Re: PKCS11 quagmire... (JSS question) [solved]

Fri, 29 Jun 2007 11:35:11 -0700 

OK so I went with making the SignerInfo outside of JSS which wasn't as 
bad as I first thought.  This works with private keys from PKCS12 or 
Sun-PKCS11 hardware tokens.  I used BouncyCastle methods to do this.  In 
the spirit of openness and thanks for all the help I get here, here's 
some code to do this:

agentCert is a java.security.cert.X509Certificate
agentPrivateKey is a java.security.PrivateKey
pkiDataHashBytes is a byte[] of the hash of the PKIData object
And I used the following BouncyCastle imports:
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.jce.PrincipalUtil;

       //sign the hash
       Signature sig = Signature.getInstance("SHA1withRSA");
       sig.initSign(agentPrivateKey);
       sig.update(pkiDataHashBytes);
       byte[] encryptedHashBytes = sig.sign();

       //Add BC pieces to create a SignerInfo
       ASN1EncodableVector bcSignerInfo = new ASN1EncodableVector();
       bcSignerInfo.add(new DERInteger(1));  //version 1 if using 
issuerAndSerialNumber, 3 if using subjectKeyIdentifier
       bcSignerInfo.add(new 
IssuerAndSerialNumber(PrincipalUtil.getIssuerX509Principal(agentCert),agentCert.getSerialNumber()));
       bcSignerInfo.add(new 
org.bouncycastle.asn1.x509.AlgorithmIdentifier("1.3.14.3.2.26")); //SHA1
       bcSignerInfo.add(new 
org.bouncycastle.asn1.x509.AlgorithmIdentifier("1.2.840.113549.1.1.1")); 
  //SHA1withRSA
       bcSignerInfo.add(new DEROctetString(encryptedHashBytes));

       //DER encode the BC SignerInfo
       ByteArrayOutputStream baos = new ByteArrayOutputStream();
       DEROutputStream dout = new DEROutputStream(baos);
       dout.writeObject(new DERSequence(bcSignerInfo));
       dout.close();
       byte[] signerInfoDERBytes = baos.toByteArray();

       //parse the DER signerInfo created with BouncyCastle into a JSS 
SignerInfo
       return (SignerInfo) ASN1Util.decode(SignerInfo.getTemplate(), 
signerInfoDERBytes);

Dave

PS: I filed https://bugzilla.mozilla.org/show_bug.cgi?id=386351 as it 
appears that JSS adds the wrong version # to the SignerInfo when 
constructed with an IssuerAndSerialNumber.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to