user1096301

Reputation: 15

How to validate a TimeStampToken using a .cer file from filesystem?

There are two validate methods in the TimeStampToken class (bctsp-jdk16-1.46.jar), one of them is deprecated.

The deprecated method takes an X509Certificate as argument, and that's quite easy to create.

InputStream inPFX = getClass().getClassLoader().getResourceAsStream("tsp.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inPFX);

// The validate method just takes the X509Certificate object
token.validate(cert, "BC");

The new method takes a SignerInformationVerifier object. I found a way to create a SignerInformationVerifier (not sure it's the right way), but I still need an X509CertificateHolder object.

My current code looks like this:

TimeStampToken token = new TimeStampToken(new CMSSignedData(response));

X509CertificateHolder holder = // HOW TO DO THIS?

// create the SignerInformationVerifier object
DigestAlgorithmIdentifierFinder daif = new DefaultDigestAlgorithmIdentifierFinder();
DigestCalculatorProvider dcp = new BcDigestCalculatorProvider();
SignerInformationVerifier siv = new BcRSASignerInfoVerifierBuilder(daif, dcp).build(holder);

// use the new validate method
token.validate(siv);

Upvotes: 1

Views: 1696

Answers (1)

vzamanillo

Reputation: 10574

Try this

TimeStampToken token = new TimeStampToken(new CMSSignedData(response));

// load the TSA certificate (DER or PEM) from the filesystem
InputStream in = new FileInputStream("tsp.cer");
CertificateFactory factory = CertificateFactory.getInstance("X.509");

X509Certificate cert = (X509Certificate) factory.generateCertificate(in);
in.close();

//RSA Signature processing with BC
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
SignerInformationVerifier siv = new BcRSASignerInfoVerifierBuilder(new DefaultDigestAlgorithmIdentifierFinder(), new BcDigestCalculatorProvider()).build(holder);

//Signature processing with JCA and other provider
//X509CertificateHolder holderJca = new JcaX509CertificateHolder(cert);
//SignerInformationVerifier sivJca = new JcaSimpleSignerInfoVerifierBuilder().setProvider("anotherprovider").build(holderJca);

// throws TSPValidationException if the token does not verify against the certificate
token.validate(siv);

Take a look at the "Verifying a SignerInformation object" section of the BC Version 2 APIs documentation for additional information about signature verification with the BC API.

You are creating the SignerInformationVerifier in the right way; in the sample code above you can find another way to create the SignerInformationVerifier for a JCA/JCE provider based solution.

Upvotes: 1
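To show how the accepted approach fits into a complete check, here is an added example (not code from the question or the answer above) that loads the TSA certificate from a .cer file, builds the verifier the way the answer does, calls the non-deprecated validate, and then compares the token's messageImprint against a fresh hash of the time-stamped data. The file paths, the class name TspTokenCheck, the helper names and the "SHA-256" digest choice are assumptions for the illustration; the BouncyCastle types are the ones the page names, from the 1.46 CMS/TSP/operator packages.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.tsp.TimeStampTokenInfo;

// Added example, not part of the original question or answer.
public class TspTokenCheck {

    // Read a DER or PEM encoded .cer file from the filesystem into an X509CertificateHolder.
    static X509CertificateHolder loadHolder(String cerPath) throws Exception {
        InputStream in = new FileInputStream(cerPath);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            return new X509CertificateHolder(cert.getEncoded());
        } finally {
            in.close();
        }
    }

    // Verify the token signature against the TSA certificate and confirm that the
    // token actually covers 'data'. validate() only proves the token was signed by
    // the supplied certificate; it does not know which data the caller expects the
    // timestamp to belong to, so the messageImprint comparison is done here.
    // 'digestAlgorithm' (e.g. "SHA-256") is assumed to be the algorithm that was used
    // in the original TimeStampRequest.
    static TimeStampTokenInfo verifyToken(byte[] tokenBytes, String tsaCerPath,
                                          byte[] data, String digestAlgorithm) throws Exception {
        TimeStampToken token = new TimeStampToken(new CMSSignedData(tokenBytes));
        X509CertificateHolder holder = loadHolder(tsaCerPath);

        SignerInformationVerifier siv = new BcRSASignerInfoVerifierBuilder(
                new DefaultDigestAlgorithmIdentifierFinder(),
                new BcDigestCalculatorProvider()).build(holder);

        // Throws TSPValidationException when the signature or certificate checks fail.
        token.validate(siv);

        TimeStampTokenInfo info = token.getTimeStampInfo();
        byte[] expected = MessageDigest.getInstance(digestAlgorithm).digest(data);
        if (!Arrays.equals(expected, info.getMessageImprintDigest())) {
            throw new SecurityException("token does not cover the supplied data");
        }
        return info;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = DER encoded TimeStampToken, args[1] = TSA .cer file,
        // args[2] = the file that was time-stamped.
        byte[] tokenBytes = Files.readAllBytes(Paths.get(args[0]));
        byte[] data = Files.readAllBytes(Paths.get(args[2]));

        TimeStampTokenInfo info = verifyToken(tokenBytes, args[1], data, "SHA-256");
        System.out.println("token valid: genTime=" + info.getGenTime()
                + " serial=" + info.getSerialNumber());
    }
}
```

Two things the call to validate does not do for you: it checks the token against the single certificate you hand it, so it does not build a chain from that certificate to a trust anchor or consult revocation data, and it does not compare the imprint with your data. Keep the .cer on disk under the same protection as any other trust anchor, since whoever can replace it can make forged tokens pass this check.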
