ashwini

Reputation: 23

Signature Verification (format is PKCS#7)

I have the following in the XML:

1. tag: The signature in this is in the PKCS#7 format. This is an international standard. The signature includes the signer's public key certificate as part of the PKCS#7 bag, along with the encrypted hash of the data.
2. tag: The original data is in this tag.

I don't understand how to verify the signature. The client said that "Any API / tool that can read the PKCS#7 Signature can give you the Public Key."

The examples which I saw require the public key separately to verify the signature. Is it even possible that the required public key floats with the signature and some tool will automatically identify it and verify the data? If yes, I am not able to find any Java API which will verify this signature.

Upvotes: 0

Views: 5625

Answers (1)

GPI

Reputation: 9328

As a prologue, the first rule of cryptography: do not do it yourself; use proven tools in their documented use cases to perform the operations.

So I'd first check if your XML document is indeed signed using a standard (I don't know of an XML signature format that is based on PKCS7, but then, I sure don't know everything). If so, I'd find a library that supports this specific format.

XML Signature is standardized under the XML DSig umbrella, formalized here: http://www.w3.org/TR/xmldsig-core/. The Oracle JDK ships with a reference implementation (that is derived from an Apache implementation of the standard), using the XMLSignatureFactory base class.

PKCS7 is not used as part of XML DSig, though, so you may have to "do it yourself" (a small enough part of it) in the end, unless there is a protocol that I do not know of.

That said, indeed PKCS7 (superseded in some cases by CMS) is a standard cryptographic format that allows the signature of arbitrary content. The structure is flexible enough to hold notably: the content to be signed (it can be embedded, or not), the signature and associated algorithm identifiers, plus X509 material linked to the signature (such as certificates and public keys, certificate revocation lists...).

The Java language does not provide a generic implementation of PKCS7 processing to my knowledge, although the Oracle JDK does under the sun.security.pkcs package.

A popular, common library for PKCS7 processing in Java is BouncyCastle. I'm more familiar with it, so this is what I'll talk about.

You can find a usage sample here: http://i-proving.com/2007/09/21/pkcs7-signatures-using-bouncy-castle/

Bouncy Castle has a fairly good example package when you download the source, and also Javadoc. So you can check it out for up-to-date usage of the API. Check for example: https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cms/CMSSignedData.html, reproduced here for easier reference:

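import java.util.Collection;
import java.util.Iterator;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.util.Store;

// inputStream supplies the PKCS#7 / CMS SignedData bytes; the "BC" provider must be registered.
int                     verified = 0;
CMSSignedData           s = new CMSSignedData(inputStream);
Store                   certStore = s.getCertificates(); // This is where you access embedded certificates
SignerInformationStore  signers = s.getSignerInfos();
Collection              c = signers.getSigners();
Iterator                it = c.iterator();

while (it.hasNext())
{
  SignerInformation   signer = (SignerInformation)it.next();
  // Select the embedded certificate that matches this signer's identifier
  Collection          certCollection = certStore.getMatches(signer.getSID());

  Iterator              certIt = certCollection.iterator();
  X509CertificateHolder cert = (X509CertificateHolder)certIt.next();

  // Check the signature with the public key from that certificate
  if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)))
  {
      verified++;
  }
}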

Remember, though, that checking the validity of the signature is one step; the second is to verify that the signing certificates are indeed trustworthy. An example is available here:

Verifying PKCS#7 certificates in Java

Upvotes: 2
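
The two steps from the answer above (signature check, then certificate trust), applied to the question's layout where the data sits outside the PKCS#7 blob, as an added example that is not part of the original post or of BouncyCastle's documentation. The class name DetachedPkcs7Verifier, the detached-signature layout, and trust anchors obtained out of band that directly issued the signer certificate are assumptions; it needs the BouncyCastle bcprov and bcpkix jars.

```java
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Added example (hypothetical class name); not code from the answer or from BouncyCastle. */
public final class DetachedPkcs7Verifier {
    /**
     * @param data     exact bytes that were signed (content of the data tag)
     * @param pkcs7Der DER bytes of the PKCS#7 blob (Base64-decode the tag text first if needed)
     * @param anchors  CA certificates trusted out of band; assumed to issue the signer cert directly
     */
    public static boolean verify(byte[] data, byte[] pkcs7Der, Set<TrustAnchor> anchors)
            throws Exception {
        if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
        // Detached signature: the signed content is passed next to the PKCS#7 structure.
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(data), pkcs7Der);
        Collection<?> signers = signed.getSignerInfos().getSigners();
        if (signers.isEmpty()) return false;                  // no signer means nothing was proven

        for (Object o : signers) {
            SignerInformation signer = (SignerInformation) o;
            Collection<?> matches = signed.getCertificates().getMatches(signer.getSID());
            if (matches.isEmpty()) return false;              // signer certificate was not embedded
            X509CertificateHolder holder = (X509CertificateHolder) matches.iterator().next();

            // Step 1: the signature matches the data under the embedded public key.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder()
                    .setProvider("BC").build(holder))) return false;
            // Step 2: the embedded certificate chains to a trusted anchor. Skipping this would
            // accept data signed with any self-issued certificate.
            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);               // assumption: revocation checked elsewhere
            CertPathValidator.getInstance("PKIX").validate(path, params); // throws if untrusted
        }
        return true;
    }
}
```

If the signer certificate was issued by an intermediate CA, build the path with CertPathBuilder from the certificates embedded in the PKCS#7 structure instead of the single-certificate path used here.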
