[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [iaik-jce] SignerInfo



Hello,

a SignerInfo without an IssuerAndSerialNumber is invalid. You may use
constructor

SignerInfo(IssuerAndSerialNumber issuerAndSerialNumber,
           AlgorithmID digestAlgorithm,
           PrivateKey privateKey)

and supply null as private key if you yourself calculate the encrypted
digest, e.g.:

IssuerAndSerialNumber issuer = new IssuerAndSerialNumber(cert);
SignerInfo signer_info = new SignerInfo(issuer, AlgorithmID.sha, null);
signer_info.setEncryptedDigest(encrypted_digest);
...

When doing the digest encryption outside SignerInfo class please be aware
about the two different situations depending whether authenticated
attributes are present or not. If not the content data is hashed and
encrypted (signed) with the signer´s private key. If authenticated
attributes are present they are DER encoded, hashed and encrypted (signed).
Note, that as soon as there are authenticated attributes are present, they
have to include the "message digest" attribute giving a hash of the content.
In this way it is ensured that the content is included in the hash anyway
(see http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/PKCS#7, section 9.3
"Message-digesting process").


Regards,
Dieter Bratko




-----Ursprüngliche Nachricht-----
Von: iaik-jce-owner@iaik.tu-graz.ac.at
[mailto:iaik-jce-owner@iaik.tu-graz.ac.at]Im Auftrag von Mauro Marini
Gesendet: Mittwoch, 18. Oktober 2000 17:05
An: iaik-jce@iaik.at
Betreff: [iaik-jce] SignerInfo


I have to build a pkcs7 envelope of SignedData type using components I
already
have.
1) A document converted in an array of byte: DocBuffer
2) An X509 certificate loaded from disk: cert
3) An already encrypted document digest, stored in an array of byte:
encrypted_digest

Here is what I do:

      int mode = SignedData.IMPLICIT;
      SignedData signed_data = new SignedData (DocBuffer, mode);
      iaik.x509.X509Certificate[] certificates = {cert};
      signed_data.setCertificates(certificates);
      SignerInfo signer_info = new SignerInfo();
      signer_info.setEncryptedDigest( encrypted_digest );
      signed_data.addSignerInfo( signer_info );
      byte[] encoded_signed_data = signed_data.getEncoded();

The last library call throws a iaik.pkcs.PKCSException:
iaik.asn1.CodingException: java.lang.NullPointerException at
iaik.pkcs.pkcs7.SignedData.toASN1Object

Further inspections point out that maybe signer_info is not properly setted:
trying to convert it in an ASN1Object gives an exception, also. But, how can
I
make a better signer_info? Take in count that I can't use the other
constructors
because I can't directly extract the private key from the underlaying
framework.

Thanks a lot in advance
Mauro





--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content:
UNSUBSCRIBE iaik-jce




***************************************************************************
*                                                                         *
* IAIK S/MIME Mapper Security Info                                        *
* ===================================                                     *
*                                                                         *
* for message:                                                            *
*   From: "Dieter Bratko" <Dieter.Bratko@iaik.at>                         *
*   Date: Thu, 19 Oct 2000 09:38:59 +0200                                 *
*   Subject: AW: [iaik-jce] SignerInfo                                    *
*                                                                         *
* Message S/MIME properties:                                              *
*                                                                         *
*   Encrypted using:    not encrypted                                     *
*                                                                         *
*   Digitally signed:   yes                                               *
*   Signature valid:    yes                                               *
*   Signature trusted:  yes                                               *
*                                                                         *
*                                                                         *
* Compliance with policy for email addresses *@iaik.at:                   *
*                                                                         *
*   Encryption:         OK (None or better required)                      *
*                                                                         *
*   Digital Signature:  OK (digital signature required)                   *
*                                                                         *
***************************************************************************