Java Forum / Security / March 2004

Sign plain text in PKCS#7 format

Ride - 25 Feb 2004 13:04 GMT
Hi!
I need to encode a string (plain text) in PKCS#7 format. The question is:
What do I need? I have the IAIK JCE package. Do I need something else?

Could you send me some sample code?

Thank you!
Michel Gallant - 25 Feb 2004 13:46 GMT
Have a look at the BC implementation samples here:
  http://www.jensign.com/JavaScience/javacrypto

Also, all the JavaScience samples are not available via:
 http://www.jensign.com

-Michel Gallant
JavaScience Consulting

> Hi!
> I need to encode a string (plain text) in PKCS#7 format. The question is:
[quoted text clipped - 3 lines]
>
> Thank you!
Ride - 26 Feb 2004 11:35 GMT
Hi Michel,
Thanks for the code samples, they helped me a lot. Now I have another
question:
How can I get the private key from/within a certificate? I have a
certificate on my machine (X509) and I need its private key in order to
encrypt data with it. Could you help me?

Thanks

> Have a look at the BC implementation samples here:
>    http://www.jensign.com/JavaScience/javacrypto
[quoted text clipped - 12 lines]
> >
> > Thank you!
Michel Gallant - 26 Feb 2004 20:53 GMT
How is the certificate stored? Are you talking about accessing the
private key associated with a certificate on Windows, for example?
- Mitch

> Hi Michel,
> Thank for the code samples, help me a lot. Now, I have another
[quoted text clipped - 21 lines]
> > >
> > > Thank you!
Ride - 27 Feb 2004 07:01 GMT
Exactly! I need to get the private key associated with the user
certificate. The real application will run in a Solaris environment,
but for now I'm "practising" on Windows.
I've "stored" the certificate in the cacerts file (with keytool). Using
keytool -list I get a list of my "installed" certificates (one in this
case). Then I load a KeyStore object with the cacerts file.

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("cacerts"), pwd.toCharArray());

Then I try to get the private key:

Enumeration en = keystore.aliases();
String pName = null;

while (en.hasMoreElements())
{
  String  n = (String)en.nextElement();
  if (keystore.isKeyEntry(n))
  {
     pName = n;
  }
}

PrivateKey priv = (PrivateKey)keystore.getKey(pName,
pwd.toCharArray());

But this returns null. The enumeration has one "alias" but it seems
to have no private key (?)

Thanks.

> How is the certificate stored? Are you talking about accessing the
> private key associated with a certificate on Windows, for example?
[quoted text clipped - 27 lines]
> > > >
> > > > Thank you!
Ride - 27 Feb 2004 08:13 GMT
I've done it!!!
Simply, I changed this line:

keystore = KeyStore.getInstance("JKS");

to this one:

keystore = KeyStore.getInstance("PKCS12");

I realized that I exported the certificate in PKCS12 format. Now I can
load the keystore and retrieve the private key. Now I have to encrypt
the data!!

Thank you very much

> How is the certificate stored? Are you talking about accessing the
> private key associated with a certificate on Windows, for example?
[quoted text clipped - 27 lines]
> > > >
> > > > Thank you!
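The null result in the earlier post and the PKCS12 fix above come down to keystore entry types. The following added example (my code, not Ride's or Michel's, and not from the jensign.com samples) opens a keystore of the requested type, prints what kind of entry each alias is, and returns a private key only from a key entry. A JKS truststore such as cacerts, filled with keytool -import, holds trusted-certificate entries: isKeyEntry is false for every alias, so there is no private key to retrieve. A PKCS#12 file exported together with its private key holds a key entry. The file name mykey.p12 and the password changeit are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not the poster's code): list keystore entries by kind and
// return the first private-key entry. Assumes a PKCS#12 file "mykey.p12"
// protected by the constructed password "changeit"; replace both.
public class KeyStoreInspector {

    public static final class KeyEntry {
        public final String alias;
        public final PrivateKey key;
        public final X509Certificate cert;

        KeyEntry(String alias, PrivateKey key, X509Certificate cert) {
            this.alias = alias;
            this.key = key;
            this.cert = cert;
        }
    }

    /** Returns the first key entry, or null if the store only holds trusted certificates. */
    public static KeyEntry loadFirstKeyEntry(String path, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                   // fails with IOException if the type is wrong
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Key entry: private key plus its certificate chain. For PKCS#12 the
                // key password is normally the same as the store password.
                PrivateKey key = (PrivateKey) ks.getKey(alias, password);
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": key entry, subject "
                        + cert.getSubjectX500Principal());
                return new KeyEntry(alias, key, cert);
            } else if (ks.isCertificateEntry(alias)) {
                // Trusted-certificate entry (what keytool -import into cacerts creates):
                // public certificate only, nothing to sign or decrypt with.
                System.out.println(alias + ": trusted certificate entry, no private key");
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "mykey.p12";
        String type = args.length > 1 ? args[1] : "PKCS12";
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyEntry entry = loadFirstKeyEntry(path, type, pw);
        if (entry == null) {
            System.out.println("No private-key entry found; for a truststore like cacerts this is expected.");
        } else {
            System.out.println("Loaded " + entry.key.getAlgorithm()
                    + " private key for alias " + entry.alias);
        }
    }
}
```

Run it as `java KeyStoreInspector cacerts JKS changeit` and every alias prints as a trusted certificate entry; run it against the exported PKCS#12 file and the key entry is found. Opening the wrong file type is reported by `KeyStore.load` rather than by a null alias later on.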
Michel Gallant - 27 Feb 2004 14:09 GMT
There is also some interop and pkcs12 info and useful samples here:
http://www.jensign.com/JavaScience/Thawte

- Michel Gallant

> I've done it!!!
> Simple I changed this line:
[quoted text clipped - 42 lines]
> > > > >
> > > > > Thank you!
Ride - 02 Mar 2004 10:31 GMT
Hello Michel,
I obtain encrypted PKCS#7 data using BouncyCastle, but now I have a big
problem... I hope you can help me.
I'll try to explain it. I need to make an application in Java that
encrypts data (a large string) in PKCS#7 detached form (signs the data),
encodes it to Base64 and sends it to a remote server using HTTPS (POST).
The data that I have to send (encrypted) must be equal to the output of the
signText function in JavaScript (which only works in Netscape browsers). Here
is the script:

var textToSend = window.crypto.signText("This is the text to sign");

This produces Base64-encoded data. I think the data is encrypted in
PKCS#7 and afterwards encoded to Base64. My problem is that, using the
BouncyCastle package and the examples at http://www.jensign.com
(BCSignFile.java), I get PKCS#7 encrypted data but it is DIFFERENT from
what the window.crypto.signText JavaScript function produces!!! This is a
piece of my code:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;

import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;

public class SignDetached
{
    public static void main(String[] args)
    {
        X509Certificate cert = null;
        PublicKey pub = null;
        PrivateKey priv = null;
        KeyStore keystore = null;
        String data = "Text to be signed";
        String passw = "changeit";   // keystore password (not shown in the post)

        try
        {
            Security.addProvider(new BouncyCastleProvider());

            keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
            // Load the keystore
            keystore.load(new FileInputStream("myKeyStoreFile.pfx"),
                          passw.toCharArray());

            Enumeration e = keystore.aliases();
            String name = "";

            if (e != null)
            {
                while (e.hasMoreElements())
                {
                    String n = (String) e.nextElement();
                    if (keystore.isKeyEntry(n))
                    {
                        name = n;
                    }
                }
            }

            // Get the private key and the certificate
            priv = (PrivateKey) keystore.getKey(name, passw.toCharArray());
            cert = (X509Certificate) keystore.getCertificate(name);

            // I'm not sure if this is necessary
            Certificate[] certChain = keystore.getCertificateChain(name);
            ArrayList certList = new ArrayList();
            CertStore certs = null;
            for (int i = 0; i < certChain.length; i++)
                certList.add(certChain[i]);

            certs = CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(certList), "BC");

            // Sign the data (CMS SignedData; this signs, it does not encrypt)
            CMSSignedDataGenerator sgen = new CMSSignedDataGenerator();
            // What digest algorithm i must use? SHA1? MD5? RSA?...
            sgen.addSigner(priv, (X509Certificate) cert,
                           CMSSignedDataGenerator.DIGEST_MD5);
            // I'm not sure this is necessary
            sgen.addCertificatesAndCRLs(certs);

            // I think that the 2nd parameter needs to be false (detached form)
            CMSSignedData csd = sgen.generate(
                    new CMSProcessableByteArray(data.getBytes()), false, "BC");
            byte[] signedData = csd.getEncoded();
            byte[] signedDataB64 = Base64.encode(signedData);

            FileOutputStream out = new FileOutputStream("out2.p7s");
            out.write(signedDataB64);
            out.close();
        }
        catch (Exception e)
        {
            // An empty catch block hides every failure; at least report it
            e.printStackTrace();
        }
    }
}

The signedDataB64 byte array is different from the JavaScript function's
output, and they must be equal. I'm in trouble now... I hope you can help me.
Thank you in advance.

Albert

P.S. If you please, send the response to my email
(albertocasanovas@hotmail.com)
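For contrast with the fragment above, here is an added example (my code, not from the thread and not from the jensign.com samples) that produces the same kind of detached SignedData with the current BouncyCastle bcprov/bcpkix API, where the old addSigner(...) and generate(..., "BC") calls have been replaced by signer-info generators. The keystore path, password and signature algorithm are constructed command-line arguments; SHA256withRSA is the sensible default, and SHA1withRSA is only there for interoperability with a peer that still expects a SHA-1 digest. Note that the result is a signature over the content, not an encryption of it: in detached form the content is not even included in the blob.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Added example, not code from the thread: detached CMS/PKCS#7 SignedData with
// the current BouncyCastle API. Keystore file, password and algorithm name are
// assumed command-line arguments (placeholders "myKeyStoreFile.pfx"/"changeit").
public class DetachedCmsSigner {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Detached SignedData: the content is digested and signed but NOT embedded. */
    public static byte[] signDetached(byte[] content, PrivateKey key,
                                      X509Certificate signerCert,
                                      List<X509Certificate> chain,
                                      String sigAlg) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg)
                .setProvider("BC").build(key);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        // Default signed attributes: contentType, signingTime, messageDigest
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build())
                .build(signer, signerCert));
        // Embed the chain so a verifier can look the signer certificate up by its SID
        gen.addCertificates(new JcaCertStore(chain));
        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), false);
        return signed.getEncoded();
    }

    /** Single-line Base64, like the posted JS that strips \r and \n from signText output. */
    public static String toBase64Line(byte[] der) {
        return Base64.getEncoder().encodeToString(der);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "myKeyStoreFile.pfx";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String sigAlg = args.length > 2 ? args[2] : "SHA256withRSA";

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        String alias = null;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no private-key entry in " + path);

        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : ks.getCertificateChain(alias)) chain.add((X509Certificate) c);

        // The byte encoding of the text is part of what gets signed; pick it deliberately.
        byte[] content = "Text to be signed".getBytes(StandardCharsets.ISO_8859_1);
        byte[] der = signDetached(content, key, chain.get(0), chain, sigAlg);
        System.out.println(toBase64Line(der));
    }
}
```

java.util.Base64.getEncoder() emits no line breaks, so the output already has the shape the posted JavaScript reaches by stripping \r and \n; the MIME encoder would insert line breaks every 76 characters.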
Michel Gallant - 02 Mar 2004 21:11 GMT
Well that is a good question  :-)
With Netscape/signText, you have to be a bit careful with the content
which you verify against. There *might* be an extra LF or such in the
binary data that gets hashed/signed by Netscape.

The signature blobs won't be identical (probably other signature extensions etc.)
but you SHOULD be able to verify the b64 netscape blob with any
good detached-signature pkcs #7 verifier if you know the correct content.

I have used Java servlets, signed web page forms, submitted to Tomcat and
can verify the detached signature properly with CryptoAPI or CAPICOM.

Post a specific signature (b64) and what you *think* is the content signed so
we can troubleshoot!

- Mitch Gallant
  www.jensign.com

> Hello Michel,
> I obtain encrypted PKCS#7 data using BouncyCastle,but now I have a big
[quoted text clipped - 92 lines]
> P.S. If you please, send the response to my email
> (albertocasanovas@hotmail.com)
Ride - 04 Mar 2004 10:47 GMT
Hi!

The data to be signed is like this:

1190200385077604YTOMAS AVILA PILAR                      
T911111111CABALLERO GOMEZ ESPERANZA               1709898619161
0000000000000000000001 000000000100000000000000015000                
                                         
F611E1336858T2190200385077604Y00000102X         ESPAÑOL ESPAÑOL JUAN  
                02F01 00000001000000000000015000
0000000000000000000000000000000000000002002000000        
000000000000000000000000000000000000000000000000000000000000000000000000000000000000

The b64 Netscape blob generated by crypto.signText is like this:

MIIFZwYJKoZIhvcNAQcCoIIFWDCCBVQCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0wggQJMIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEBBQUAMDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0EwHhcNMDIxMTA5MTcyMDQ2WhcNMDQxMTA5MTc1MDQ2WjCBszELMAkGA1UEBhMCRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTAwMDUzNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkEgREUgQUhPUlJPUyBERSBDQVRBTFXx
SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQVUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5OThBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyRVMBlN9PRaxde9nF2FdUGFxEDnMdR1wnoKOhykzJnFEiG3U+yZk6i1R/Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegwggHkMCsGA1UdEAQkMCKADzIwMDIxMTA5MTcyMDQ2WoEPMjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDARBglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSByjCBx4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVueWEuZXOkgaUwgaIxGDAWBgkrBgEEA
xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBhQbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsddFhMRgwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFTATBgkrBgEEAaxmAQMTBm11cnRybzEUMBIGCSsGAQQBrGYBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQETBGp1YW4wWgYDVR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdBgNVHQ4EFgQU2rcwImt/ltwNis951B
NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQUFAAOBgQB8vTACU/s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP50rUrn1v/KTTcR3l/huqZvnfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7f+CYezEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYUqXHl5x/Off5vLkyKXbFR4t3WrNKDGCASIwggEeAgEBMD4wNjELMAkGA1UEBhMCRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2xhc2UgMiBDQQIEPGfjgDAJBgUrDgMCGgUAoH0wGAYJKoZIhvcNAQkDMQsGCSqGSIb
DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQwMzA0MTA0MDUyWjAeBgkqhkiG9w0BCQ8xETAPMA0GCCqGSIb3DQMCAgEoMCMGCSqGSIb3DQEJBDEWBBQs6JNqMPw11kLsF68ucBrx0aAmIjANBgkqhkiG9w0BAQEFAARAxvWTdD9/9Md7Fx8LgT/jfh9QCeVo4XPJtwsqmzXpZz4ejRoqmR81BRq6cP6uB1b0CCCY6g421ft1X21z1oPQ8Q==

generated using javascript:
pkcs7=window.crypto.signText(origin,'ask')
pkcs7=pkcs7.split('\n').join('').split('\r').join('')

where origin is the data to be signed.

And the data generated by my java class is:

MIIFRgYJKoZIhvcNAQcCoIIFNzCCBTMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBA0wggQJMIIDcqADAgECAgQ8Z+OAMA0GCSqGSIb3DQEBBQUAMDYxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0EwHhcNMDIxMTA5MTcyMDQ2WhcNMDQxMTA5MTc1MDQ2WjCBszELMAkGA1UEBhMCRVMxDTALBgNVBAoTBEZOTVQxGDAWBgNVBAsTD0ZOTVQgQ2xhc2UgMiBDQTESMBAGA1UECxMJNTAwMDUzNzA1MWcwZQYDVQQDFF5FTlRJREFEIENBSkEgREUgQUhPUlJPUyBERSBDQVRBTFXx
SAtIENJRiBHMDgxNjk4MTUgLSBOT01CUkUgQVJOQVUgTVVSVFJPIEpVQU4gLSBOSUYgMzY5NTA5OThBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOcyRVMBlN9PRaxde9nF2FdUGFxEDnMdR1wnoKOhykzJnFEiG3U+yZk6i1R/Z98zPxGRgY+OeP4C6I1Jj7d0lnMCAwEAAaOCAegwggHkMCsGA1UdEAQkMCKADzIwMDIxMTA5MTcyMDQ2WoEPMjAwNDExMDkxNzUwNDZaMAsGA1UdDwQEAwIFoDARBglghkgBhvhCAQEEBAMCBaAwgdIGA1UdEQSByjCBx4EdYWxiZXJ0LnB1aWdAY2FpeGFjYXRhbHVueWEuZXOkgaUwgaIxGDAWBgkrBgEEA
xmAQcTCWcwODE2OTgxNTEqMCgGCSsGAQQBrGYBBhQbY2FqYSBkZSBhaG9ycm9zIGRlIGNhdGFsddFhMRgwFgYJKwYBBAGsZgEEEwkzNjk1MDk5OGExFTATBgkrBgEEAaxmAQMTBm11cnRybzEUMBIGCSsGAQQBrGYBAhMFYXJuYXUxEzARBgkrBgEEAaxmAQETBGp1YW4wWgYDVR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBAYTAkVTMQ0wCwYDVQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0ExDzANBgNVBAMTBkNSTDY3NzAfBgNVHSMEGDAWgBRAmnZEl3QHxKwUyx6NTzpFfDDXYTAdBgNVHQ4EFgQU2rcwImt/ltwNis951B
NAalNcH8wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWNS4wAwIDqDANBgkqhkiG9w0BAQUFAAOBgQB8vTACU/s9IlbIhQuOkb3LEuNfwq8+2UuiblsTEnYrPEMaP50rUrn1v/KTTcR3l/huqZvnfWf56smaa+o0XKUb+Z5JYQUwLgyeOJhQS7f+CYezEF7aRmMia3QlOIL3Pd6PsTmH2pJtiiuDYUqXHl5x/Off5vLkyKXbFR4t3WrNKDGCAQEwgf4CAQEwPjA2MQswCQYDVQQGEwJFUzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBAgQ8Z+OAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvc
AQcBMBwGCSqGSIb3DQEJBTEPFw0wNDAzMDQwODA5MTNaMCMGCSqGSIb3DQEJBDEWBBTRQSGYQuA6awIvFmMZPJrilCjZaDANBgkqhkiG9w0BAQEFAARAb8qZppg3F4jhWDlQ5W9jakJwxrKTOgHU5b8cpin7t/nbyaochS8kYPKl0odpxtSFc3o6beazBnDwCDDhOHOU5w==

Netscape blob is 44 bytes larger than mine...

Any idea?

Thanx

> Well that is a good question  :-)
> With Netscape/signText, you have to be a bit careful with the content
[quoted text clipped - 110 lines]
> > P.S. If you please, send the response to my email
> > (albertocasanovas@hotmail.com)
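Michel's advice is to verify rather than compare, and the two posted blobs show why: decoding them, both use the SHA-1 digest and the same signer certificate, but the Netscape SignerInfo carries four signed attributes (contentType, signingTime, SMIMECapabilities with OID 1.2.840.113549.1.9.15, messageDigest) where the BouncyCastle one carries three; that extra attribute is the size difference, and since signingTime and the signature value change on every run the two outputs can never be byte-equal anyway. The added example below (my code, not from the thread; current BouncyCastle bcpkix API) lists a blob's digest algorithm and signed-attribute OIDs, checks candidate content against the signed messageDigest attribute, tries the "extra LF" variants Michel mentions in both Latin-1 and UTF-8 (the posted data contains a non-ASCII character), and finally runs the full signature verification. It takes the Base64 blob and the text as two constructed command-line arguments.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Security;
import java.util.*;

import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.cms.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Store;

// Added example, not code from the thread: inspect and verify a detached
// PKCS#7/CMS signature (e.g. a signText blob) against candidate content.
public class DetachedCmsChecker {

    static { Security.addProvider(new BouncyCastleProvider()); }

    private static SignerInformation firstSigner(byte[] sigDer) throws Exception {
        Collection<SignerInformation> signers =
                new CMSSignedData(sigDer).getSignerInfos().getSigners();
        if (signers.isEmpty()) throw new IllegalArgumentException("no SignerInfo in blob");
        return signers.iterator().next();
    }

    /** Digest OID and signed-attribute OIDs: shows why two producers' blobs differ in size. */
    public static List<String> describe(byte[] sigDer) throws Exception {
        SignerInformation si = firstSigner(sigDer);
        List<String> out = new ArrayList<>();
        out.add("digest " + si.getDigestAlgOID());
        AttributeTable attrs = si.getSignedAttributes();
        if (attrs != null) {
            ASN1EncodableVector v = attrs.toASN1EncodableVector();
            for (int i = 0; i < v.size(); i++) {
                out.add("attr " + Attribute.getInstance(v.get(i)).getAttrType().getId());
            }
        }
        return out;
    }

    /** Does the digest of this candidate content equal the signed messageDigest attribute? */
    public static boolean contentMatches(byte[] sigDer, byte[] candidate) throws Exception {
        SignerInformation si = firstSigner(sigDer);
        Attribute md = si.getSignedAttributes().get(CMSAttributes.messageDigest);
        if (md == null) return false;
        byte[] expected = ASN1OctetString.getInstance(md.getAttrValues().getObjectAt(0)).getOctets();
        DigestCalculator dc = new JcaDigestCalculatorProviderBuilder().setProvider("BC")
                .build().get(si.getDigestAlgorithmID());   // same algorithm the signer used
        dc.getOutputStream().write(candidate);
        dc.getOutputStream().close();
        return MessageDigest.isEqual(expected, dc.getDigest());
    }

    /** Full cryptographic check: digest over content, signature over the signed attributes.
     *  It does not build or validate the certificate chain; do that separately. */
    public static boolean verifyDetached(byte[] sigDer, byte[] content) throws Exception {
        CMSSignedData sd = new CMSSignedData(new CMSProcessableByteArray(content), sigDer);
        Store<X509CertificateHolder> certs = sd.getCertificates();
        Collection<SignerInformation> signers = sd.getSignerInfos().getSigners();
        if (signers.isEmpty()) return false;
        for (SignerInformation si : signers) {
            Collection<X509CertificateHolder> match = certs.getMatches(si.getSID());
            if (match.isEmpty()) return false;   // signer certificate not embedded
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC")
                    .build(match.iterator().next()))) return false;
        }
        return true;
    }

    /** Michel's hint: the browser may have signed a slightly different byte string. */
    public static byte[] findSignedVariant(byte[] sigDer, String text) throws Exception {
        Map<String, String> variants = new LinkedHashMap<>();
        variants.put("as-is", text);
        variants.put("trailing LF", text + "\n");
        variants.put("trailing CRLF", text + "\r\n");
        for (Charset cs : new Charset[] { StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8 }) {
            for (Map.Entry<String, String> v : variants.entrySet()) {
                byte[] bytes = v.getValue().getBytes(cs);
                if (contentMatches(sigDer, bytes)) {
                    System.out.println("content matched as '" + v.getKey() + "' in " + cs.name());
                    return bytes;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        byte[] sig = Base64.getDecoder().decode(args[0].replaceAll("\\s", ""));
        System.out.println(describe(sig));
        byte[] hit = findSignedVariant(sig, args[1]);
        System.out.println(hit == null ? "no variant matches messageDigest"
                : "signature verifies: " + verifyDetached(sig, hit));
    }
}
```

The messageDigest comparison is the useful diagnostic: if no variant matches, the server has the wrong bytes (line endings, charset, trailing whitespace such as the padded fields in the posted data); if a variant matches but verifyDetached returns false, the content is right and the problem is the signature or the embedded certificate. A real server must still validate the signer certificate chain against a trusted CA and check the signingTime is recent before accepting the submission.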
jasaezb - 11 Mar 2004 16:31 GMT
Hello Alberto Casanovas.

From your name and what you are asking, I suppose you are Spanish.
I have EXACTLY the same problem as you (AEAT, right?), and I'm at the same point. The BASE64 I generate is different from the one generated by the JavaScript operation.

Can you help me?
I've been on this for nearly a month and I'm somewhat desperate.

Thanks.
jasaezb0@yahoo.es