_IDENIFIER.oid);
    assertThat(holderExtension, is(notNullValue()));
    final byte[] holderValue = holderExtension.getExtnValue().getEncoded(DER.name());
    assertThat(Arrays.areEqual(holderValue, expectedValue), is(true));
}
From source file:co.runrightfast.core.security.cert.impl.CertificateServiceImplTest.java
License:Apache License
/**
 * Asserts that {@code cert} carries a non-critical SubjectKeyIdentifier extension
 * whose DER value equals the one derived from the certificate's own public key, both
 * via the JCA extension bytes and via the BouncyCastle certificate holder.
 *
 * @param cert the certificate under test
 * @throws CertificateEncodingException when {@code cert} cannot be re-encoded
 * @throws IOException                  when an extension value cannot be DER-encoded
 */
private void checkSubjectKeyIdentifierExtenstion(final X509Certificate cert)
        throws CertificateEncodingException, IOException {
    final byte[] actualValue = cert.getExtensionValue(OID.SUBJECT_KEY_IDENIFIER.oid.getId());
    assertThat(actualValue, is(notNullValue()));

    // expected: the SKI derived from the subject public key, DER-encoded the same way
    final JcaX509ExtensionUtils extensionUtils = jcaX509ExtensionUtils();
    final byte[] expectedValue = X509CertExtension.builder()
            .oid(Extension.subjectKeyIdentifier)
            .value(extensionUtils.createSubjectKeyIdentifier(cert.getPublicKey()))
            .critical(false)
            .build()
            .toExtension()
            .getExtnValue()
            .getEncoded(DER.name());
    assertThat(Arrays.areEqual(actualValue, expectedValue), is(true));

    // the same extension seen through the BouncyCastle holder must agree
    final Extension holderExtension = new JcaX509CertificateHolder(cert).getExtensions()
            .getExtension(OID.SUBJECT_KEY_IDENIFIER.oid);
    assertThat(holderExtension, is(notNullValue()));
    final byte[] holderValue = holderExtension.getExtnValue().getEncoded(DER.name());
    assertThat(Arrays.areEqual(holderValue, expectedValue), is(true));
}
From source file:com.android.apksigner.core.internal.apk.v1.V1SchemeSigner.java
License:Apache License
/**
 * Produces the CMS/PKCS#7 signature block over the given signature-file bytes:
 * a detached signature by the first certificate of {@code signerConfig}, with all
 * of the signer's certificates attached, re-encoded as DER.
 *
 * @param signerConfig       signer certificates, private key and digest algorithm
 * @param signatureFileBytes the {@code .SF} content to sign
 * @return the DER-encoded CMS SignedData
 * @throws InvalidKeyException          when the key type has no supported signature algorithm
 * @throws CertificateEncodingException when a signer certificate cannot be encoded
 * @throws SignatureException           when building or encoding the signature fails
 */
private static byte[] generateSignatureBlock(SignerConfig signerConfig, byte[] signatureFileBytes)
        throws InvalidKeyException, CertificateEncodingException, SignatureException {
    JcaCertStore certificateStore = new JcaCertStore(signerConfig.certificates);
    X509Certificate signingCertificate = signerConfig.certificates.get(0);
    String jcaAlgorithm = getJcaSignatureAlgorithm(signingCertificate.getPublicKey(),
            signerConfig.signatureDigestAlgorithm);
    try {
        ContentSigner contentSigner = new JcaContentSignerBuilder(jcaAlgorithm).build(signerConfig.privateKey);

        // direct signature: no signed attributes, the signature covers the content itself
        SignerInfoGeneratorBuilder signerInfoBuilder = new SignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build(), SignerInfoSignatureAlgorithmFinder.INSTANCE);
        signerInfoBuilder.setDirectSignature(true);

        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(
                signerInfoBuilder.build(contentSigner, new JcaX509CertificateHolder(signingCertificate)));
        generator.addCertificates(certificateStore);

        // 'false': detached signature, the signed content is not embedded
        CMSSignedData signedData = generator.generate(new CMSProcessableByteArray(signatureFileBytes), false);

        // round-trip through ASN.1 parsing so the output is written as DER
        ByteArrayOutputStream derOut = new ByteArrayOutputStream();
        try (ASN1InputStream parsed = new ASN1InputStream(signedData.getEncoded())) {
            new DEROutputStream(derOut).writeObject(parsed.readObject());
        }
        return derOut.toByteArray();
    } catch (OperatorCreationException | CMSException | IOException e) {
        throw new SignatureException("Failed to generate signature", e);
    }
}