Code Comments
Hi! I need to encode a string (plain text) in PKCS#7 format. The question is: what do I need? I have the IAIK JCE package. Do I need something else? Could you send me some sample code? Thank you!
Have a look at the BC implementation samples here: http://www.jensign.com/JavaScience/javacrypto
Also, all the JavaScience samples are not available via: http://www.jensign.com
-Michel Gallant
JavaScience Consulting
Hi Michel,
Thanks for the code samples, they helped me a lot. Now I have another question: How can I get the private key from/within a certificate? I have a certificate on my machine (X509) and I need its private key in order to encrypt data with it. Could you help me?
Thanks
Exactly! I need to get the private key associated with the user
certificate. The real application will run in a Solaris environment,
but for now I'm "practising" on Windows.
I've "stored" the certificate in the cacerts file (with keytool). Using
keytool -list I get a list of my "installed" certificates (one in this
case). Then I load a KeyStore object with the cacerts file:

    keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream("cacerts"), pwd.toCharArray());

Then I try to get the private key:

    // pick the last alias that is a key entry (a trusted-cert entry has no key)
    Enumeration en = keystore.aliases();
    String pName = null;
    while (en.hasMoreElements())
    {
        String n = (String)en.nextElement();
        if (keystore.isKeyEntry(n))
        {
            pName = n;
        }
    }
    PrivateKey priv = (PrivateKey)keystore.getKey(pName, pwd.toCharArray());

But this returns null to me. The enumeration has one "alias" but it seems
that it has no private key (?)
Thanks.
I've done it!!!
I simply changed this line:

    keystore = KeyStore.getInstance("JKS");

to this one:

    keystore = KeyStore.getInstance("PKCS12");

I realized that I had exported the certificate in PKCS12 format. Now I can
load the keystore and retrieve the private key. Now I have to encrypt
data!!
Thank you very much
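The lookup the last two posts converge on (load the PKCS#12 export, find the entry that actually has a key, pull out the private key and its certificate chain), as an added example rather than code from this thread or from the JavaScience samples; the class name, the argument layout and the myKeyStoreFile.pfx / password in the usage line below are mine. It uses only the JDK KeyStore API, so BouncyCastle is not needed for this step, and it turns the silent failure the poster hit (getKey() returning null because cacerts holds only trusted-certificate entries) into a clear error.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Loads a key store and returns the first entry that carries a private key.
// Added example; store file, store type and password come from the command line.
public class KeyStoreKeyLookup {

    // What a signer needs from the store: the alias, the private key and the chain.
    static final class SigningMaterial {
        final String alias;
        final PrivateKey key;
        final X509Certificate[] chain;

        SigningMaterial(String alias, PrivateKey key, X509Certificate[] chain) {
            this.alias = alias;
            this.key = key;
            this.chain = chain;
        }
    }

    static SigningMaterial loadSigningMaterial(File file, String type, char[] password) throws Exception {
        // "PKCS12" for a .p12/.pfx export, "JKS" for a keytool store such as cacerts.
        // A file the chosen type cannot parse fails here with an IOException; on Java 9+
        // KeyStore.getInstance(File, char[]) can probe the type for you instead.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }

        for (String alias : Collections.list(ks.aliases())) {
            // Trusted-certificate entries (everything in cacerts) have no private key:
            // isKeyEntry() is false for them and getKey() would just return null.
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            // For PKCS#12 the entry password is the store password; a JKS key may carry
            // its own password, which is what a different PasswordProtection would hold.
            KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                continue; // e.g. a SecretKeyEntry stored in a PKCS#12 file
            }
            KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) entry;
            Certificate[] raw = pke.getCertificateChain();
            X509Certificate[] chain = new X509Certificate[raw.length];
            for (int i = 0; i < raw.length; i++) {
                chain[i] = (X509Certificate) raw[i];
            }
            return new SigningMaterial(alias, pke.getPrivateKey(), chain);
        }
        throw new IllegalStateException("no private-key entry in " + file
                + " (type " + type + "); does it hold only trusted certificates?");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeyStoreKeyLookup <store-file> <PKCS12|JKS> <password>");
            System.exit(2);
        }
        SigningMaterial m = loadSigningMaterial(new File(args[0]), args[1], args[2].toCharArray());
        System.out.println("alias:       " + m.alias);
        System.out.println("key:         " + m.key.getAlgorithm() + " (" + m.key.getFormat() + ")");
        System.out.println("certificate: " + m.chain[0].getSubjectX500Principal());
        System.out.println("chain depth: " + m.chain.length);
    }
}
```

Run as `java KeyStoreKeyLookup myKeyStoreFile.pfx PKCS12 <password>` for the poster's export, or with `cacerts JKS changeit` to see the "only trusted certificates" error instead of a null key. Taking the password as an argument is for the demonstration only; in real code read it from a console or a secrets store, since command-line arguments are visible to other processes.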
How is the certificate stored? Are you talking about accessing the private key associated with a certificate on Windows, for example?
- Mitch
Hello Michel,
I obtain encrypted PKCS#7 data using BouncyCastle, but now I have a big problem... I hope you can help me. I'll try to explain it. I need to make an application in Java that encrypts data (a large string) in PKCS#7 detached form (signs the data), encodes it to Base64 and sends it to a remote server using HTTPS (POST). The data that I have to send (encrypted) must be equal to the signText function in JavaScript (which only works in Netscape browsers). Here is the script:

    var textToSend = window.crypto.signText("This is the text to sign");

This produces Base64-encoded data. I think the data is encrypted in PKCS#7 and afterwards encoded to Base64. My problem is that using the BouncyCastle package and the examples at http://www.jensign.com (BCSignFile.java) I get PKCS#7 encrypted data, but it is DIFFERENT from the window.crypto.signText JavaScript function!!! This is a piece of my code:

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Security;
    import java.security.cert.CertStore;
    import java.security.cert.Certificate;
    import java.security.cert.CollectionCertStoreParameters;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Enumeration;

    import org.bouncycastle.cms.CMSProcessableByteArray;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.CMSSignedDataGenerator;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.util.encoders.Base64;

    X509Certificate cert = null;
    PublicKey pub = null;
    PrivateKey priv = null;
    KeyStore keystore = null;
    String data = "Text to be signed";
    // passw (the keystore password) is set elsewhere in the program

    try
    {
        Security.addProvider(new BouncyCastleProvider());

        keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
        // Load the keystore
        keystore.load(new FileInputStream("myKeyStoreFile.pfx"), passw.toCharArray());

        // Find the alias that carries the private key
        Enumeration e = keystore.aliases();
        String name = "";
        if (e != null)
        {
            while (e.hasMoreElements())
            {
                String n = (String)e.nextElement();
                if (keystore.isKeyEntry(n))
                {
                    name = n;
                }
            }
        }

        // Get the private key and the certificate
        priv = (PrivateKey)keystore.getKey(name, passw.toCharArray());
        cert = (X509Certificate)keystore.getCertificate(name);

        // I'm not sure if this is necessary
        Certificate[] certChain = keystore.getCertificateChain(name);
        ArrayList certList = new ArrayList();
        CertStore certs = null;
        for (int i = 0; i < certChain.length; i++)
            certList.add(certChain[i]);
        certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), "BC");

        // Encrypt data
        CMSSignedDataGenerator sgen = new CMSSignedDataGenerator();
        // What digest algorithm must I use? SHA1? MD5? RSA?...
        sgen.addSigner(priv, (X509Certificate)cert, CMSSignedDataGenerator.DIGEST_MD5);
        // I'm not sure this is necessary
        sgen.addCertificatesAndCRLs(certs);

        // I think that the 2nd parameter needs to be false (detached form)
        CMSSignedData csd = sgen.generate(new CMSProcessableByteArray(data.getBytes()), false, "BC");
        byte[] signedData = csd.getEncoded();
        byte[] signedDataB64 = Base64.encode(signedData);

        FileOutputStream out = new FileOutputStream("out2.p7s");
        out.write(signedDataB64);
        out.close();
    }
    catch (Exception e)
    {
        // report failures instead of silently swallowing them
        e.printStackTrace();
    }

The signedDataB64 byte array is different from the JavaScript function's, and it must be equal. I'm in trouble now... I hope you can help me.
Thank you in advance.
Albert
P.S. If you please, send the response to my email (albertocasanovas@hotmail.com)
Well, that is a good question :-)
With Netscape/signText, you have to be a bit careful with the content which you verify against. There *might* be an extra LF or such in the binary data that gets hashed/signed by Netscape.
The signature blobs won't be identical (probably other signature extensions etc.), but you SHOULD be able to verify the b64 Netscape blob with any good detached-signature PKCS #7 verifier if you know the correct content.
I have used Java servlets, signed web page forms, submitted to Tomcat, and can verify the detached signature properly with CryptoAPI or CAPICOM.
Post a specific signature (b64) and what you *think* is the content signed so we can troubleshoot!
- Mitch Gallant
www.jensign.com
Hi!
The data to be signed is like this:

    1190200385077604YTOMAS AVILA PILAR T911111111CABALLERO GOMEZ ESPERANZA 1709898619161 0000000000000000000001 000000000100000000000000015000 F611E1336858T2190200385077604Y00000102X ESPAÑOL ESPAÑOL JUAN 02F01 00000001000000000000015000 0000000000000000000000000000000000000002 002000000 0000000000000000000000000000000000000000 000000000000000000000000000000000000 00000000

The b64 Netscape blob generated by crypto.signText is like this:

    MIIFZwYJKoZIhvcNAQcCoIIFWDCCBVQCAQExCzAJ
    BgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0w
    ggQJMIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEB
    BQUAMDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQK
    EwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIg
    Q0EwHhcNMDIxMTA5MTcyMDQ2WhcNMDQxMTA5
    MTc1MDQ2WjCBszELMAkGA1UEBhM
    CRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0Z
    OTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTA
    wMDUzNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkE
    gREUgQUhPUlJPUyBERSBDQVRBTFXx
    SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQ
    VUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5O
    ThBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyR
    VMBlN9PRaxde9nF2FdUGFxEDnMdR1wnoKOhy
    kzJnFEiG3U+yZk6i1R/
    Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegw
    ggHkMCsGA1UdEAQkM
    CKADzIwMDIxMTA5MTcyMDQ2WoEP
    MjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDAR
    BglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSB
    yjCBx4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVu
    eWEuZXOkgaUwgaIxGDAWBgkrBgEEA
    xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBh
    QbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsdd
    FhMRgwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFT
    ATBgkrBgEEAaxmAQMTBm11cnRybzEUMBIGCS
    sGAQQBrGYBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQ
    ETBGp1YW4wWgYDVR0fBFMwUTBPoE2gS6RJME
    cxCzAJBgNVBAYTAkVTMQ0wCwYDV
    QQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlI
    DIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVH
    SMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdB
    gNVHQ4EFgQU2rcwImt/ltwNis951B
    NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQA
    EDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQU
    FAAOBgQB8vTACU/
    s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP5
    0rUrn1v/KTTcR3l/huqZv
    nfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7f+CYe
    zEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYUq
    XHl5x/Off5vLkyKXbFR4t3WrNKD
    GCASIwggEeAgEBMD4wNjELMAkGA1UEBhMCRVMxDT
    ALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0ZOTV
    QgQ2xhc2UgMiBDQQIEPGfjgDAJBgUrDgMCGgUAoH
    0wGAYJKoZIhvcNAQkDMQsGCSqGSIb
    DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQwMzA0MTA0
    MDUyWjAeBgkqhkiG9w0BCQ8xETAPMA0GCCqG
    SIb3DQMCAgEoMCMGCSqGSIb3DQEJBDEWBBQs6JNq
    MPw11kLsF68ucBrx0aAmIjANBgkqhkiG9w0B
    AQEFAARAxvWTdD9/9Md7Fx8LgT/
    jfh9QCeVo4XPJtwsqmzXpZz4ejRoqmR81BRq6cP6
    uB1b0CCCY
    6g421ft1X21z1oPQ8Q==

generated using JavaScript:

    pkcs7 = window.crypto.signText(origin, 'ask')
    pkcs7 = pkcs7.split('\n').join('').split('\r').join('')

where origin is the data to be signed. And the data generated by my Java class is:

    MIIFRgYJKoZIhvcNAQcCoIIFNzCCBTMCAQExCzAJ
    BgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0w
    ggQJMIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEB
    BQUAMDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQK
    EwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIg
    Q0EwHhcNMDIxMTA5MTcyMDQ2WhcNMDQxMTA5
    MTc1MDQ2WjCBszELMAkGA1UEBhM
    CRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0Z
    OTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTA
    wMDUzNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkE
    gREUgQUhPUlJPUyBERSBDQVRBTFXx
    SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQ
    VUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5O
    ThBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyR
    VMBlN9PRaxde9nF2FdUGFxEDnMdR1wnoKOhy
    kzJnFEiG3U+yZk6i1R/
    Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegw
    ggHkMCsGA1UdEAQkM
    CKADzIwMDIxMTA5MTcyMDQ2WoEP
    MjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDAR
    BglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSB
    yjCBx4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVu
    eWEuZXOkgaUwgaIxGDAWBgkrBgEEA
    xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBh
    QbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsdd
    FhMRgwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFT
    ATBgkrBgEEAaxmAQMTBm11cnRybzEUMBIGCS
    sGAQQBrGYBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQ
    ETBGp1YW4wWgYDVR0fBFMwUTBPoE2gS6RJME
    cxCzAJBgNVBAYTAkVTMQ0wCwYDV
    QQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlI
    DIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVH
    SMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdB
    gNVHQ4EFgQU2rcwImt/ltwNis951B
    NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQA
    EDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQU
    FAAOBgQB8vTACU/
    s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP5
    0rUrn1v/KTTcR3l/huqZv
    nfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7f+CYe
    zEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYUq
    XHl5x/Off5vLkyKXbFR4t3WrNKD
    GCAQEwgf4CAQEwPjA2MQswCQYDVQQGEwJFUzENMA
    sGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVC
    BDbGFzZSAyIENBAgQ8Z+OAMAkGBSsOAwIaBQCgXT
    AYBgkqhkiG9w0BCQMxCwYJKoZIhvc
    AQcBMBwGCSqGSIb3DQEJBTEPFw0wNDAzMDQwODA5
    MTNaMCMGCSqGSIb3DQEJBDEWBBTRQSGYQuA6
    awIvFmMZPJrilCjZaDANBgkqhkiG9w0BAQEFAARA
    b8qZppg3F4jhWDlQ5W9jakJwxrKTOgHU5b8c
    pin7t/
    nbyaochS8kYPKl0odpxtSFc3o6beazBnDwCDDhOH
    OU5w==

The Netscape blob is 44 bytes larger than mine... Any idea?
Thanx
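The detached-signature round trip that the last three posts circle around, as an added example that is not code from this thread or from Michel's samples. It uses the current BouncyCastle bcpkix API (JcaSimpleSignerInfoGeneratorBuilder and friends replaced the addSigner / addCertificatesAndCRLs calls of the 2004 version), signs with SHA-256 rather than the MD5 of the posted code or the SHA-1 (OID 1.3.14.3.2.26) that both blobs above declare, and generates an ephemeral self-signed certificate so it runs without a .pfx; the class name and the subject name are placeholders. The point it shows is Michel's: two valid detached signatures over the same content need not be byte-identical (decoding the two blobs, the Netscape SignerInfo carries an SMIMECapabilities signed attribute, OID 1.2.840.113549.1.9.15, that the Java one does not), so the receiving server should verify the blob against the content it knows instead of comparing base64 strings, and a single extra LF in what it takes to be the content is enough to make that verification fail.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.Store;
import org.bouncycastle.util.encoders.Base64;

public class DetachedCmsRoundTrip {

    // Ephemeral self-signed certificate standing in for the PKCS#12 entry used in the
    // thread (hypothetical subject name; self-signed, so it carries no trust by itself).
    static X509Certificate selfSigned(KeyPair kp) throws Exception {
        X500Name dn = new X500Name("CN=Example Signer, O=Example, C=ES");
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                dn, BigInteger.valueOf(now), new Date(now - 60_000L),
                new Date(now + 365L * 24 * 60 * 60 * 1000L), dn, kp.getPublic());
        return new JcaX509CertificateConverter().getCertificate(
                builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // Detached PKCS#7/CMS SignedData: the content digest goes into the signed attributes
    // but the content itself is not embedded, which is what generate(..., false) means.
    static byte[] signDetached(byte[] content, PrivateKey key, X509Certificate cert) throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(
                new JcaSimpleSignerInfoGeneratorBuilder().build("SHA256withRSA", key, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        return gen.generate(new CMSProcessableByteArray(content), false).getEncoded();
    }

    // Verify a detached signature against content supplied out of band. True only if every
    // SignerInfo verifies with the certificate embedded in the blob. That proves possession
    // of the key; whether that certificate chains to a CA you trust is a separate check.
    static boolean verifyDetached(byte[] content, byte[] signatureDer) throws Exception {
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(content), signatureDer);
        Store<X509CertificateHolder> certs = signed.getCertificates();
        for (SignerInformation si : signed.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = certs.getMatches(si.getSID());
            if (matches.isEmpty()) {
                return false; // the signer's certificate is not carried in the blob
            }
            try {
                if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(matches.iterator().next()))) {
                    return false; // the signature over the signed attributes does not check out
                }
            } catch (CMSException e) {
                return false; // e.g. the message-digest attribute does not match the content
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = selfSigned(kp);

        byte[] content = "This is the text to sign".getBytes(StandardCharsets.UTF_8);
        byte[] sig = signDetached(content, kp.getPrivate(), cert);
        // The base64 form is what gets POSTed, like the signText() result in the thread.
        System.out.println(new String(Base64.encode(sig), StandardCharsets.US_ASCII));

        System.out.println("same bytes verify:    " + verifyDetached(content, sig));
        // Michel's LF caveat: one extra byte in the content and the digest no longer matches.
        byte[] withLf = "This is the text to sign\n".getBytes(StandardCharsets.UTF_8);
        System.out.println("trailing LF verifies: " + verifyDetached(withLf, sig));
    }
}
```

Compile and run with bcprov and bcpkix on the classpath. To check a real signText() blob, base64-decode it and pass the bytes to verifyDetached together with the exact bytes the browser signed; if that fails while the blob is well formed, the content (encoding, line endings, a stray LF) is the first thing to suspect. A production verifier also has to build and validate the chain from the embedded certificate to a trusted CA and check revocation, which this example deliberately leaves out.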
Hello Alberto Casanovas. From your name and what you are asking, I assume you are Spanish. I have EXACTLY the same problem as you (AEAT, right?), and I am at the same point. The BASE64 I generate is different from the one the JavaScript operation generates. Can you help me? I have been at this for nearly a month and I am somewhat desperate. Thanks. jasaezb0@yahoo.es
Powered by vBulletin
Copyright 2000-2006 Jelsoft Enterprises Limited.