Hi,
I've been writing quite a long stuff about this problem in a thread a
few days ago. This was: "crypto.signtext() & JSS #pkcs7 parsing "
thread.
The problem is that i'm still stuck. I paste a copy of the code here,
I hope someone will be able to solve/find a solution...
Thanks,
Irwin
------------------------------------------------
import java.io.*;
import java.text.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;
import java.security.*;
import java.security.cert.CertificateFactory;
import org.mozilla.jss.pkix.cert.Certificate;
import org.mozilla.jss.pkix.cert.CertificateInfo;
import org.mozilla.jss.pkix.primitive.*;
import org.mozilla.jss.crypto.*;
import org.mozilla.jss.util.*;
import org.mozilla.jss.*;
import org.mozilla.jss.pkcs7.*;
import org.mozilla.jss.asn1.*;
import org.mozilla.jss.pkcs12.*;
public class CheckSign {
/* We check a signature made by someone whose certificate is
/home/rao.crt
The result string returned by signText (signature)
is a base-64-encoded PKCS #7 (version 1.5) signedData object
wrapped in a contentInfo object with a contentType of signedData.
(info about the fields of this object can be found here :
http://developer.netscape.com/docs/manuals/security/sgntxt/sgntxt.htm#intro
)
*/
protected static void checkRaoSign(Hashtable info,Object signature)
throws Exception {
try {
CryptoManager.InitializationValues vals =
new
CryptoManager.InitializationValues("/home/ca");
vals.removeSunProvider = false;
CryptoManager.initialize(vals);
}
catch (AlreadyInitializedException e) {}
/*Retrieving the RAO Public Key */
try {
FileInputStream fis = new FileInputStream("/home/rao.crt");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.X509Certificate cert =
(java.security.cert.X509Certificate)
cf.generateCertificate(fis);
java.security.PublicKey pkey = cert.getPublicKey();
fis.close();
/* Other way of retrieving the RAO Public Key */
FileInputStream fis2 = new FileInputStream("/home/rao.crt");
BufferedInputStream bis2 = new BufferedInputStream(fis2);
Certificate ocert = (Certificate)
org.mozilla.jss.pkix.cert.Certificate.getTemplate().decode(bis2);
java.security.PublicKey pkey2 = (java.security.PublicKey)
ocert.getInfo().getSubjectPublicKeyInfo().toPublicKey();
fis2.close();
/* Checking the signature */
FileOutputStream fos = new FileOutputStream("/home/ca/signed.b64");
fos.write(((String) signature ).getBytes());
fos.close();
FileInputStream fiss = new FileInputStream("/home/ca/signed.b64");
InputStream is = javax.mail.internet.MimeUtility.decode(fiss,"base64");
BufferedInputStream bis = new BufferedInputStream(is);
ContentInfo ci = (ContentInfo) ContentInfo.getTemplate().decode(bis);
SignedData sd = (SignedData) ci.getInterpretedContent();
System.out.println("<br>Version : " + sd.getVersion());
SET signers = sd.getSignerInfos();
SignerInfo sinfo = (SignerInfo) signers.elementAt(0);
System.out.println("<br> *** SIGNER INFO *** <br> ");
System.out.println("<br> Version : " + sinfo.getVersion());
System.out.println("<br> SN of cert. used to sign data : "
+ sinfo.getIssuerAndSerialNumber().getSerialNumber());
SET authatt = sinfo.getAuthenticatedAttributes();
System.out.println("<br> ** Auth. attributes ** : " +
authatt.size());
/* building the digest info... computed without the publickey*/
String datatobechecked = info.toString();
MessageDigest md =MessageDigest.getInstance("SHA-1");
byte[] messageDigest = md.digest(datatobechecked.getBytes());
byte[] edigest = sinfo.getEncryptedDigest();
/* We check here the signature :
The messageDigest and the one contained in the signerInfo match.
problem is that publicKey pkey is not pkcs11.
if we try to make it pkcs11, Tomcat crashes executing :
org.mozilla.jss.pkcs11.PK11PubKey zubkey =
org.mozilla.jss.pkcs11.PK11PubKey.fromRaw(org.mozilla.jss.crypto.PrivateKey.Type.RSA,
pkey.getEncoded());
*/
sinfo.verify(messageDigest,ContentInfo.DATA,pkey);
}
catch (Exception e) {System.out.println("Exception checking sign: " +
e.getMessage());e.printStackTrace();}
}
}
