Home > Archive > Java Security > March 2004 > Sign plain text in PKCS#7 format
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Sign plain text in PKCS#7 format
|
|
|
| Hi!
I need to encode a string (plain text) in PKCS#7 format. The question is:
What I need? I have the iaik jce package. I need something else?
Could you send me some sample code?
Thank you!
| |
| Michel Gallant 2004-03-19, 8:54 pm |
| Have a look at the BC implementation samples here:
http://www.jensign.com/JavaScience/javacrypto
Also, all the JavaScience samples are not available via:
http://www.jensign.com
-Michel Gallant
JavaScience Consulting
"Ride" <albertocasanovas@hotmail.com> wrote in message
news:16dabcd3.0402250504.25964ebe@posting.google.com...
> Hi!
> I need to encode a string (plain text) in PKCS#7 format. The question is:
> What I need? I have the iaik jce package. I need something else?
>
> Could you send me some sample code?
>
> Thank you!
| |
|
| Hi Michel,
Thank for the code samples, help me a lot. Now, I have another
question:
How can I get the private key from/within a certificate? I have an
certificate in my machine(X509) and I need its private key in order to
encrypt data with it. Could you help me?
Thanks
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message news:<VG1%b.13466$Mo4.426313@news20.bellglobal.com>...[color=darkred]
> Have a look at the BC implementation samples here:
> http://www.jensign.com/JavaScience/javacrypto
>
> Also, all the JavaScience samples are not available via:
> http://www.jensign.com
>
> -Michel Gallant
> JavaScience Consulting
>
> "Ride" <albertocasanovas@hotmail.com> wrote in message
> news:16dabcd3.0402250504.25964ebe@posting.google.com...
| |
|
| Exactly! I need to get the private key associated to the user
certificate. The real application will run in a Solaris environment,
but now I'm "practising" in windows.
I've "stored" the certificate in cacerts file (with keytool). Using
keytool -list I get a list of my "installed" certificates (one in this
case). Then I load a KeyStore object with cacerts file.
keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("cacerts"), pwd.toCharArray());
Then I try to get the private key:
Enumeration en = keystore.aliases();
String pName = null;
while (en.hasMoreElements())
{
String n = (String)en.nextElement();
if (keystore.isKeyEntry(n))
{
pName = n;
}
}
PrivateKey priv = (PrivateKey)keystore.getKey(pName,
pwd.toCharArray());
But this returns to me null. The enumeration has one "alias" but seems
that has no private key (?)
Thanks.
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message news:<H1t%b.15532$Mo4.539830@news20.bellglobal.com>...[color=darkred]
> How is the certificate stored? Are you talking about accessing the
> private key associated with a certificate on Windows, for example?
> - Mitch
>
> "Ride" <albertocasanovas@hotmail.com> wrote in message
> news:16dabcd3.0402260335.30b9b20d@posting.google.com...
> news:<VG1%b.13466$Mo4.426313@news20.bellglobal.com>...
| |
|
| I've done it!!!
Simple I changed this line:
keystore = KeyStore.getInstance("JKS");
to this one:
keystore = KeyStore.getInstance("PKCS12");
I realized that I export the certificate in PKCS12 format. Now I can
load the keystore, retrieve the private key. Now I have to encrypt
data!!
Thank you very much
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message news:<H1t%b.15532$Mo4.539830@news20.bellglobal.com>...[color=darkred]
> How is the certificate stored? Are you talking about accessing the
> private key associated with a certificate on Windows, for example?
> - Mitch
>
> "Ride" <albertocasanovas@hotmail.com> wrote in message
> news:16dabcd3.0402260335.30b9b20d@posting.google.com...
> news:<VG1%b.13466$Mo4.426313@news20.bellglobal.com>...
| |
| Michel Gallant 2004-03-19, 8:54 pm |
| How is the certificate stored? Are you talking about accessing the
private key associated with a certificate on Windows, for example?
- Mitch
"Ride" <albertocasanovas@hotmail.com> wrote in message
news:16dabcd3.0402260335.30b9b20d@posting.google.com...
> Hi Michel,
> Thank for the code samples, help me a lot. Now, I have another
> question:
> How can I get the private key from/within a certificate? I have an
> certificate in my machine(X509) and I need its private key in order to
> encrypt data with it. Could you help me?
>
> Thanks
>
> "Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:<VG1%b.13466$Mo4.426313@news20.bellglobal.com>...[color=darkred]
| |
|
| Hello Michel,
I obtain encrypted PKCS#7 data using BouncyCastle,but now I have a big
problem... I hope you could help me.
I try to explain it. I need to make an application in java that
encrypts data (a large string) in pkcs#7 dettached (sign the data),
encode it to Base64 and send it to a remote server using https (post).
The data that I have to send (encrypted) must be equals to signText
function in javascript (only works in Netscape browsers). Here is the
script:
var textToSend = window.crypto.signText("This is the text to sign");
This produces base64 encoded data. I think the data is encrypted in
pkcs#7 and after is encoded to Base64. My problem is that using the
bouncycastle package, and the examples in http://www.jensign.com
(BCSignFile.java) I get pkcs#7 encrypted data but is DIFFERENT from
the window.crypto.signText javascript function!!! This is a piece of
my code:
X509Certificate cert = null;
PublicKey pub = null;
PrivateKey priv = null;
KeyStore keystore = null;
String data = "Text to be signed";
try
{
Security.addProvider(new BouncyCastleProvider());
keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
// Load the keystore
keystore.load(new FileInputStream("myKeyStoreFile.pfx"),
passw.toCharArray());
Enumeration e = keystore.aliases();
String name = "";
if(e!=null)
{
while (e.hasMoreElements())
{
String n = (String)e.nextElement();
if (keystore.isKeyEntry(n))
{
name = n;
}
}
}
// Get the private key and the certificate
priv = (PrivateKey)keystore.getKey(name, passw.toCharArray());
cert = (X509Certificate) keystore.getCertificate(name);
// I'm not sure if this is necessary
Certificate[] certChain =
keystore.getCertificateChain(name);
ArrayList certList = new ArrayList();
CertStore certs = null;
for (int i=0; i < certChain.length; i++)
certList.add(certChain[i]);
certs = CertStore.getInstance("Collection", new
CollectionCertStoreParameters(certList),
"BC");
// Encrypt data
CMSSignedDataGenerator sgen = new CMSSignedDataGenerator();
// What digest algorithm i must use? SHA1? MD5? RSA?...
sgen.addSigner(priv, (X509Certificate)cert,
CMSSignedDataGenerator.DIGEST_MD5);
// I'm not sure this is necessary
sgen.addCertificatesAndCRLs(certs);
// I think that the 2nd parameter need to be false (dettached form)
CMSSignedData csd = sgen.generate( new
CMSProcessableByteArray(data.getBytes()), false, "BC");
byte[] signedData = csd.getEncoded();
byte[] signedDataB64 = Base64.encode(signedData);
FileOutputStream out = new FileOutputStream("out2.p7s");
out.write(signedDataB64);
out.close();
}
catch(Exception e)
{
}
The signedDataB64 byte array is different of the javascript function
and must be equal. I'm in troubles now... I hope you could help me.
Thank you in advance.
Albert
P.S. If you please, send the response to my email
(albertocasanovas@hotmail.com)
| |
| Michel Gallant 2004-03-19, 8:54 pm |
| Well that is a good question :-)
With Netscape/signText, you have to be a bit careful with the content
which you verify against. There *might* be an extra LF or such in the
binary data that gets hashed/signed by Netscape.
The signature blobs won't be identical (probably other signature extensions etc.)
but you SHOULD be able to verify the b64 Netscape blob with any
good detached-signature pkcs #7 verifier if you know the correct content.
I have use Java servlets, signed web page forms, submitted to Tomcat and
can verify the detached signature properly with CryptoAPI or CAPICOM.
Post a specific signature (b64) and what you *think* is the content signed so
we can toubleshoot!
- Mitch Gallant
www.jensign.com
"Ride" <albertocasanovas@hotmail.com> wrote in message
news:16dabcd3.0403020231.60a8d547@posting.google.com...
> Hello Michel,
> I obtain encrypted PKCS#7 data using BouncyCastle,but now I have a big
> problem... I hope you could help me.
> I try to explain it. I need to make an application in java that
> encrypts data (a large string) in pkcs#7 dettached (sign the data),
> encode it to Base64 and send it to a remote server using https (post).
> The data that I have to send (encrypted) must be equals to signText
> function in javascript (only works in Netscape browsers). Here is the
> script:
>
> var textToSend = window.crypto.signText("This is the text to sign");
>
> This produces base64 encoded data. I think the data is encrypted in
> pkcs#7 and after is encoded to Base64. My problem is that using the
> bouncycastle package, and the examples in http://www.jensign.com
> (BCSignFile.java) I get pkcs#7 encrypted data but is DIFFERENT from
> the window.crypto.signText javascript function!!! This is a piece of
> my code:
>
> X509Certificate cert = null;
> PublicKey pub = null;
> PrivateKey priv = null;
> KeyStore keystore = null;
> String data = "Text to be signed";
>
> try
> {
> Security.addProvider(new BouncyCastleProvider());
>
> keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
> // Load the keystore
> keystore.load(new FileInputStream("myKeyStoreFile.pfx"),
> passw.toCharArray());
>
> Enumeration e = keystore.aliases();
> String name = "";
>
> if(e!=null)
> {
> while (e.hasMoreElements())
> {
> String n = (String)e.nextElement();
> if (keystore.isKeyEntry(n))
> {
> name = n;
> }
> }
> }
>
> // Get the private key and the certificate
> priv = (PrivateKey)keystore.getKey(name, passw.toCharArray());
> cert = (X509Certificate) keystore.getCertificate(name);
>
> // I'm not sure if this is necessary
> Certificate[] certChain =
> keystore.getCertificateChain(name);
> ArrayList certList = new ArrayList();
> CertStore certs = null;
> for (int i=0; i < certChain.length; i++)
> certList.add(certChain[i]);
>
> certs = CertStore.getInstance("Collection", new
> CollectionCertStoreParameters(certList),
"BC");
>
>
> // Encrypt data
> CMSSignedDataGenerator sgen = new CMSSignedDataGenerator();
> // What digest algorithm i must use? SHA1? MD5? RSA?...
> sgen.addSigner(priv, (X509Certificate)cert,
> CMSSignedDataGenerator.DIGEST_MD5);
> // I'm not sure this is necessary
> sgen.addCertificatesAndCRLs(certs);
>
> // I think that the 2nd parameter need to be false (dettached form)
> CMSSignedData csd = sgen.generate( new
> CMSProcessableByteArray(data.getBytes()), false, "BC");
> byte[] signedData = csd.getEncoded();
> byte[] signedDataB64 = Base64.encode(signedData);
>
> FileOutputStream out = new FileOutputStream("out2.p7s");
> out.write(signedDataB64);
> out.close();
>
> }
> catch(Exception e)
> {
>
> }
>
> The signedDataB64 byte array is different of the javascript function
> and must be equal. I'm in troubles now... I hope you could help me.
> Thank you in advance.
>
> Albert
>
> P.S. If you please, send the response to my email
> (albertocasanovas@hotmail.com)
| |
|
| Hi!
The data to be signed is like this:
1190200385077604YTOMAS AVILA PILAR
T911111111CABALLERO GOMEZ ESPERANZA 1709898619161
0000000000000000000001 000000000100000000000000015000
F611E1336858T2190200385077604Y00000102X ESPAÑOL ESPAÑOL JUAN
02F01 00000001000000000000015000
0000000000000000000000000000000000000002
002000000
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0000
the b64 Netscape blob generated by crypto.SignText is like this:
MIIFZwYJKoZIhvcNAQcCoIIFWDCCBVQCAQExCzAJ
BgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0wggQJ
MIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEBBQUA
MDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1U
MRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0EwHhcN
MDIxMTA5MTcyMDQ2WhcNMDQxMTA5MTc1MDQ2WjCB
szELMAkGA1UEBhM
CRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0Z
OTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTAwMDU
zNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkEgREU
gQUhPUlJPUyBERSBDQVRBTFXx
SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQ
VUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5OThBM
FwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyRVMBl
N9PRaxde9nF2FdUGFxEDnMdR1wnoKOhykzJnFEiG
3U+yZk6i1R/ Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegw
ggHkMCsGA1UdEAQkMCKADzIwMDIxMTA5MTcyMDQ2
WoEP
MjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDAR
BglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSByjCB
x4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVueWEu
ZXOkgaUwgaIxGDAWBgkrBgEEA
xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBh
QbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsddFhMR
gwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFTATBg
krBgEEAaxmAQMTBm11cnRybzEUMBIGCSsGAQQBrG
YBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQETBGp1YW
4wWgYDVR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBA
YTAkVTMQ0wCwYDV
QQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlI
DIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVHSMEG
DAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdBgNVH
Q4EFgQU2rcwImt/ltwNis951B
NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQA
EDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQUFAAO
BgQB8vTACU/ s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP5
0rUrn1v/KTTcR3l/ huqZvnfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7
f+CYezEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYU
qXHl5x/Off5vLkyKXbFR4t3WrNKD
GCASIwggEeAgEBMD4wNjELMAkGA1UEBhMCRVMxDT
ALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2
xhc2UgMiBDQQIEPGfjgDAJBgUrDgMCGgUAoH0wGA
YJKoZIhvcNAQkDMQsGCSqGSIb
DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQwMzA0MTA0
MDUyWjAeBgkqhkiG9w0BCQ8xETAPMA0GCCqGSIb3
DQMCAgEoMCMGCSqGSIb3DQEJBDEWBBQs6JNqMPw1
1kLsF68ucBrx0aAmIjANBgkqhkiG9w0BAQEFAARA
xvWTdD9/9Md7Fx8LgT/ jfh9QCeVo4XPJtwsqmzXpZz4ejRoqmR81BRq6cP6
uB1b0CCCY6g421ft1X21z1oPQ8Q==
generated using java script:
pkcs7=window.crypto.signText(origin,'ask')
pkcs7=pkcs7.split('\n').join('').split('\r').join('')
where origin is the data to be signed.
And the data generated by my java class is:
MIIFRgYJKoZIhvcNAQcCoIIFNzCCBTMCAQExCzAJ
BgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0wggQJ
MIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEBBQUA
MDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1U
MRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0EwHhcN
MDIxMTA5MTcyMDQ2WhcNMDQxMTA5MTc1MDQ2WjCB
szELMAkGA1UEBhM
CRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0Z
OTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTAwMDU
zNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkEgREU
gQUhPUlJPUyBERSBDQVRBTFXx
SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQ
VUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5OThBM
FwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyRVMBl
N9PRaxde9nF2FdUGFxEDnMdR1wnoKOhykzJnFEiG
3U+yZk6i1R/ Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegw
ggHkMCsGA1UdEAQkMCKADzIwMDIxMTA5MTcyMDQ2
WoEP
MjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDAR
BglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSByjCB
x4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVueWEu
ZXOkgaUwgaIxGDAWBgkrBgEEA
xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBh
QbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsddFhMR
gwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFTATBg
krBgEEAaxmAQMTBm11cnRybzEUMBIGCSsGAQQBrG
YBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQETBGp1YW
4wWgYDVR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBA
YTAkVTMQ0wCwYDV
QQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlI
DIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVHSMEG
DAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdBgNVH
Q4EFgQU2rcwImt/ltwNis951B
NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQA
EDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQUFAAO
BgQB8vTACU/ s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP5
0rUrn1v/KTTcR3l/ huqZvnfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7
f+CYezEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYU
qXHl5x/Off5vLkyKXbFR4t3WrNKD
GCAQEwgf4CAQEwPjA2MQswCQYDVQQGEwJFUzENMA
sGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbG
FzZSAyIENBAgQ8Z+OAMAkGBSsOAwIaBQCgXTAYBg
kqhkiG9w0BCQMxCwYJKoZIhvc
AQcBMBwGCSqGSIb3DQEJBTEPFw0wNDAzMDQwODA5
MTNaMCMGCSqGSIb3DQEJBDEWBBTRQSGYQuA6awIv
FmMZPJrilCjZaDANBgkqhkiG9w0BAQEFAARAb8qZ
ppg3F4jhWDlQ5W9jakJwxrKTOgHU5b8cpin7t/ nbyaochS8kYPKl0odpxtSFc3o6beazBnDwCDDhOH
OU5w==
Netscape blob is 44 bytes larger than mine...
Any idea?
Thanx
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message news:<mM61c.11379$qA2.563928@news20.bellglobal.com>...[color=darkred]
> Well that is a good question :-)
> With Netscape/signText, you have to be a bit careful with the content
> which you verify against. There *might* be an extra LF or such in the
> binary data that gets hashed/signed by Netscape.
>
> The signature blobs won't be identical (probably other signature extensions etc.)
> but you SHOULD be able to verify the b64 Netscape blob with any
> good detached-signature pkcs #7 verifier if you know the correct content.
>
> I have use Java servlets, signed web page forms, submitted to Tomcat and
> can verify the detached signature properly with CryptoAPI or CAPICOM.
>
> Post a specific signature (b64) and what you *think* is the content signed so
> we can toubleshoot!
>
> - Mitch Gallant
> www.jensign.com
>
> "Ride" <albertocasanovas@hotmail.com> wrote in message
> news:16dabcd3.0403020231.60a8d547@posting.google.com...
| |
| jasaezb 2004-03-19, 8:55 pm |
| Hola Alberto Casanovas.
Por tu nombre y lo que esta preguntando supongo que eres Español.
Tengo EXACTAMENTE el mismo problema que tu. (AEAT, ¿verdad?), y estoy en el mismo punto. El BASE64 que genero es distinto que el que genera la operden de JavaScritp.
¿me puedes ayudar?
Llevo cerca de un mes con esto y estoy algo desesperado.
Gracias.
jasaezb0@yahoo.es
| |
| jasaezb 2004-03-19, 8:55 pm |
| Hola Alberto Casanovas.
Por tu nombre y lo que esta preguntando supongo que eres Español.
Tengo EXACTAMENTE el mismo problema que tu. (AEAT, ¿verdad?), y estoy en el mismo punto. El BASE64 que genero es distinto que el que genera la operden de JavaScritp.
¿me puedes ayudar?
Llevo cerca de un mes con esto y estoy algo desesperado.
Gracias.
jasaezb0@yahoo.es
|
|
|
|
|