What are the steps need to follow to encrypt, sign, decrypt and verify signature using java. using PKCS#7 algorithm, what is the use of java key store ? with respect to PKCS#7.
Asked
Active
Viewed 4,614 times
1 Answers
4
Step 1 Generate key using keytool utility.here your will find good tutorial
Step 2 Load the keystore
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.SystemUtils;
public class MyKeystoreProvider {
public KeyStore getKeystore(char[] password) throws GeneralSecurityException, IOException {
KeyStore keystore = KeyStore.getInstance("jks");
InputStream input = new FileInputStream(SystemUtils.USER_HOME + File.separator + ".keystore");
try {
keystore.load(input, password);
} catch (IOException e) {
} finally {
IOUtils.closeQuietly(input);
}
return keystore;
}
}
Step 3 Next, suppose you want to have some code that signs some content. Let’s say that your content is a bunch of ASCII text that you can represent as an array of bytes. so you will use some Bouncy Castle classes to generate “CMS Signed Data”:
public byte[] sign(byte[] data) throws
GeneralSecurityException, CMSException, IOException {
Security.addProvider(new BouncyCastleProvider());
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
generator.addSigner(getPrivateKey(), (X509Certificate) getCertificate(),
CMSSignedDataGenerator.DIGEST_SHA1);
generator.addCertificatesAndCRLs(getCertStore());
CMSProcessable content = new CMSProcessableByteArray(data);
CMSSignedData signedData = generator.generate(content, true, "BC");
return signedData.getEncoded();
}
private CertStore getCertStore() throws GeneralSecurityException {
ArrayList<Certificate> list = new ArrayList<Certificate>();
Certificate[] certificates = getKeystore().getCertificateChain(this.alias);
for (int i = 0, length = certificates == null ? 0 : certificates.length; i < length; i++) {
list.add(certificates[i]);
}
return CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), "BC");
}
private PrivateKey getPrivateKey() throws GeneralSecurityException {
if (this.privateKey == null) {
this.privateKey = initalizePrivateKey();
}
return this.privateKey;
}
private PrivateKey initalizePrivateKey() throws GeneralSecurityException {
KeyStore keystore = new MyKeystoreProvider().getKeystore();
return (PrivateKey) keystore.getKey(this.alias, getPasswordAsCharArray());
}
And now finally to get orignal contantens .
CMSSignedData s = new CMSSignedData(signedBytes);
CertStore certs = s.getCertificatesAndCRLs("Collection", "BC");
SignerInformationStore signers = s.getSignerInfos();
boolean verified = false;
for (Iterator i = signers.getSigners().iterator(); i.hasNext(); ) {
SignerInformation signer = (SignerInformation) i.next();
Collection<? extends Certificate> certCollection = certs.getCertificates(signer.getSID());
if (!certCollection.isEmpty()) {
X509Certificate cert = (X509Certificate) certCollection.iterator().next();
if (signer.verify(cert.getPublicKey(), "BC")) {
verified = true;
}
}
}
CMSProcessable signedContent = s.getSignedContent() ;
byte[] originalContent = (byte[]) signedContent.getContent();
Vipul
- 27,808
- 7
- 60
- 75
-
Thanks Vipul In step 3 `generator.addSigner(getPrivateKey(), (X509Certificate) getCertificate(), CMSSignedDataGenerator.DIGEST_SHA1);` what is getCertificate() and how it works ? – Abhijeet Jun 14 '12 at 05:36
-
If you can reffer to bouncycastle PKCS.They have very good documentation on it. :) – Vipul Jun 14 '12 at 05:49
-
I have a simple question about P7: Is pkcs7 uses for unencrypted messages? I mean, Is it possible to convert a simple message to PKCS7 format without encryption? – Hosein Aqajani May 04 '16 at 08:00